ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ②
This OLD version (1.3) of this page is being retained for ICO audit purposes. It was replaced by version 1.4 dated 15th October 2018.
Q. HOW does the Policy impact AVSFHG and how do we implement it?
RELEVANCE TO AVSFHG
Obviously the foregoing affects how AVSFHG processes members' data. The data we hold primarily surrounds their membership and the access to reduced event-entry fees that it gives them, but can spill over for some of our members into specialised areas such as fieldwork — and family-tree tracing performed for people other than themselves.
The Group's prime interest is in "family history", as indeed its own name suggests. Fortunately for us, processing of personal data by a natural person in the course of a purely personal or household activity is not affected by the new Regulation.
IMPLEMENTATION WITHIN AVSFHG
"Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller." In our case, therefore, the "data controller" is embodied in the Committee, whose members at any particular time are responsible jointly and individually for ensuring compliance.
The Committee "will be responsible as data controller for ensuring that the records are held securely. It should undertake the necessary risk assessments. This means documenting the path of the data as it enters and leaves the society's control and assessing the risk of a data security breach — accidental loss, destruction or damage — at each stage."
The "data processors" (or "information officers" as we prefer to call them) are limited to four specific posts within the Committee, namely the Secretary, the Membership Secretary, the Newsletter Editor and the Publicity Officer. Currently, the latter two posts are held by the same person. The individuals occupying those posts at any particular time are indicated on the AVSFHG "Contact us" webpage, with a letter "ℹ︎" denoting an "information officer". Only those persons are privy to members' data.
There is also an implicit need for the Auditor, who will not be a Committee member or indeed may not even be an AVSFHG member at all, to be able to perform the annual audit to ensure compliance with a legal obligation.
INFORMATION THAT WE HOLD AND ITS INTERNAL COMMUNICATION
Essentially, there are ten areas of data that we might hold —
1. Membership data, comprising name, and email or (exceptionally) home address;
2. Committee members' contact details displayed on the website and/or listed in the Newsletter;
3. Publicity Officer's mailing list (of media and local organisations with an interest in history, culled from the public domain);
4. Membership data of ex-members who haven’t renewed their subscription;
5. Mailing list of people who have indicated a wish to be kept in touch with our activities;
6. Family research contracts, though none are in progress just now;
7. Notes made during similar ad-hoc searches for those attending the Help Centre;
8. Fieldwork data, though no fieldwork is in progress just now;
9. Historic reports on the database about fieldwork, events and talks;
10 Help Centre rotas of volunteers on duty (public versions show surname as initial only).
The existing internal procedures already mean that the Treasurer has no "need to know" members' identities. The banking of cash sums by the Membership Secretary is depersonalised, even if it relates only to one member. One exception is when an individual pays their membership fee by electronic transfer direct into the AVSFHG bank account, rather than in cash, as is more normal — it is deemed that the payer, by opting to use that alternative payment method, has implicitly agreed to disclosure of their identity for purposes of correctly linking their payment back to them. Another exception, of course, is the receipt of personal donations to the Group.
Between the ex-officio information officers identified above, information is transferred using the paper forms, which are subsequently filed away in lockable cabinets. Electronic files are password-protected, periodically validated, and superfluous or obsolete data removed.
Committee members are to be asked what contact details they are willing to have displayed on the website. Similarly, robust mechanisms will be put in place when the next family-search contract is offered to us.
The media and other organisations who receive the Publicity Officer's news bulletins are routinely asked if they prefer not to be circulated. Similarly, the ex-members, and those on the mailing-list of interested people, have recently been asked for their continued consent to our holding their personal data, or they will be removed from our mailing lists.
We maintain that the purpose of the Group, as indeed its name implies, is to build up a corpus of knowledge and not simply discard it. This is the express aim of our fieldwork, and to deliberately dispose of reports on our talks would represent a discourtesy to our speakers.
Digital copies of "family history" data will be stored indefinitely. It is in the nature of genealogy that those with an interest may wish to revisit at some future date the services that we provide, and at that time a copy of knowledge collected should be available. Related email communications will be held for a year after the completion of any research, to provide continuity of service in the event of subsequent query or a request for further research. Email communications for potential clients will be retained for a similar period.
We currently have no overseas communications, whether within or outside the EU. Processes will be put in place should this situation change.
NEXT: ➡︎ WHO does what?