ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ②
Changes at Version 1.8 (from V1.6) are highlighted in red, and will remain so until the next Version or for at least six months.
Q. HOW does the Policy impact AVSFHG and how do we implement it?
RELEVANCE TO AVSFHG
Obviously the foregoing affects how AVSFHG processes members' data. The data we hold primarily surrounds their membership and the access to reduced event-entry fees that it gives them, but can spill over for some of our members into specialised areas such as fieldwork — and family-tree tracing performed for people other than themselves.
The Group's prime interest is in "family history", as indeed its own name suggests. Fortunately for us, processing of personal data by a natural person in the course of a purely personal or household activity is not affected by the new Regulation.
IMPLEMENTATION WITHIN AVSFHG
"Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller." In our case, therefore, the "data controller" is embodied in the Committee, whose members at any particular time are responsible jointly and individually for ensuring compliance.
The Committee "will be responsible as data controller for ensuring that the records are held securely. It should undertake the necessary risk assessments. This means documenting the path of the data as it enters and leaves the society's control and assessing the risk of a data security breach — accidental loss, destruction or damage — at each stage."
The "data processors" (or "information officers" as we prefer to call them) are limited to four specific posts within the Committee, namely the Secretary, the Membership Secretary, the Newsletter Editor and the Publicity Officer. Currently, the latter two posts are held by the same person. The individuals occupying those posts at any particular time are indicated on the AVSFHG "Contact us" webpage, with a letter "ℹ︎" denoting an "information officer". Only those persons are privy to members' data.
There is also an implicit need for the Auditor, who will not be a Committee member or indeed may not even be an AVSFHG member at all, to be able to perform the annual audit to ensure compliance with a legal obligation.
INFORMATION THAT WE HOLD AND ITS INTERNAL COMMUNICATION
For ICO audit purposes, the previous version (1.6) of this page ② can be seen here.
Essentially, there are 18 areas of data that we might hold —
1. Paid-up Membership data, comprising name, email and home address;
2. Listing of new paid-up Members' names in the Newsletter;
3. Membership data of ex-members who haven’t renewed their subscription;
4. Committee members' contact details displayed on the website and/or listed in the Newsletter;
5. Internal List of "Contact Details for AVSFHG Committee" (circulated confidentially);
6. Help Centre rotas of volunteers on duty;
7. Publicity Officer's mailing list;
8. Speakers' Contact Details;
9. Mailing list of people who have indicated a wish to be kept in touch with our activities;
10. "Members' Interest Register" and incoming "Possible Match of Interests" form;
11. "AVSFHG Facebook Group Surname Interests" list (via Closed Group);
12. Family research contracts, though none are in progress just now;
13. Notes made during similar ad-hoc searches for those attending the Help Centre or who have enquired from out-of-area via email;
14. Fieldwork data, though no fieldwork is in progress just now;
15. Historic reports on the database about fieldwork, events and talks;
16. Overseas Communications (only rare emailed family-history enquiries occur);
17. Help Centre log, and record of borrowers of Help Centre resources;
18. Incoming emails to the Zoom Host, from Members and "Visitors", wishing to attend Zoom meetings.
Between the ex-officio information officers identified in the "Implementation" Section above, information is transferred using the paper forms, which are subsequently filed away in lockable cabinets. Electronic files are password-protected, periodically validated, and superfluous or obsolete data removed. The Treasurer is not one of those officers.
1. The existing internal procedures already mean that the Treasurer has no "need to know" members' identities. The banking of cash sums by the Membership Secretary is depersonalised, even if it relates only to one member. One exception is when an individual pays their membership fee by electronic transfer direct into the AVSFHG bank account, rather than in cash, as is more normal — it is deemed that the payer, by opting to use that alternative payment method, has implicitly agreed to disclosure of their identity for purposes of correctly linking their payment back to them. Another exception, of course, is the receipt of personal donations to the Group.
