Guidance

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject.  The following four documents can be viewed by selecting from the list below this page.

  • A Statement to members explaining how LALG handles personal data.
  • A formal Notice describing conformance to the regulations.
  • A document giving Guidance to Group Contacts on the steps they should take when handling any personal data about their Group members.
  • A document giving details of the General Data Protection Regulations.

It is likely that as a Group Contact you, or someone else in your group, will keep a list of your group members and it is therefore essential that you comply with the GDPR regulations set out in the Guidance.  LALG also keeps a list of all Group Contacts which may include emails, telephone numbers and addresses.  This data is held securely and the LALG Committee will only use it to let you know about LALG activities or to provide you with information relating to your position as a group contact.

Privacy Statement for Members GDPR

The incorporation of the General Data Protection Regulation (GDPR) into the Data Protection Act 2018, effective 25 May 2018, replaced all previous data protection legislation. For Letchworth Arts and Leisure Group (LALG) there will be no changes to the data we collect from you or the information we send you.

As a member of LALG, it is essential that we continue to communicate with you. Currently we do this by email (if you have supplied an email address) or by post and occasionally by telephone. We also send you our monthly newsletter and put that on our website. We will continue to contact you in these ways. Additionally your group contact may send you details of activities they are organizing.

Our emails and letters to you will contain membership information, plus details of meetings and events organised by LALG. We will also continue to inform you of other events, meetings, exhibitions and our discount suppliers scheme. As before, such emails will still carry an ‘unsubscribe’ option in the footnote.

You can request to see your membership information that we have on file under your name. This is limited to the date you joined, your name, address, home and mobile telephone numbers and email address. We will also record whether you have paid your subscription but not your banking details.

We will continue our policy of not passing on your details to third parties other than for distribution of the newsletter, which is undertaken by our printers, and we use GDPR-compliant companies to distribute emails to you.

You can view the LALG Privacy Notice below or request a copy from the Secretary.

Privacy Notice

Why do we need your data?

We need to collect and store your name, address and email so that we can let you know what leisure opportunities are provided each month by Letchworth Arts and Leisure Group (LALG). We provide you with details of linked organisations and discount suppliers, and include some advertising in our monthly newsletter. We also track subscription payments. We use anonymised data for statistical purposes, for example to track survey responses and membership numbers year on year. We check what data we have on members every two years and remove it if we no longer need it. If you leave LALG we’ll make sure we remove and/or delete any data we don’t need to keep.

What do we use it for?

Any of the information listed might be needed to manage your membership with LALG and to run our activities including those organised by group contacts. We won’t ever use this information for anything else unless you give us your active consent for that additional use. We will also tell you about activities run by like-minded organisations and from time to time we will tell you about volunteering opportunities. We will always include opt-out options on all email communications. You can withdraw your consent at any time by contacting the LALG Secretary.

Do we share your data with anyone else? 

  • We will never give your data to third parties for them to use.
  • We will use third party services to send emails and our monthly newsletters. The Tourist Information Office and David’s Bookshop act as our agents for some purposes. We will make sure they are reputable and secure, and that your data is kept safe.
  • If another member of LALG asks for your contact details, we will only ever share them with your consent.

What can you ask us to do?

At any time you can ask to view, update or correct any data we hold on you. You can also ask that we stop using your data or that we erase it. To request any of these please contact the LALG Secretary.

If you’ve got a question who should you speak to?

The best person to speak to is the Data Protection Officer: dpo@lalg.org.uk 

Data Protection advice for Group Leaders and Group Contacts

This page provides information on how LALG handles personal data, and a statement of conformance to the regulations (known as GDPR) governing this subject.    In addition you can view the LALG Cookie policy.

Data Collection and Use

Personal information should be collected and used lawfully and fairly.  ‘Fair’ means that the individual should know who has their information and what it will be used for.  Information collected for one purpose should not be used for another.  So if someone gives you information for LALG purposes you should not use it for anything else – for example to promote a business, event, charity or political party.

The key things you need to know:

New data protection legislation was introduced in May 2018.  The definition of what is personal data remains the same and includes anything that can identify an individual: contact details, membership number or photos. 

We can only collect data which we have a valid reason for having, and for which we have the owner’s consent to using. Sometimes explicit consent is not needed because it is obvious. Under the ‘contract’ that members have with LALG we do not need their consent to communicate with them but even so we have to provide clear and simple information about how their data will be stored and used.

We must keep data safe (see Information Security). If it is online it should be password protected. If it is a paper record, it should be kept private and when possible locked away.

When we no longer need the data, for example when a member has left the group or after an event, we should safely destroy it.

So how does this apply to you as a Group Contact?

As a Group Contact you probably have a list of members in the group. Make sure you only have data that you have a valid reason for having. For example, if you will never email members don’t collect email addresses. 

If you meet in each other’s houses you will need to collect addresses.  Consider whether you should send a list to everyone in the group or just put the details for the next venue on the call up.

You should tell group members that you will abide by LALG’s privacy statement  www.lalg.org.uk/privacy.  If they prefer a paper copy they should contact the LALG Secretary via the contact details on the website or in the newsletter.

