Guidance

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject.  LALG also has a Cookie policy for the website but this will not directly concern GCs.

The following three documents can be viewed by selecting from the list at the bottom of this page.

  • LALG's Privacy Statement explaining how LALG handles personal data.
  • A document giving Guidance to Group Contacts on the steps they should take when handling any personal data about their Group members.
  • A document giving details of the General Data Protection Regulations.

It is likely that as a Group Contact you, or someone else in your group, will keep a list of your group members and it is therefore essential that you comply with the GDPR regulations set out in the Guidance.  LALG also keeps a list of all Group Contacts which may include emails, telephone numbers and addresses.  This data is held securely and the LALG Committee will only use it to let you know about LALG activities or to provide you with information relating to your position as a group contact.

Data Protection advice for Group Leaders and Group Contacts

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject.    In addition you can view the LALG Cookie policy.

Data Collection and Use

Personal information should be collected and used lawfully and fairly.  ‘Fair’ means that the individual should know who has their information and what it will be used for.  Information collected for one purpose should not be used for another.  So if someone gives you information for LALG purposes you should not use it for anything else – for example to promote a business, event, charity or political party.

The key things you need to know:

New data protection legislation was introduced in May 2018.  The definition of what is personal data remains the same and includes anything that can identify an individual: contact details, membership number or photos. 

We can only collect data which we have a valid reason for having, and which we have the owner’s consent to use. Sometimes explicit consent is not needed because it is obvious. Under the ‘contract’ that members have with LALG we do not need their consent to communicate with them, but even so we have to provide clear and simple information about how their data will be stored and used.

We must keep data safe (see Information Security). If it is online it should be password protected. If it is a paper record, it should be kept private and, when possible, locked away.

When we no longer need the data, for example when a member has left the group or after an event, we should safely destroy it.

So how does this apply to you as a Group Contact?

As a Group Contact you probably have a list of members in the group. Make sure you only have data that you have a valid reason for having. For example, if you will never email members don’t collect email addresses. 

If you meet in each other’s houses you will need to collect addresses.  Consider whether you should send a list to everyone in the group or just put the details for the next venue on the call up.

You should tell group members that you will abide by LALG's privacy statement. If they prefer a paper copy they should contact the LALG Secretary via the contact details on the website or in the newsletter.

If you intend to use the data for anything other than running your group you will need the explicit permission of the member.  For example, you can only take and store an image such as a photograph or video if you have the explicit consent of the member(s) involved.

You need to review how safely you are storing the data you hold. Take steps to avoid data going to anyone else. This includes within the group: so when emailing several members, use the bcc facility unless you have explicit permission to share those email addresses within the group.

Any data that you no longer need should be destroyed safely and securely.  This also applies if you step down as Group Contact. 

Summary Statements

For Members - It is best practice to add a footnote to any email, booking form, or leaflet saying:

'I will safely store your name, phone number and email address and will only use them to manage the group’s activities and to contact you about group events.'  (Note: Add address if you use this to contact people or meet at each other’s houses).

'If you give me your consent I will add your phone number/email address, address to my mailing list for other communications which might be of interest to you. You can withdraw your consent at any point by contacting me.'

(Only if relevant to your group) 'If you give me your consent I will take photographs/videos of group activities which might be used on public sites such as the LALG website or LALG Facebook page for promotional activities.'

'The full LALG Privacy Notice can be found on the LALG website (www.lalg.org.uk) by clicking on LALG Privacy Statement at the bottom of any page.'

For Non Members - Sometimes people who are not members of LALG join us at events or activities. If we collect data from them, we should also tell them how that data will be used. 

For example, on an email or booking form:

'I will safely store your name, phone number, email address, address (delete as applicable) and will only use them to manage the LALG event/activity (add details).  

The principles outlined in the LALG privacy notice apply and can be found on the LALG website (www.lalg.org.uk) by clicking on LALG Privacy Statement at the bottom of any page.'

If relevant you can add:

'If you give me your permission I will store your details and use them to send you future information about LALG events/activities.'

Introduction of General Data Protection Regulations – some key principles

From May 2018 the new General Data Protection Regulations (GDPR) will be in place.  The definition of what is personal data has been expanded and now includes almost anything that can be used to identify an individual, so this could be personal contact details, a membership number or a photo.  The key thing with all data is that there is a good reason to have it and consent to use it.

Reason – under GDPR we should not be collecting data for no good reason.

Consent – under GDPR a person must give positive consent.  They should have access to a clear and specific privacy statement that explains what the data they are providing will be used for.

Legitimate interests – there are situations where positive consent is not needed because use of data is implied in the activity the individual is taking part in.  Whilst positive consent might not be needed there should still be access to clear and simple information about how the data will be used.

Retention of Data – we need to be vigilant about how long we keep data, if we don’t need it any more we shouldn’t keep it.

Secure Storage – any electronic data should be in a secure password-protected environment.  Physically held data should be held locked and secured too.

Documentation and Process – there is a shift in emphasis to show compliance.  So having documentation is important, for example evidence of consent being given.

Reason, consent and legitimate interests

The key thing with all data is not that you have it as such – but that you have a good reason to have it and that you have consent to use it.

  • Reason: under GDPR you should not be collecting data for no good reason. Unless you have a genuine reason for having and using data then don’t ask for it. This is common sense really – and good practice. All it will do is take up digital or physical space – and if you have no use for it, it essentially exists only as a risk for you – so why have it at all?
  • Consent: this will perhaps be the biggest change. Previously consent could be implied by inaction or silence – it’s the pre-ticked box or ‘unless you tell us otherwise we will email you’ approach. Under GDPR consent will have to be positive – an individual will have to take definite action to say ‘you can have and use my data’ – so they tick the box rather than it being pre-ticked. They should also have access to a clear and specific privacy statement that explains what the data they are providing will be used for. It shouldn’t be a general catchall for all data and all use – it has to be specific to the data they are providing at the time.
  • Legitimate interests - there will be situations where you don’t need positive consent as use of data is implied in the activity the individual is taking part in. For example emailing a member of your group about a meeting change or fee reminder is legitimate interest and implied by being a member. Whilst positive consent might not be needed they should still have access to clear and simple information about how the data will be used.

Retention of data

One of the changes with GDPR is that you will need to be more vigilant with regard to how long you keep data for. It can be very easy to keep old data on a spreadsheet somewhere or locked away in a filing cabinet.  However, you should not hold and use data unless you have a good reason for doing so.

Removing old data may seem like an administrative burden. But tidying up data is a good administrative process to go through anyway – and if you don’t need the data, why have it? It takes up space and exists purely to create risk for you – which you can easily remove.

Having a regular review of the data you hold and how you use it is a good idea. But thinking about data retention and making sure your data is clean and useful should be an ongoing process. If you have some processes in place for cleaning data as you go, it will help ensure you are being fair and responsible in how you use data and reduce any risk to your group, not to mention making a regular data review much easier.

Have a process in place for reviewing your data on a regular basis. The point of this review should be to decide if you still have a good and fair reason to store and/or use the data, and that you have any necessary permissions in place.

Secure storage

Rules around how data is stored have not changed too much. But it’s always useful to have a reminder:

  • Any electronically held data should be in a password-protected, secure environment, and those passwords should be changed regularly.
  • It can be easy to focus on digital/electronic data for GDPR. Physically held data should be kept locked and secure too.

Summary Statements

On our general Data Protection Requirements Guidance page there are some summary statements to help you.