ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ②
+++ DRAFT ONLY: SUBJECT TO COMMITTEE DISCUSSION & AGREEMENT +++
Q. HOW does the Policy impact AVSFHG and how do we implement it?
RELEVANCE TO AVSFHG
Obviously the foregoing affects how AVSFHG processes members' data. The data we hold primarily surrounds their membership and the access to reduced event-entry fees that it gives them, but can spill over for some of our members into specialised areas such as fieldwork — and family-tree tracing performed for people other than themselves.
The Group's prime interest is in "family history", as indeed its own name suggests. Fortunately for us, processing of personal data by a natural person in the course of a purely personal or household activity is not affected by the new Regulation.
IMPLEMENTATION WITHIN AVSFHG
"Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller." In our case, therefore, the "data controller" is embodied in the Committee, whose members at any particular time are responsible jointly and individually for ensuring compliance.
The Committee "will be responsible as data controller for ensuring that the records are held securely. It should undertake the necessary risk assessments. This means documenting the path of the data as it enters and leaves the society's control and assessing the risk of a data security breach — accidental loss, destruction or damage — at each stage."
The "data processors" (or "information officers" as we prefer to call them) are limited to four specific posts within the Committee, namely the Secretary, the Membership Secretary, the Newsletter Editor and the Publicity Officer. Currently, the latter two posts are held by the same person. The individuals occupying those posts at any particular time are indicated on the AVSFHG "Contact us" webpage, with a letter "ℹ︎" denoting an "information officer". Only those persons are privy to members' data.
There is also an implicit need for the Auditor, who will not be a Committee member or indeed may not even be an AVSFHG member at all, to be able to perform the annual audit to ensure compliance with a legal obligation.
INFORMATION THAT WE HOLD AND ITS INTERNAL COMMUNICATION
New (but not relocated or deleted) text at Version 1.4 will remain shown in red until any next version is published and for at least six months.
THIS VERSION 1.4 IS IN DRAFT AWAITING AMENDMENT AND FORMAL ADOPTION BY COMMITTEE ON 15th OCTOBER
CHANGES IN VERSION 1.4 (dated 15th October 2018): All changes are within the Section on "Information that we hold and its internal communication" on page ② —
— Definition of "traditional" members as "paid-up" to differentiate them from members of the Facebook group, for whom there are no subscription fees;
— Expansion of the list of "areas of data that we might hold" from ten to 16, so as to include: listing of new Members' names in the Newsletter, the internal list of "Contact Details for AVSFHG Committee", Speakers' contact details, the "Members' Interest Register", the "AVSFHG Facebook Group Surname Interests" list, our overseas-communication arrangements and the list of borrowers of Help Centre resources [none of these changes are deemed of day-to-day significance to most members];
— Reordering and renumbering of the "areas of data" to a more consistent order;
— Text additions, changes and moves resulting from the above; addition of paragraph-numbering to tie up with each of the "areas of data".
All these changes were adopted at the Committee meeting this day.
THIS TO FOLLOW ➡︎ The previous version (1.3) of page ② can be seen here [hyperlink]. FOR ICO AUDIT PURPOSES
Essentially, there are
ten 17 areas of data that we might hold —
1. Paid-up Membership data, comprising name, and email or (exceptionally) home address;
2. Listing of new paid-up Members' names in the Newsletter;
3. Membership data of ex-members who haven’t renewed their subscription;
4. Committee members' contact details displayed on the website and/or listed in the Newsletter;
5. Internal List of "Contact Details for AVSFHG Committee" (circulated confidentially);
6. Help Centre rotas of volunteers on duty
(public versions show surname as initial only);
7. Publicity Officer's mailing list
(of media and local organisations with an interest in history, culled from the public domain);
8. Speakers' Contact Details;
9. Mailing list of people who have indicated a wish to be kept in touch with our activities;
10. "Members' Interest Register";
11. "AVSFHG Facebook Group Surname Interests" list (via Closed Group);
12. Family research contracts, though none are in progress just now;
13. Notes made during similar ad-hoc searches for those attending the Help Centre or who have enquired from out-of-area via email;
14. Fieldwork data, though no fieldwork is in progress just now;
15. Historic reports on the database about fieldwork, events and talks;
16. Overseas Communications (only rare emailed family-history enquiries occur);
17. List of borrowers of Help Centre resources
[this paragraph moved] Between the ex-officio information officers identified in the "Implementation" Section above, information is transferred using the paper forms, which are subsequently filed away in lockable cabinets. Electronic files are password-protected, periodically validated, and superfluous or obsolete data removed. The Treasurer is not one of those officers.
