Data Protection and Privacy


Your Privacy is important to us!

This Policy was adopted and approved at the Executive Committee Meeting on 27th March 2018



Edenbridge U3A
Protection and Privacy Policy

ABOUT THIS POLICY
This policy applies to the work of Edenbridge U3A (referred to as ‘the U3A’). It sets out the requirements under which the U3A must gather personal information for membership purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the EU General Data Protection Regulation of 25th May 2018. The policy is reviewed on an ongoing basis by the U3A Committee Members to ensure that the U3A is compliant.

The Policy is in three parts as follows: -

  1. General Data Protection and Privacy. This part is for those who would like an overview in relatively straightforward terms about the way we collect, store and share data within the U3A.
  2. Privacy Advice. This is accessible to all and contains advice for all members and Group Contacts relating to keeping our data as secure as we possibly can. This section replaces the Privacy Advice section formerly displayed on the website.
  3. General Principles and Advice for Committee Members. This part is open to all and gives advice on the implementation of the policy by the Committee and others such as Group Contacts.

1. General Data Protection and Privacy

Why this policy exists
This policy ensures that the U3A:

  • Complies with data protection law and follows good practice.
  • Protects the rights of members, the Committee, Speakers, Partners and Neighbouring U3As with whom we have an agreement.
  • Is open about how it stores and processes members’ data.
  • Protects itself from the risks of a data breach.

Edenbridge U3A treats your privacy rights seriously. This policy sets out how we will deal with your ‘personal information’, that is, information that could identify, or is related to the identity of, an individual.

What personal information do we collect?
When you express an interest in becoming a member of the U3A you will be asked to provide certain information. This includes:

  • Name
  • Home address
  • Email address (if you have one)
  • Telephone numbers (Home and Mobile as appropriate)
  • Your Group Preferences

How do we collect this personal information?
All the information collected is obtained directly from you. This is usually at the point of your initial registration. The information will be collected via the membership application forms and renewal forms. At the point that you provide your personal information for membership purposes, we will also request that you provide consent for us to store and use your data (with effect from June 2018). Your consent is required in order to ensure our compliance with data protection legislation. See Appendix One.

How do we use your personal information?
We use your personal information:

  • To provide our U3A activities and services to you.
  • For administration, planning and management of our U3A.
  • To liaise with U3A Head Office for the distribution of the U3A Magazine.
  • To communicate with you about your group activities.
  • To monitor, develop and improve the provision of our U3A activities.
  • To keep you fully informed of activities via the Monthly Email Newsletter and any other electronic or standard communication.

We may send you, as required, messages by email, other digital methods, telephone and post to advise you of U3A activities.

Who do we share your personal information with?
We may disclose information about you, including your personal information: -
  • Internally - to Committee Members and Group Contacts as required to facilitate your participation in our U3A activities.
  • Externally – with your consent for services such as direct mailing for the Trust magazines (Third Age Matters and Sources) and/or if we have a statutory duty to disclose it for other legal and regulatory reasons.

Where we need to share your information outside of the U3A we will seek your permission (usually on initial membership and renewal documents).

How long do we keep your personal information?
We need to keep your information so that we can provide our services to you. In most instances, information about your membership will not be stored for longer than 12 months after you have left the U3A with the exception of the Email Newsletter from which we ask you to “Unsubscribe” when you no longer wish to receive it. The exceptions to this are instances where there may be legal or insurance circumstances that require information to be held for longer whilst this is investigated or resolved. Where this is the case then the member(s) will be informed as to how long the information will be held for and when it is deleted.

How your information can be updated or corrected
To ensure the information we hold is accurate and up to date, members need to inform the U3A as to any changes to their personal information. You can do this by contacting the Membership Secretary at any time at membership@edenbridgeu3a.co.uk. Details are on the website in the “Contact Us” section on the HOME Page.

On an annual basis you will have the opportunity to update your information, as required, via the membership renewal form. Should you wish to view the information that the U3A holds on you, you can make this request in writing or email by contacting the Membership Secretary – as detailed above. There may be certain circumstances where we are not able to comply with this request. This would include where the information may contain references to another individual or for legal, investigative or security reasons. Otherwise we will usually respond within 14 days of the request being made.

How do we store your personal information?
Your membership information is held in the following ways: -

  • On your original application form and renewal forms which are held securely by the Membership Secretary.
  • In spreadsheets accessed by Committee Members only.
  • By Group Contacts, who may apply to a Committee Member for contact details about an individual member.
  • By Group Contacts, who may hold contact details about members of their group supplied by the members themselves. This in turn may be shared with other members of the same group.
  • The Treasurer will hold information on a spreadsheet about payment of subscriptions.

