Data Protection Act 2018 and General Data Protection Regulation (GDPR)

The Data Protection Act 2018 achieved  Royal Assent on 23rd May 2018 and is the UK’s implementation of GDPR.  The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and GDPR. The Derbyshire Archaeological Society (DAS) takes its responsibility of protecting your personal data seriously and to comply with all these regulations the Society must obtain your consent to collect and use your personal information. 

The Society will only use your Personal Data for the administration and operation of the Society and will not pass, sell or otherwise, any of your Personal Data to any person, company, business or other entity outside of the Society unless it obtains explicit permission from you (except anonymously for data analysis purposes).

The Society has produced a General Data Protection Regulation Policy and a copy of the policy is provided below.

Data Protection Policy: Derbyshire Archaeological Society

1.    Definitions

1.1   Personal data is information about a person which is identifiable as being about them. It can be stored electronically or on paper, and includes images and audio  recordings as well as written information.

1.2   Data protection is about how we, as an organisation, ensure we protect the rights and privacy of individuals, and comply with the law, when collecting, storing, using, amending, sharing, destroying or  deleting personal data.

2.    Responsibility

2.1.  Overall and final responsibility for data protection lies with the DAS Council, who are responsible for overseeing activities and ensuring this policy is  upheld.

2.2.  All Society members are responsible for observing this policy, and related procedures, in all areas of their work for the Society.

3.    Overall policy statement

3.1   Derbyshire Archaeological Society needs to keep personal data about its Council membersand ordinary members in order to carry out Society activities.

3.2.  We will collect, store, use, amend, share, destroy or delete personal data only in ways which protect people’s privacy and comply with the General Data Protection Regulation (GDPR) and other relevant legislation.

3.3   We will only collect, store and use the minimum amount of data that we need for clear purposes, and will not collect, store or use data we do not need.

3.4   We will only collect, store and use data for:

• purposes for which the individual has given explicit consent, or
• purposes that are in the Society’s legitimate interests, or
• contracts with the individual whose data it is, or
• to comply with legal obligations, or
• to protect someone’s life, or
• to perform public tasks.

3.5   We will provide individuals with details of the data we have about them when requested by the relevant individual.

3.6   We will delete data if requested by the relevant individual, unless we need to keep it for legal reasons.

3.7   We will endeavour to keep personal data up-to-date and accurate.

3.8   We will store personal data securely.

3.9   We will keep clear records of the purposes of collecting and holding specific data, to ensure it is only used for these purposes.

3.10 We will not share personal data with third parties without the explicit consent of the relevant individual, unless legally required to do so.

3.11 We will endeavour not to have data breaches. In the event of a data breach, we will endeavour to rectify the breach by getting any lost or shared data back. We will evaluate our processes and understand how to avoid it happening again. Serious data breaches which may risk someone’s personal rights or freedoms will be  reported to the Information Commissioner’s Office within 72 hours, and to the individual concerned.

3.12 To uphold this policy, we will maintain a set of data protection procedures for our members to follow.

4.    Review

This policy will be reviewed every two years.

Data Protection Procedures

1.    Introduction

1.1   The Derbyshire Archaeological Society has a data protection policy which is reviewed regularly. In order to help us uphold the policy, we have created the following procedures which outline ways in which we collect, store, use, amend, share, destroy and delete personal data.

1.2   These procedures cover the main, regular ways we collect and use personal data. We may from time to time collect and use data in ways not covered here. In these cases we will ensure our Data  Protection Policy is upheld.

2.    General procedures

2.1   Data will be stored securely. When it is stored electronically, it will be kept in password protected files. When it is stored online in a third party website (e.g. One Drive) we will ensure the third party comply with the GDPR. When it is stored on paper it will be filed carefully in a locked filing cabinet.

2.2   When we no longer need data, or when someone has asked for their data to be deleted, it will be deleted securely. We will ensure that data is permanently deleted from computers, and that paper data is shredded.

2.3   We will keep records of consent given for us to collect, use and store data. These records will be stored securely.

3.    Mailing list

3.1   We will maintain a mailing list. This will include the names and contact details of people who wish to receive publicity from the Society.

3.2.  When people sign up to the list we will explain how their details will be used, how they will be stored, and that they may ask to be removed from the list at any time. We will ask them to give separate consent to receive publicity, and will only send them messages which they have expressly consented to receive.

3.3   We will not use the mailing list in any way that the individuals on it have not consented to.

3.4   We will provide information about how to be removed from the list with every mailing.

3.5   Access to the mailing list will be strictly controlled and will be restricted to three officers – Honorary Treasurer, Membership Secretary and the Newsletter Editor.

4.    Contacting members

4.1   The membership of the Society is spread across Derbyshire, other UK counties, the EU and the USA.

4.2   We will maintain a list of contact details for all members.

4.3   Members will be removed from the list if they have not renewed and paid their annual subscription within six months of the due date (1st January each year).

4.4   When contacting members on this list, we will provide a privacy notice which explains why we have their information, what we are using it for, how long we will keep it, and that they can ask to have it  deleted or amended at any time by contacting the Society.

4.5   To allow members to organise events for the Society, it is sometimes necessary to share member contact details with other members. We will only do this with consent.

5.    Contacting Council members

5.1   The Council need to be in contact with one another in order to run the Society effectively and ensure its legal obligations are met.

5.2   Council member contact details will be shared among the Council.

5.3.  Council members will not share each other’s contact details with anyone outside of the Council, or use them for anything other than Derbyshire Archaeological Society business, without consent.

6.    Review

These procedures will be reviewed every two years.