2. New paid-up Members' names are listed in the Newsletter, with their specific permission, which is obtained by the holder of the "New Members' Welcome" post.
3. Details of expired memberships will be deleted after six months, around July of each year.
4. Incoming Committee members are to be asked what contact details they are willing to have displayed on the website and/or in the Newsletter. Those already in post have each completed and signed the Consent Form.
5. It is agreed that the internal list of "Contact Details for AVSFHG Committee" continues to be maintained and circulated privately by the Secretary to assist the smooth, timely and reactive running of the Committee between meetings (such as with the countersigning of payment cheques), and we consider that no process change is necessary. A broadly similar list is maintained confidentially by the Webmaster to link the generic email-addresses on the «Contact Us» webpage with each individual's personal email address, for exchange with the website service-provider One Suffolk, so that incoming emails are correctly redirected.
6. The quarterly Help-Centre rotas of Volunteers on duty are only circulated internally to those directly involved. They now show just first names (plus surname initials where necessary) and personal phone numbers. The redacted names-only version, for access from the "Help Centre" webpage, will no longer be produced.
7. The media and those local organisations with an interest in history, who receive the Publicity Officer's news bulletins, are culled from the public domain and are routinely asked if they prefer not to be circulated.
8. The "Speaker's Receipt & Consent Form", which contains their name and address, is kept by the Treasurer for audit purposes. In the unlikely event that the Webmaster has to remove any personal data from the website for which consent has been denied on the form, that is done as promptly as possible, whilst the Secretary and Publicity Officer are informed of any restrictions as necessary.
9. Those on the mailing-list of interested people were circulated during Spring 2018 for their continued consent to our holding their personal data, or they would be removed from our mailing lists. They will be circulated again every two years.
10. Any paid-up member can complete an input form on our website, to supply surnames of interest to them for inclusion on the Members' Interest Register, which is hosted on the Family History Federation's website. A matching incoming «Possible match of interests» online form is also available.
11. Members of the Facebook group (established in March 2018 when the imminence of GDPR was already well known) can choose to register on the online "AVSFHG Facebook Group Surname Interests" list, which any of the closed-group members can read. The list is maintained only by the Facebook Administrator. It is deemed that the Facebook Members have implicitly given consent to our holding that offered personal data, so that the mutual register can operate as intended, aiding the applicants' personal family-history searches. Every two years they will be reminded via Facebook to permit their continued appearance in the interest-list.
12. Similarly, robust documentary mechanisms will be put in place when the next family-search contract is offered to us.
13-15. We maintain that the purpose of the Group, as indeed its name implies, is to build up a corpus of knowledge and not simply discard it. This is the express aim of our fieldwork, and to deliberately dispose of reports on our talks would represent a discourtesy to our speakers.
Digital copies of "family history" data will be stored indefinitely. It is in the nature of genealogy that those with an interest may wish to revisit at some future date the services that we provide, and at that time a copy of knowledge collected should be available. Related email communications will be held for a year after the completion of any research, to provide continuity of service in the event of subsequent query or a request for further research. Email communications for potential clients will be retained for a similar period.
16. We currently have no overseas communications, whether within or outside the EU. Processes will be put in place should this situation change.
17. The Help Centre Attendance Book is maintained for insurance and health & safety reasons, and should be signed by EVERYONE attending. Paid-up Members may borrow items from our Help Centre, such as reference books and CDs, for a month at a time, and these should be signed out, also in the Attendance Book. As the Membership Secretary might not have the Member's contact address and phone number, they are both to be noted in the book too, to aid any active recovery. This is in order to protect the Group's assets and for the mutual benefit of all Members. A copy of this Clause is to be affixed to the Attendance Book.
18. Incoming emails from Members and "Visitors" wishing to attend Zoom meetings may be authored by the senders, or generated by the «Book for our next Zoom talk» online facility. They are deleted when acted upon.