If you intend to use the data for anything other than running your group you will need the explicit permission of the member.  For example, you can only take and store an image such as a photograph or video if you have the explicit consent of the member(s) involved.

You need to review how safely you are storing the data you hold. Take steps to avoid data going to anyone else. This includes within the group: so when emailing several members, use the bcc facility unless you have explicit permission to share those email addresses within the group.

Any data that you no longer need should be destroyed safely and securely.  This also applies if you step down as Group Contact. 

Summary Statements

For Members - It is best practice to add a footnote to any email, booking form, or leaflet saying:

'I will safely store your name, phone number and email address and will only use them to manage the group’s activities and to contact you about group events.'  (Note: Add address if you use this to contact people or meet at each other’s houses).

'If you give me your consent I will add your phone number/email address/address to my mailing list for other communications which might be of interest to you. You can withdraw your consent at any point by contacting me.'

(Only if relevant to your group) 'If you give me your consent I will take photographs/videos of group activities which might be used on public sites such as the LALG website or LALG Facebook page for promotional activities.'

'The full LALG Privacy Notice can be found on the LALG website by clicking on LALG Privacy Statement at the bottom of any page.'

For Non Members - Sometimes people who are not members of LALG join us at events or activities. If we collect data from them, we should also tell them how that data will be used. 

For example, on an email or booking form:

'I will safely store your name, phone number, email address, address (delete as applicable) and will only use them to manage the LALG event/activity (add details).  

The principles outlined in the LALG privacy notice apply and can be found on the LALG website by clicking on LALG Privacy Statement at the bottom of any page.'

If relevant you can add:

'If you give me your permission I will store your details and use them to send you future information about LALG events/activities.'

GDPR Detailed Guidance

Introduction of General Data Protection Regulations – some key principles

From May 2018 the new General Data Protection Regulations (GDPR) will be in place.  The definition of what is personal data has been expanded and now includes almost anything that can be used to identify an individual, so this could be personal contact details, a membership number or a photo.  The key thing with all data is that there is a good reason to have it and consent to use it.

Reason – under GDPR we should not be collecting data for no good reason.

Consent – under GDPR a person must give positive consent.  They should have access to a clear and specific privacy statement that explains what the data they are providing will be used for.

Legitimate interests – there are situations where positive consent is not needed because use of data is implied in the activity the individual is taking part in.  Whilst positive consent might not be needed there should still be access to clear and simple information about how the data will be used.

Retention of Data – we need to be vigilant about how long we keep data; if we don’t need it any more we shouldn’t keep it.

Secure Storage – any electronic data should be in a secure password-protected environment.  Physically held data should be held locked and secured too.

Documentation and Process – there is a shift in emphasis to show compliance.  So having documentation is important, for example having evidence of consent being given.

Reason, consent and legitimate interests

The key thing with all data is not that you have it as such – but that you have a good reason to have it and that you have consent to use it.

  • Reason: under GDPR you should not be collecting data for no good reason. Unless you have a genuine reason for having and using data then don’t ask for it. This is common sense really – and good practice. All it will do is take up digital or physical space - and if you have no use for it, it essentially exists only as a risk for you – so why have it at all?
  • Consent: this will perhaps be the biggest change. Previously consent could be implied by inaction or silence – it’s the pre-ticked box or ‘unless you tell us otherwise we will email you’ approach. Under GDPR consent will have to be positive – an individual will have to take definite action to say ‘you can have and use my data’ – so they tick the box rather than it being pre-ticked. They should also have access to a clear and specific privacy statement that explains what the data they are providing will be used for. It shouldn’t be a general catchall for all data and all use – it has to be specific to the data they are providing at the time.
  • Legitimate interests - there will be situations where you don’t need positive consent as use of data is implied in the activity the individual is taking part in. For example emailing a member of your group about a meeting change or fee reminder is legitimate interest and implied by being a member. Whilst positive consent might not be needed they should still have access to clear and simple information about how the data will be used.

Retention of data

One of the changes with GDPR is that you will need to be more vigilant with regards to how long you keep data for. It can be very easy to keep old data on a spreadsheet somewhere or locked away in a filing cabinet.  However, you should not hold and use data unless you have a good reason for doing so.

Removing old data may seem like an administrative burden. But tidying up data is a good administrative process to go through anyway – and if you don’t need the data, why have it? It takes up space and exists purely to create risk for you – which you can easily remove.

Having a regular review of the data you hold and how you use it is a good idea. But thinking about data retention and making sure your data is clean and useful should be an ongoing process. If you have some processes in place for cleaning data as you go, it will help ensure you are being fair and responsible in how you use data and reduce any risk to your group, not to mention making a regular data review much easier.

Have a process in place for reviewing your data on a regular basis. The point of this review should be to decide if you still have a good and fair reason to store and/or use the data, and that you have any necessary permissions in place.

Secure storage

Rules around how data is stored have not changed too much. But it’s always useful to have a reminder:

  • Any electronically held data should be in a password-protected, secure environment, and those passwords should be changed regularly.
  • It can be easy to focus on digital/electronic data for GDPR. Physically held data should be kept locked and secure too.

Summary Statements

On our general Data Protection Requirements Guidance page there are some summary statements to help you.

 
