Guidance

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject.  LALG also has a Cookie policy for the website but this will not directly concern GCs.

The following three documents can be viewed by selecting from the list at the bottom of this page.

  • LALG's Privacy Statement explaining how LALG handles personal data.
  • A document giving Guidance to Group Contacts on the steps they should take when handling any personal data about their Group members.
  • A document giving details of the General Data Protection Regulations.

It is likely that as a Group Contact you, or someone else in your group, will keep a list of your group members and it is therefore essential that you comply with the GDPR regulations set out in the Guidance.  LALG also keeps a list of all Group Contacts which may include emails, telephone numbers and addresses.  This data is held securely and the LALG Committee will only use it to let you know about LALG activities or to provide you with information relating to your position as a group contact.

LALG PRIVACY STATEMENT

Who we are

We are Letchworth Arts and Leisure Group, a voluntary membership organisation. Our object is to further arts and leisure activities in Letchworth Garden City and the surrounding area.

Our Privacy Statement sets out:

  • How we use any personal information we collect about you when you become a Member of LALG, or register on our website;
  • Who we share your information with, why and on what basis; and
  • What your rights are.

How we collect information from you

We obtain information about you when you join LALG, either via our website, our application form or over the telephone.

The type of personal information we collect
We currently collect and process the following information:

Required
Name
Address

Optional
Home and/or mobile telephone numbers
Email address
Year of birth

If registered on our website (for which a user does not have to be a Member)
Email address
User name
Encrypted password
Nickname (name a user is known by on the site)
Activity groups a user has subscribed to
Online events a user has registered for

We also record your date of joining/renewal date and whether your annual membership fee has been paid, but not your banking or payment card details.

How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you when you join LALG. We collect this information for the purposes of managing your membership and to provide you with information about LALG and associated organisations.

Associated groups include linked organisations, discount suppliers and those with which we collaborate such as the Letchworth Festival.

We use anonymised data for statistical purposes, for example to track membership numbers and demographic information year on year, and survey responses. 

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are: 


  • Your consent. You are able to remove your consent at any time but by doing so you may terminate your membership if we do not have sufficient information to manage it. If you want to remove your consent you can do this by contacting LALG’s Membership Team at membership@lalg.org.uk. You can also opt out of receiving our emails by using the ‘unsubscribe’ option in the email footnote. 
  • We have a legitimate interest because you have chosen to join LALG and we need to manage your membership.

We do not pass personal data to any third party other than for the distribution of our newsletter, email communications, payment processing and event management. We ensure that the third parties we use are also GDPR compliant.

If another member of LALG asks for your contact details, we will only ever share them with your consent.


How we store your personal information
The bulk of your personal information is securely stored on our membership database. You can access and update your own data by registering on our website.

We keep your details on our membership database for the duration of your membership plus one year, after which your details will be permanently deleted. In certain circumstances, the retention period after termination of your membership will be less.

If any of your personal information is held elsewhere (for example by a Group Contact if you are a member of, or interested in, their group) there is a requirement to ensure that it is also held securely and confidentially, and permanently deleted when it is no longer required.

Your data protection rights
Under data protection law, you have rights including: 

  • Your right of access - You have the right to ask us for copies of your personal information. 
  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 
  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances. 
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances. 
  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances. 
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact LALG’s Data Protection Officer at dpo@lalg.org.uk if you wish to make a request.

How to complain
If you have any concerns about our use of your personal information, you can make a complaint by contacting LALG’s Data Protection Officer at dpo@lalg.org.uk.

You can also complain to the ICO if you are unhappy with LALG’s response to your complaint.

The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

This updated version was accepted by email and approved at the committee meeting on 22 January 2024.


Data Protection advice for Group Leaders and Group Contacts

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject. In addition you can view the LALG Cookie policy.

Data Collection and Use

Personal information should be collected and used lawfully and fairly. ‘Fair’ means that the individual should know who has their information and what it will be used for. Information collected for one purpose should not be used for another. So if someone gives you information for LALG purposes you should not use it for anything else – for example to promote a business, event, charity or political party.

The key things you need to know:

New data protection legislation was introduced in May 2018.  The definition of what is personal data remains the same and includes anything that can identify an individual: contact details, membership number or photos. 

We can only collect data which we have a valid reason for having, and which we have the owner’s consent to use. Sometimes explicit consent is not needed because it is obvious. Under the ‘contract’ that members have with LALG we do not need their consent to communicate with them, but even so we have to provide clear and simple information about how their data will be stored and used.

We must keep data safe (see Information Security). If it is online it should be password protected. If it is a paper record, it should be kept private and, when possible, locked away.

When we no longer need the data, for example when a member has left the group or after an event, we should safely destroy it.

So how does this apply to you as a Group Contact?

As a Group Contact you probably have a list of members in the group. Make sure you only have data that you have a valid reason for having. For example, if you will never email members don’t collect email addresses. 

If you meet in each other’s houses you will need to collect addresses.  Consider whether you should send a list to everyone in the group or just put the details for the next venue on the call up.

You should tell group members that you will abide by LALG's privacy statement. If they prefer a paper copy they should contact the LALG Secretary via the contact details on the website or in the newsletter.