SECURITY ON THE EDENBRIDGE U3A WEBSITE
No information about individual members is collected or stored on the Edenbridge U3A Website as members do not currently need to register or login to any online services. If this situation were to change, secure log-in and data storage safeguards would be put into place. The only exception to this is the display of contact details for the Committee Members and Group Contacts and the following safeguards are in place: -

  • All email addresses on the website (Committee and Group Contacts) are displayed in the format of "forwarding" email addresses which forward to personal email addresses, e.g. admin@edenbridgeu3a.co.uk or chess@edenbridgeu3a.co.uk. These are to be found generally on the Contact Us Page, individual group pages and the Study Group Contact List. These emails are used only to forward to personal emails and have the advantage of not revealing personal addresses, which should cut down on unwanted Spam emails. This is only available for Group Contacts and the Committee and the forwarding ceases if he/she does not carry on the role. It should be noted, however, that this is only a forwarding address and the personal email will be revealed once a reply is made. Replies can be made as normal by pressing REPLY.

  • We have in place the security safeguard Secure Sockets Layer (SSL) encryption, which creates a secure connection with your browser when you visit the website.

When you visit the website, you will see: -

Please note the “s” in https://, which stands for “secure”, provided by our Domain Name Provider, or: -

Please note the word “SECURE”.

  • Cookies on the Website: - A cookie is a small text file that is downloaded onto a computer, tablet or smartphone when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. Edenbridge U3A uses cookies on its website (www.edenbridgeu3a.com) in order to monitor and record the number of visitors and page views of the website. This gives us a useful insight into how users as a whole are engaging with the website. We have placed a pop-up box on the website that will activate each new time a user visits the website. This will allow them to click to consent (or not) to continuing with cookies enabled, or to ignore the message and continue browsing (i.e. giving their implied consent).
  • External Links: - Whilst we take great care to verify the security of any external links in the best interest of our members, please be aware that if these are accessed you will no longer be within the Edenbridge U3A domain and this policy will no longer be applicable.
  • Photographs / video on the website: - To make our website as interesting and informative as possible, we include photographs taken by members which may include other members. Should any member object to a photograph being included on the website, please contact the website administrator and it will be removed immediately and without question.
  • Copyright Notice: - We make every effort on our website to ensure that we only use our own images or copyright-free images and clipart. Where members have sent photographs which they have taken themselves for inclusion on the website, it is assumed that they give permission for them to be uploaded. Should anyone become aware of our unintentional infringement of copyright, please contact us at admin@edenbridgeu3a.co.uk and the item will be removed immediately and without question.

Availability and changes to this policy
This policy is available: -

  • On the Edenbridge U3A website under “Data Protection and Privacy Policy” from the main menus on the Home Page and News Page.
  • In a downloadable PDF format from the same pages on the website.
  • By request in writing or email from the Membership Secretary at membership@edenbridgeu3a.co.uk.

This policy may change from time to time. If we make any material changes, we will make members aware of this via the Monthly Email Newsletter and the Monthly Members' Meetings.

Contact
If you have any queries about this policy, need it in an alternative format, or have any complaints about our privacy practices, please contact us: -

Policy review date: February 2018

2. Privacy Advice

The internet is a wonderful resource for sharing information, finding things out and indeed learning. At Edenbridge U3A, we work hard to keep you informed of what is going on, what has happened and what is in the pipeline for future events. All of this is done through our website.
The internet, however, can also create some issues of privacy and we would prefer that you are not affected by these. We have put together some advice to try to help you with this so that you can maintain your privacy.

