South Ward (Kennington) Allotment Association Data Protection Policy
The data that members provide on their application forms are kept in documents that are held and processed electronically. This means that the Association is subject to the Data Protection Act.
Under the Act, the data that members provide are not classed as “sensitive data”, and because we are a not-for- profit organisation that does not use CCTV, we do not have to register with the ICO (Information Commissioner’s Office). Nevertheless, under the Act, we have responsibilities of care to uphold. This document outlines our policies. For more information, the ICO website is here: https://ico.org.uk/
What data do we keep?
We are only allowed to keep data that are necessary for our association activities. We keep the following:
Name and postal address
Telephone number(s) – optional
Email address – optional
We will endeavour to maintain accurate records, but we rely on members keeping us up-to-date.
Members can at any time ask the Secretary for a copy of their recorded data. To request this, send an email to [email protected]
What is the data used for?
The data are only used for legitimate Association uses; these include:
Communication between committee members and other members as part of the daily running of the
Association; notification of Association meetings, the minutes of those meetings; the provision of seed catalogues.
What is the data NOT used for?
We will not disclose your data to other members or to third parties or use it on behalf of third parties.
Who has access to the data?
Only those who need access to the data have access. The following committee members have access to all the member data:
Chair, Secretary, Treasurer, Lettings secretary and Seed secretary
What happens when a member leaves the Association?
We do not keep data that is not needed for operation of the Association. The data for members who leave is held for at most 6 months, after which time it will be deleted from our records. We keep the data for a short period in the event that we need to communicate with a member who has recently left.
How do we protect the data?
The Data Protection Act does not specifically define the level of protection required for personal data, but rather recommends protection that is appropriate depending on the sensitivity of the data and the risks that might be incurred in the event of a security breach. The data that we keep is not classed by the Act as sensitive (examples of sensitive information are bank account details, ethnicity etc.). We therefore assume that the risks that we are exposed to are no greater than the risks of an individual providing the same data to a friend for social purposes.
The Secretary and Chair responsible for mass emails across the membership have accounts with strong passwords. Mass emails to the membership are sent blind (Bcc) so that addresses are not exposed.
Who is responsible for the implementation of this policy?
The Chair is responsible for ensuring that this policy is adhered to.
What if this policy changes?
Members will be notified of any updates to this policy.