If you intend to use the data for anything other than running your group you will need the explicit permission of the member. For example, you can only take and store an image such as a photograph or video if you have the explicit consent of the member(s) involved.

You need to review how safely you are storing the data you hold. Take steps to avoid data going to anyone else. This includes within the group: so when emailing several members, use the bcc facility unless you have explicit permission to share those email addresses within the group.

Any data that you no longer need should be destroyed safely and securely.  This also applies if you step down as Group Contact. 

Summary Statements

For Members - It is best practice to add a footnote to any email, booking form, or leaflet saying:

'I will safely store your name, phone number and email address and will only use them to manage the group’s activities and to contact you about group events.'  (Note: Add address if you use this to contact people or meet at each other’s houses).

'If you give me your consent I will add your phone number/email address, address to my mailing list for other communications which might be of interest to you. You can withdraw your consent at any point by contacting me.'

(Only if relevant to your group) 'If you give me your consent I will take photographs/videos of group activities which might be used on public sites such as the LALG website or LALG Facebook page for promotional activities.'

'The full LALG Privacy Notice can be found on the LALG website (www.lalg.org.uk) by clicking on LALG Privacy Statement at the bottom of any page.'

For Non Members - Sometimes people who are not members of LALG join us at events or activities. If we collect data from them, we should also tell them how that data will be used. 

For example, on an email or booking form:

'I will safely store your name, phone number, email address, address (delete as applicable) and will only use them to manage the LALG event/activity (add details).  

The principles outlined in the LALG privacy notice apply and can be found on the LALG website (www.lalg.org.uk) by clicking on LALG Privacy Statement at the bottom of any page.'

If relevant you can add:

'If you give me your permission I will store your details and use them to send you future information about LALG events/activities.'

Introduction of General Data Protection Regulations – some key principles

From May 2018 the new General Data Protection Regulations (GDPR) will be in place.  The definition of what is personal data has been expanded and now includes almost anything that can be used to identify an individual, so this could be personal contact details, a membership number or a photo.  The key thing with all data is that there is a good reason to have it and consent to use it.

Reason – under GDPR we should not be collecting data for no good reason.

Consent – under GDPR a person must give positive consent.  They should have access to a clear and specific privacy statement that explains what the data they are providing will be used for.

Legitimate interests – there are situations where positive consent is not needed because use of data is implied in the activity the individual is taking part in.  Whilst positive consent might not be needed there should still be access to clear and simple information about how the data will be used.

Retention of Data – we need to be vigilant about how long we keep data, if we don’t need it any more we shouldn’t keep it.

Secure Storage – any electronic data should be in a secure password-protected environment.  Physically held data should be held locked and secured too.

Documentation and Process – there is a shift in emphasis to show compliance.  So having documentation is important for example having evidence of consent being given.

Reason, consent and legitimate interests

The key thing with all data is not that you have it as such – but that you have a good reason to have it and that you have consent to use it.

  • Reason: under GDPR you should not be collecting data for no good reason. Unless you have a genuine reason for having and using data then don’t ask for it. This is common sense really – and good practice. All it will do is take up digital or physical space - and if you have no use for it, it essentially exists only as a risk for you – so why have it at all?
  • Consent: this will perhaps be the biggest change. Previously consent could be implied by inaction or silence – it’s the pre-ticked box or ‘unless you tell us otherwise we will email you’ approach. Under GDPR consent will have to be positive – an individual will have to take definite action to say ‘you can have and use my data’ – so they tick the box rather than it being pre-ticked. They should also have access to a clear and specific privacy statement that explains what the data they are providing will be used for. It shouldn’t be a general catchall for all data and all use – it has to be specific to the data they are providing at the time.
  • Legitimate interests - there will be situations where you don’t need positive consent as use of data is implied in the activity the individual is taking part in. For example emailing a member of your group about a meeting change or fee reminder is legitimate interest and implied by being a member. Whilst positive consent might not be needed they should still have access to clear and simple information about how the data will be used.

Retention of data

One of the changes with GDPR is that you will need to be more vigilant with regards to how long you keep data for. It can be very easy to keep old data on a spreadsheet somewhere or locked away in a filing cabinet.  However, you should not hold and use data unless you have a good reason for doing so.

Removing old data may seem like an administrative burden. But tidying up data is a good administrative process to go through anyway – and if you don’t need the data, why have it? It takes up space and exists purely to create risk for you – which you can easily remove.

Having a regular review of the data you hold and how you use it is a good idea. But thinking about data retention and making sure your data is clean and useful should be an ongoing process. If you have some processes in place for cleaning data as you go, it will help ensure you are being fair and responsible in how you use data and reduce any risk to your group, not to mention making a regular data review much easier.

Have a process in place for reviewing your data on a regular basis. The point of this review should be to decide if you still have a good and fair reason to store and/or use the data, and that you have any necessary permissions in place.

Secure storage

Rules around how data is stored have not changed too much. But it’s always useful to have a reminder:

  • Any electronically held data should be in a password-protected, secure environment, and those passwords should be changed regularly.
  • It can be easy to focus on digital/electronic data for GDPR. Physically held data should be kept locked and secure too.

Summary Statements

On our general Data Protection Requirements Guidance page there are some summary statements to help you.