The GDPR came into force on 25 May 2018.
Nidderdale Angling Club has a mass of records including meeting minutes, expired leases and members’ catch returns, match results and photographs. Some records go back to the formation of the club in 1897 and members and those interested in angling history sometimes contact the club asking to view this information.
- Old NAC records.
The club is permitted under the new laws to retain these records if it is necessary to do this for:
- Archiving purposes.
- Scientific or historical research.
- Statistical purposes.
However, the records must actually be needed for one of these purposes.
When retaining old records, where possible any personal data should be made anonymous. This may not be possible or necessary if:
- To do so would reduce the worth of the document.
- It would mean hours of searching and working on documents with very little return.
- It is unclear whether someone mentioned in the records is alive or deceased.
It is also worth bearing in mind that records that pre-date this data protection era would not have required the consent of members to archive their information at the time. This is not likely to be a problem with the ‘old’ material but it would be better if information collected from now on included consent from the person concerned.
Finally, the information has to be kept safe and secure, and information kept electronically should preferably be encrypted or protected with appropriate IT security. If different Committee members hold records, the club must decide how to keep, transfer or destroy records when they retire from the committee.
- NAC Membership records
Membership records bring in several aspects of the GDPR:
- The processing of a member’s details must be fair, lawful and transparent.
- The information should not be used for any other purpose without the absolute clear consent of the person to whom the record relates.
- Only the information needed to keep up membership should be collected.
To be lawful, the GDPR lists a series of criteria to be met to allow the club to hold the information. The most relevant of these are:
- Consent - (i.e. the member has given clear, positive permission for the club to hold all of the data provided for a specific purpose)
- Contract - The information is needed for the performance of a contract between the member and the club, namely the member is paying their subscription and the club is providing their sport.
There is a strong argument that by deciding to give the club their information members are obviously also giving their consent to it being used or processed. The GDPR does not introduce a requirement to go back and get consent now to hold existing members’ details; it just means that, going forward, the club should make sure all members have given consent to the club to hold their data for a specific purpose, which may not have been stated at the time they applied for membership.
The Membership Secretary should make reasonable efforts to keep information up-to-date and only keep it for as long as it is needed. If it is necessary to archive it then he should obtain the member’s consent to do this.
The club should only collect data that is actually needed. Some types of data used to be called ‘sensitive personal data’ but the GDPR has revised this description and it is now called ‘special categories’. These ‘special categories’ are data relating to:
- Race/ethnicity, Political opinions, Religious/philosophical beliefs, Trade union membership, Sexual orientation, Genetics, Biometrics (e.g. fingerprints).
Nidderdale Angling Club will not ask for or store any of the above special category data relating to its members.
It is sometimes necessary to ask for health data, for example, if a junior member attending a club course has a specific health problem. In every case there must be a reason for collecting it. The most relevant are likely to be:
- The person has given explicit consent.
- It is necessary to protect the vital interest of that person or another (for example, to make sure that if a person is taken ill on a fishing course, people will know how best to help them).
- Credit card or debit card information used to pay membership subscriptions is not in this list of ‘special data’. This information is confidential nonetheless. It will not be stored and will never be passed on.
Once a member’s information is no longer required it must be deleted/destroyed safely and a record kept that this has been done.
- Data retention - NAC has a simple retention and destruction policy. Details of lapsed members may be kept for 12 months (in case someone wants to re-join) then destroyed at the end of that time if they haven’t re-joined.
- Email - In the case of email communications to members, anyone signing up to them should be asked for clear consent to receive these communications. An email message often lists all the people it is sent to and their email addresses. Unless a member has specifically consented to sharing their name and email address with other members, the messages should be sent to ‘undisclosed recipients’ and the ‘BCC’ option used to protect members’ personal information.
- Social Media
Facebook pages may be available to anyone with access to the site and, as such, the clear consent of someone to include their photograph or video footage of them - even if they are not named - should be sought. Consent would be required even for posting on a private club Facebook group.
A member’s consent for NAC storage of their data can be withdrawn at any time by the member writing to or emailing the Membership Secretary.
- Club website
The club website will be administered in line with the new data protection law requirements. For photo galleries and other information about individuals the same requirements for consent as mentioned in 3 above apply.
The club’s privacy statement will be found on the website, but the Membership Secretary must be prepared to send a paper copy to anyone who does not use a computer. The privacy statement should be prominent and easily accessible.
The club’s data/records retention and destruction policy is as stated above.
If the website hosts a chat forum it should be monitored, and the club should be prepared to remove postings if necessary.
- Junior members
The GDPR states that anyone under the age of 16 cannot make decisions or requests about their personal data, only their parent or guardian can. However, the GDPR allows for Member States of the European Union (such as the UK) to set their own rule. The current draft of the Data Protection Bill lowers this age to 13 and it will probably stay that age when it is made law. The GDPR further states that any communications about data protection to a child should be in clear and plain language that they are likely to be able to understand.
Communications should be via parents.
- Events
Where there is an entry fee, the arrangement between NAC and the participants becomes a contractual one. Even without a fee there is a valid reason to continue collecting and sharing personal data relating to events (known as the “legitimate interests” condition). The written consent of all participants should be obtained when they ‘sign up’. It will make people more comfortable to know what is being done with their personal data, particularly if the participants are not club members.
- Angling-related crime and other offences
The handling of data about poachers and angling-related crime by the police and the Environment Agency will be covered by Part 3 of the new Data Protection Act. This is because GDPR does not specifically cover that type of data and the way that official bodies deal with it. It is dealt with by the EU’s Law Enforcement Directive. NAC can collect and pass on this data under the ‘Public Interest’ criteria in GDPR but as a working rule should only process what is needed and retain it for as short a time as is necessary.
- Sending personal data abroad
One area where the law has tightened considerably is where personal data is being sent outside of EU countries. This is because there are no given guarantees about the safety of data processing in those countries.
There is a potential security risk in sending NAC newsletters to members abroad. If such members give explicit consent for this then it is acceptable. Alternatively, if sending the newsletter is part of the contract between the member and the club (i.e. they have paid their membership subscription and a club newsletter is a membership benefit) there is an exception or ‘derogation’ to send the club news. The newsletter may of course contain other people’s personal data and it is a good idea to make sure that all members know that newsletters may be sent abroad.
- Paper and electronic records
Finally, if something does go wrong, the Membership Secretary or General Secretary is responsible for reporting to the Information Commissioner within 72 hours of discovering a data breach, but only if it represents a high risk to the data subject’s privacy rights.
Problems may be put to the Information Commissioner’s Office by calling their dedicated helpline aimed at small organisations on 0303 123 1113 and selecting option 4. Alternatively, check whether the resources published on the Information Commissioner’s website give an answer: www.ico.org.uk