DEREHAM & DISTRICT PROBUS CLUB

Est. 1976

 

C. DATA PROTECTION ASSESSMENT

 

Need for an Assessment:

 

Dereham & District Probus Club (the Club) uses personal data of its members to facilitate club administration.
The lawful basis for processing this data is that the member has given consent to the processing for one or more specific purposes.
The purpose of this assessment is to determine that processing of this data complies with the General Data Protection Regulation.

Data collection & use:


Successful applicants are required to complete the Club member application form; the data extracted from this form is included on the Club database of current members.

 

The personal information required comprises:

 

Surname,
Forenames,
Name the member is normally addressed by,
Partner’s name,
Next of kin if not partner,
Address,
Postcode,
How long at current address,
Home Telephone Number,
Mobile Telephone Number,
E-mail address,
Details of previous Probus membership,
Profession prior to retirement/semi-retirement,
And any other information voluntarily provided or permitted by the member during his period of membership.

 

The Club does not obtain personal data from other outside sources or third parties, nor does it share any of the data with anyone other than club members.
The collected data is held by the Club Honorary Secretary, in the form of the original application, a) filed as a “hard copy” and b) in a database, held on a passworded memory stick.
The data is used to compile an annual directory of “Elected Officers & Members” which is only issued to current club members.
This contains:

 

Full name
Nickname if any
Partner’s name
Address
Telephone number
E-mail address

 

For the purposes of this Regulation, the Club Honorary Secretary is the data controller.

 

The club uses the information for:

 

Dealing with requests and enquiries,
Contacting members by post, telephone or email for reasons related to Club membership and business,
To produce the directory of “Elected Officers & Members” as described above and which is available to Club members only,
To notify members of matters relating to the management of the Club’s activities, all meetings, or any changes to the Club’s Constitution or Rules,
To notify members of issues pertaining to Members’ welfare,
To invite members to make nominations to the Club Committee,
To facilitate the organisation of functions and the notification thereof to Club members,

To provide information to members upon the Club's Website, 
And to maintain the Club’s archives
The data is the minimal amount required for the administration of the club to function as indicated above.
Each individual member’s personal data will be held for the duration of their membership, unless the member withdraws consent, in which case it will be retained until the following AGM.
No special category of data (e.g. criminal offence data) is sought, nor is it considered relevant.

There is no requirement to request or process any information relating to children.

The maximum number of members concerned will not exceed 40 at any time & all live locally to Dereham.
The directory of “Elected Officers and Members” gives any member access to other members’ information, but only to the extent described in the directory, in order that they may contact one another.


Risks to individuals:


The Club holds no information which in any form could be used to incriminate an individual member nor is that data of any commercial value.
Some of the data the Club holds can be obtained from the Electoral Register & National Census records.
Personal data breaches might include:
Access by an unauthorised third party - very low risk since the data is securely held by the secretary.
Deliberate or accidental action (or inaction) by controller or processor - very low because the processes are limited in their action, relating to the persons whose data has been collected.
Sending personal data to an incorrect recipient - very low, as all recipients already have much of the data held in their copy of the club directory.
Computing devices containing personal data being lost or stolen - medium risk. The computer is the secretary’s personal property and is held at his home; however, the personal data is held in an encrypted file.
Alteration of personal data without permission - low risk as there is no advantage in doing so.
Loss of availability of personal data - low risk, computer held files backed up by paper files.


Compliance with 'Consent':

 

We have checked that consent is the most appropriate lawful basis for processing. 
We have made the request for consent prominent and separate from our terms and conditions. 
We ask people to positively opt in. 
We don’t use pre-ticked boxes, or any other type of consent by default. 
We use clear, plain language that is easy to understand.
We specify why we want the data and what we’re going to do with it. 

We have named our organisation and any third parties.
We tell individuals they can withdraw their consent.
We ensure that the individual can refuse to consent without detriment.
We don’t make consent a precondition of a service.
We keep a record of when and how we got consent from the individual.
We keep a record of exactly what they were told at the time.

 

Managing Consent:

 

We regularly review consents to check that the relationship, the processing and the purposes have not changed.
We have processes in place to refresh consent at appropriate intervals.
We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
We act on withdrawals of consent as soon as we can.
We don’t penalise individuals who wish to withdraw consent.