WHO?

ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ③

Q. WHO does what?

EFFECT UPON AVSFHG MEMBERS

The practical effect for existing and new members is that they are asked to sign a paper form permitting the holding of a minimum amount of information about them, so that they can enjoy the rights of membership, such as reduced entry fees to AVSFHG events and talks, and confirming that they have read, understood and agreed to this our Policy before their application can be processed further.

Similarly, potential members joining online are asked to "read our current GDPR webpage AND, by ticking the relevant box(es), consent to the personal details you supply being stored on our database".

The Policy resides on the website as a sub-page of the Home page, with a link from the Membership page.

The Group's income, including membership fees, is received almost entirely in cash. Therefore, the only data required on the membership form — which is also downloadable — is the joining member's name and preferably their email address. If their email address is not forthcoming — and no reason need be given — a postal address will be required instead. This is so that the individual can receive the Newsletter.

EFFECT UPON COMMITTEE MEMBERS, SPEAKERS AND ADDITIONAL ACTIVITIES

Parallel processes are being put in place to cover the publication of Committee members' details and of our Speakers' details on the AVSFHG website and/or in the Newsletter — and in due course further processes to cover our fieldwork and the tracing of members' family histories at their request.

CHANGES TO ADMINISTRATIVE PROCESSES AND FORMS

The right to withdraw consent to data being held and the "right of access" by a member to know what information is held about them are both being incorporated into a process that involves a member's written, typically emailed, application to the Secretary. As for the requested information, the UK's Information Commissioner's Office (ICO) suggests that it "must be provided without delay and at the latest within one month of receipt" of the enquiry.

From May 2018, all AVSFHG's paper forms are marked with the version number of the Policy current at the time that they were last amended. The current valid versions are listed at the end of the Policy page.

The forms also make clear that consent is given in accordance with the version of the Policy on the website on the day of signature, so that it is clear and verifiable what the person has signed up to. Exceptionally, as each Speaker's individual Receipt & Consent form is adjusted to suit them for name, address, circumstances, etc, yet based on the original version 1.0, they are numbered sequentially 1.0A, 1.0B, 1.0C, etc — there is no expectation of a redesign of the skeleton form.

NON-REGISTRATION WITH THE ICO

We consider that we are not required to register with (or "notify") the ICO, because of the following guidance copied verbatim from their website at https://ico.org.uk/for-organisations/data-protection-fee/faqs/ on 8th June 2018 —

Q. "We are a not-for-profit organisation — do we need to pay a fee?

A. "You do not have to pay a fee if your organisation was established for not-for-profit making purposes and does not make a profit. ...

"You must —
— only process information necessary to establish or maintain membership or support;
— only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
— only hold information about individuals whose data you need to process for this exempt purpose [and] the personal data you process is restricted to personal information that is necessary for this exempt purpose;
— only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration."

We may continue to hold personal data beyond its currency, but only for audit purposes. Apart from that, we consider that we fully comply with the stated conditions. Furthermore, the ICO registration self-assessment process states that "organisations ... who only process personal data for ... domestic or recreational reasons are exempt, [so] do not have to pay a fee to the ICO".