Emails
  • Keeping Emails Private: Most of our communication is done by email. We send you an email once or twice a month if you are on our email list, informing you of future events and what we think you would want to know about. Group contacts send emails to people in their groups. It’s the fastest way of communicating to a few people and provides a record of what has been said. However, if we do not take adequate precautions, the email addresses of those we send to can be seen by others. You may not want this. In the majority of cases this is not a problem as you trust the people you receive from. When we send the Monthly Newsletter Emails to our members, we do not reveal the email addresses of anyone other than your own. If you want to do this for your group, especially large ones, there is an explanation in EMAILS AND SPAM ADVICE in the tabs on the HOME PAGE.
  • Monthly Newsletter Emails: If you receive our emails regularly and no longer wish to do so, simply send us an email with UNSUBSCRIBE in the Subject Line and we will remove your address. If you are not receiving emails and wish to do so, please contact admin@edenbridgeu3a.co.uk
  • Reply to all: In most cases, small groups opt to share email addresses and everyone is happy with this as you may wish to contact individuals for whatever reason. However, you should consider when you reply to an email whether everyone needs to know what you are saying, especially in large groups. If, for example, you are given information about an event and the Group Contact asks you to reply to say whether you are going or not, ask yourself if everyone needs to know. It’s better in this case that you just REPLY to the sender who will note your response rather than using REPLY TO ALL and everyone in the group receiving unnecessary emails.
  • Dedicated Email Addresses: You can, of course, unclutter your personal email inbox by having a dedicated email address just for U3A and/or other hobbies etc. However, we would ask you not to include Edenbridge U3A in its title (except for Group Contacts) as this may be confused with our official emails. This is particularly useful for Group Contacts of large groups who may receive a lot of emails and want to keep them separate from their personal account. One or two of our Contacts have done this, e.g. edenbridgeu3atheatre@gmail.com
  • Email addresses on the website: The only email addresses on the website are those of the Committee and Group Contacts. You will notice that all the Committee and all Group Contacts have an “@edenbridgeu3a.co.uk” email address. This is simply a forwarding address to personal accounts but does not reveal the personal accounts which we wish to keep personal. This is only available for Group Contacts and the Committee and the forwarding ceases if he/she does not carry on the role. It should be noted, however, that this is only a forwarding address and your personal email will be revealed once you reply. You can reply as normal by pressing REPLY.
  • What happens if you don’t use email: - We understand that not everyone wishes or is able to use email. This is your choice. However, as the U3A grows, it is becoming increasingly difficult for us to telephone everyone who does not use email about future events. We will try but we are all volunteers. You can help us by trying to agree an “email partner” (a friend or another member who uses email) – to keep you informed about what is going on. Perhaps you can give them a ring from time to time to remind them.

Telephone

Telephoning others: We ask you to be considerate about the time you telephone others.

Telephone numbers on the website: We discourage this as much as possible in order to avoid nuisance calls, although these are very rare. It is no less safe than being in a directory which is accessible to all, but we know that some people prefer to be ex-directory. If you choose to have your telephone number on the website, it is done so entirely at your own risk. This is particularly important for those who do not use email. Please keep the Groups Coordinator (groups@edenbridgeu3a.co.uk) informed of your preference in this area.

If you feel you need to contact anyone about any of the above, please email the Website Administrator at admin@edenbridgeu3a.co.uk.


Policy review date: February 2018


3. General Principles and Advice for Committee Members

Guidelines for Committee Members and Group Contacts
  • The only people able to access data covered by this policy should be those who need to communicate with or provide a service to the members of the U3A.
  • Data should not be shared informally or outside of the U3A.
  • The U3A will provide training to Committee Members and Group Contacts to help them understand their responsibilities when handling personal data.
  • Committee Members and Group Contacts should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used and they should never be shared.
  • Personal data should not be shared outside of the U3A unless with prior consent and/or for specific and agreed reasons.
  • Member information should be reviewed and consent refreshed periodically via the membership renewal process or when policy is changed.

Data protection principles
The General Data Protection Regulation identifies 8 data protection principles.

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner.

Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.

Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.

Principle 6 - Personal data must be processed in accordance with the individuals’ rights.

Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 8 - Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.

Lawful, fair and transparent data processing
The U3A requests personal information from potential members and members for the purpose of sending communications about their involvement with the U3A. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. Members will be asked to provide consent for their data to be held and a record of this consent along with member information will be securely held. U3A members will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once a U3A member requests not to receive certain communications this will be acted upon promptly and the member will be informed as to when the action has been taken. See Appendix One below.

Processed for Specified, Explicit and Legitimate Purposes
Members will be informed as to how their information will be used and the Committee of the U3A will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
  • Communicating with members about the U3A’s events and activities
  • Group contacts communicating with their group members about specific group activities.
  • Adding members' details to the direct mailing information for the Third Age Trust magazines – Third Age Matters and Sources.
  • Sending members information about Third Age Trust events and activities.
  • Communicating with members about their membership and/or renewal of their membership.
  • Communicating with members about specific issues that may have arisen during the course of their membership.

The U3A will ensure that group contacts are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending U3A members marketing and/or promotional materials from external service providers.

The U3A will ensure that members' information is managed in such a way as to not infringe an individual member's rights, which include:
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.

Adequate, Relevant and Limited Data Processing
Members of the U3A will only be asked to provide information that is relevant for membership purposes. This will include: -

  • Name
  • Home address
  • Email address (if you have one)
  • Telephone numbers (Home and Mobile as appropriate)
  • Your Group Preferences

Where additional information may be required, such as health-related information, this will be obtained with the specific consent of the member who will be informed as to why this information is required and the purpose that it will be used for.

Where the U3A organises a trip that requires next of kin information to be provided, the U3A will require the member to gain consent from the identified next of kin. The consent will provide permission for the information to be held for the purpose of supporting and safeguarding the member in question. Were this information to be needed as a one off for a particular trip or event then the information will be deleted once that event or trip has taken place unless it was to be required – with agreement – for a longer purpose. The same would apply to carers who may attend either a one-off event or on an ongoing basis to support a U3A member with the agreement of the U3A.