1. The existing internal procedures already mean that the Treasurer has no "need to know" members' identities. The banking of cash sums by the Membership Secretary is depersonalised, even if it relates only to one member. One exception is when an individual pays their membership fee by electronic transfer direct into the AVSFHG bank account, rather than in cash, as is more normal — it is deemed that the payer, by opting to use that alternative payment method, has implicitly agreed to disclosure of their identity for purposes of correctly linking their payment back to them. Another exception, of course, is the receipt of personal donations to the Group.
2. The listing of new paid-up Members' names in the Newsletter ceased after No.39, the issue for January 2018.
3. Details of expired memberships will be deleted after six months, around July of each year.
[THIS PARAGRAPH MOVED UP TO TOP OF SECTION] Between the ex-officio …
4. Incoming Committee members are to be asked what contact details they are willing to have displayed on the website and/or in the Newsletter. Those already in post have each completed and signed the Consent Form.
5. [NEW PARAGRAPH] It is agreed that the internal list of "Contact Details for AVSFHG Committee" continues to be maintained and circulated privately by the Secretary to assist the smooth, timely and reactive running of the Committee between meetings (such as with the countersigning of payment cheques), and we consider that no process change is necessary.
6. [NEW PARAGRAPH] The quarterly Help-Centre rotas of Volunteers on duty are only circulated internally to those directly involved. They now show just first names (plus surname initials where necessary) and personal phone numbers. ?The redacted names-only version, for access from the "Help Centre" webpage, will no longer be produced.
[THIS PARAGRAPH MOVED DOWN] 12. Similarly, robust ... family-search contract is offered to us.
7. The media and those local organisations with an interest in history, who receive the Publicity Officer's news bulletins, are culled from the public domain and are routinely asked if they prefer not to be circulated.
8. [NEW PARAGRAPH] A scan of each "Speaker's Receipt & Consent Form", which contains their name and address, is kept by the Treasurer for audit purposes. In the unlikely event that the Webmaster has to remove any personal data from the website for which consent has been denied on the form, that is done as promptly as possible. Then, the original is passed to the Publicity Officer for any further action, and filing.
Similarly, the ex-members, and Those on the mailing-list of interested people were circulated during Spring 2018 for their continued consent to our holding their personal data, or they would be removed from our mailing lists. They will be circulated again ???HOW OFTEN???.
10/11. [NEW PARAGRAPH] Any paid-up member may volunteer their own personal family history data for inclusion on the "Members' Interest" Register, [is this true?➡︎] which is in the public domain. Also, members of the Facebook group (established in March 2018 when the imminence of GDPR was already well known) can do the same for posting on the online "AVSFHG Facebook Group Surname Interests" list, which any of the closed-group members can read: the list is maintained only by the Facebook Administrator.
[NEW PARAGRAPH] It is deemed that both classes have implicitly given consent to our holding that offered personal data, so that each of the mutual registers can operate as intended, aiding the applicants' personal family-history searches. It is of note that even those who are not paid-up members of the main Group — or, indeed, perhaps never have been — may request insertions on [true?➡︎] either/both lists and/or subscribe to the Facebook Group.
[NEW PARAGRAPH] ?In January (or soon after) each year, paid-up Members will be re-confirmed at the time of membership renewal, and Facebook-Group Members will be reminded via Facebook, to monitor their continued appearance in their respective interest-lists.
12. [TEXT FROM ABOVE=] Similarly, robust documentary mechanisms will be put in place when the next family-search contract is offered to us.
13-15. We maintain that the purpose of the Group, as indeed its name implies, is to build up a corpus of knowledge and not simply discard it. This is the express aim of our fieldwork, and to deliberately dispose of reports on our talks would represent a discourtesy to our speakers.
Digital copies of "family history" data will be stored indefinitely. It is in the nature of genealogy that those with an interest may wish to revisit at some future date the services that we provide, and at that time a copy of knowledge collected should be available. Related email communications will be held for a year after the completion of any research, to provide continuity of service in the event of subsequent query or a request for further research. Email communications for potential clients will be retained for a similar period.
16. We currently have no overseas communications, whether within or outside the EU. Processes will be put in place should this situation change.
17. The list of borrowers of Help Centre resources, such as reference books and CD's, is maintained to protect the Group's assets.
*** DON'T FORGET TO AMEND VERSION NUMBER AT THE TOP OF PAGE ④ ***
NEXT: ➡︎ WHO does what?