There may be occasional instances where a member's data needs to be shared with a third party due to an accident or incident involving statutory authorities. In these instances, where it is in the best interests of the member or the U3A and the U3A has a substantiated concern, consent does not have to be sought from the member.

Accuracy of Data and Keeping Data up to Date
The U3A has a responsibility to ensure members' information is kept up to date. Members will be informed to let the membership secretary know if any of their personal information changes. In addition, on an annual basis the membership renewal forms will provide an opportunity for members to resubmit their personal information and reconfirm their consent for the U3A to communicate with them.

Accountability and Governance
The U3A Committee are responsible for ensuring that the U3A remains compliant with data protection requirements and can evidence that it has. For this purpose, those from whom data is required will be asked to provide written consent. The evidence of this consent will then be securely held as evidence of compliance. The U3A Committee shall ensure that new members joining the Committee receive an induction into how data protection is managed within the U3A and the reasons for this. Committee Members shall also stay up to date with guidance and practice within the U3A movement and shall seek additional input from the Third Age Trust National Office should any uncertainties arise. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held.

Secure Processing
The committee members of the U3A have a responsibility to ensure that data is both securely held and processed. This will include:
  • Committee members using strong passwords.
  • Committee members not sharing passwords.
  • Restricting access to, and sharing of, member information to those on the Committee who need to communicate with members on a regular basis.
  • Using password protection on laptops and PCs that contain or access personal information.
  • Using password protection or secure cloud systems when sharing data between committee members and/or group contacts.
  • Paying for firewall security to be put onto Committee Members' laptops or other devices where the device is for the sole use of the U3A.

Subject Access Request
U3A members are entitled to request access to the information that is held by the U3A. The request needs to be received in the form of a written request to the Membership Secretary of the U3A. On receipt of the request, the request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances as to why the request cannot be granted. The U3A will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.

Data Breach Notification
Were a data breach to occur, action shall be taken to minimise the harm by ensuring all committee members are aware that a breach had taken place and how the breach had occurred. The committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The Chair of the U3A shall contact National Office within 24 hours of the breach occurring to notify them of the breach. A discussion would take place between the Chair and National Office as to the seriousness of the breach, action to be taken and, where necessary, the Information Commissioner's Office would be notified. The committee shall also contact the relevant U3A members to inform them of the data breach and actions taken to resolve the breach.

If a U3A member contacts the U3A to say that they feel that there has been a breach by the U3A, a committee member will ask the member to provide an outline of their concerns. If the initial contact is by telephone, the committee member will ask the U3A member to follow this up with an email or a letter detailing their concern. The concern will then be investigated by members of the committee who are not in any way implicated in the breach. Where the committee needs support or if the breach is serious they should notify National Office. The U3A member should also be informed that they can report their concerns to National Office if they don't feel satisfied with the response from the U3A. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

Policy review date: February 2018

Appendix One

PRIVACY STATEMENT INCLUDED IN APPLICATION FORM AND RENEWAL FORM

Edenbridge U3A Data Protection Agreement

You are being asked to complete this form in order that Edenbridge U3A complies with the law as outlined in the General Data Protection Regulation (GDPR) May 2018. If for any reason you feel unable to tick any of the boxes below, please cross out the area with which you do not agree. It is advisable that, prior to making the decision to delete an area, you read the Data Protection and Privacy Policy on the Edenbridge U3A website and / or discuss the matter with a member of the committee so that you will be fully informed of the implications of your choice.

Please tick the box below to give us permission to use the information you have supplied in the following ways:
  • To store it securely for membership purposes.
  • To communicate with you as a U3A member.
  • To share with group leaders for those groups that you are a member of.
  • To send you general information about the Third Age Trust (the national organisation to which U3As are affiliated).

[ ] I consent to my data being used for membership purposes as detailed above.

Are you happy to be added to the direct mailing list for the Third Age Trust magazines – Third Age Matters and Sources? If so, please tick the box below:

[ ] I consent to my data being shared with the company who oversee the distribution of the Trust Magazines.

[ ] I am aware that there are full details of the Privacy and Data Protection Policy on the website and it is available in writing from the Membership Secretary membership@edenbridgeu3a.co.uk

[ ] I consent to being included in photographs / video being taken and used on the Edenbridge U3A website and understand that if I wish any such photograph / video of myself to be removed, it will be deleted without question by contacting the website administrator on admin@edenbridgeu3a.co.uk (Please see section on SECURITY ON THE EDENBRIDGE U3A WEBSITE in the Data Protection and Privacy Policy for further details.)

Signed ____________________________   Date ____________________

Please be advised that you can request for your data not to be used for any of these purposes at any time by contacting us:


The Edenbridge U3A Privacy and Data Protection Policy was approved and adopted by the Executive Committee on 27th March 2018.