Lancaster Photographic Society is a voluntary organisation existing for the shared interests of its members, and is a ‘Data Controller’ within the UK, subject to the Data Protection Act 2018. All persons whose ‘Personal Data’ are collected and stored are ‘Data Subjects’.The changes in this new Act have no new implications for the Society Protection of Vulnerable Individuals Policy. The Society upholds the following principles:

Summary of Principles:

• The Controller must keep all Personal Data secure, but also available for the relevant purposes.
• The Controller must respect the rights of Data Subjects, including the right of access.

Provisions:

Scope:

The Society may manage and process data relating to members of the Society and to other individuals with whom the Society needs to be in contact, such as editors of local magazines, for the publication of Society events.

Information considered sensitive may only be stored on the Society website in a password-protected area.

Compliance:

In the absence of a requirement to notify the Information Commissioner (a practice abolished by the Digital Economy Act 2018), a new and important requirement is for the Club to demonstrate its compliance with the principles enshrined in the EU General Data Protection Regulations as incorporated into the 2018 Act. This is by

1. publishing its Policy and outlining its scope and purpose, and
2. reviewing and documenting its compliance with its own Policy.

This Policy recognizes its need to meet the first of the rights of all Data Subjects: to be informed. Strict measures must be taken to ensure the accuracy and safe-keeping of the data maintained and processed. This is particularly applicable where emails are sent to the membership. Whilst it is acceptable for all email addresses to be visible when messages are restricted to Committee members, to enable sharing of replies, it is essential that messages sent to the whole membership are sent as ‘blind copies’ (BCC).

Voluntary Officers:

The Society should designate one or more persons to be responsible for ensuring the accuracy and safe keeping of the data held by the Society. This is currently the Society Membership Secretary (primary), Chairman and Treasurer, who have access to the Society's email address and database, and the Webmaster for the Society’s website. Additionally the Competition Secretaries should have the consent of members whose images are entered into Inter-Club competitions. No person acting as Data Controller on behalf of the Society may transfer or share any data with another Data Controller body for whom he/she also has responsibility.

Lawful Purpose:

Of the six lawful purposes for processing Personal Data, those relevant to this Society are Consent, Contract and/or Legitimate interests. The Club should inform its members about the requirement to hold personal data without needing explicit consent – this being valid within a published policy.

The data stored must be relevant to the relationship the individual has with the Society - normally

• Name (including any photographic affiliations, awards or achievements),
• Address,
• Telephone number,
• Email address
• Competition information about image titles and scores, members’ information voluntarily offered about photographic equipment and interests, and any other information necessary for the running of the Society. The Society must delete the information concerning an individual within a reasonable period of time, once the relationship between that individual and the Society comes to an end. To this end it has been deemed to be acceptable to retain members’ details on a “Past Members” list and to remove those details once a former member specifically requests this. The Society deems it important also to retain historical records such as programmes and award winners.

Consent via a Third Party:

Data can be passed to other organisations, such as the Lancashire and Cheshire Photographic Union , PAGB, provided it has the consent of the individual, usually obtained when the individual fills out a membership form. This would normally be restricted to Committee posts (relevant to the needs of the above organisations), and to inter-Club Competition images and authors. The Lancashire and Cheshire Photographic Union and PAGB make commitments in their Data-Protection Policies to uphold these principles.

Subject Access:

The Society is obliged to respond readily to a written request from an individual to provide the information that is held pertaining to that individual, without giving a reason. It should also respond to request for rectification of incorrect details. Importantly, the ‘right to be forgotten’ (ie have all personal data erased) is not automatic, and would not apply within the circumstances outlined in this document in relation to electronic marketing. Also the Society must comply immediately with an individual’s request to receive no further emails. It should be made known to Data Subjects that they have a right to complain to the Information Commissioner over any issue relating to the Club’s operation of this policy.

Electronic Marketing:

This does not come within the scope of the Data Protection Act. However, a member is entitled to withdraw consent to the offer of goods and services from outside the Society. And the Society must not make their membership contacts’ information available for electronic marketing. General advertising – such as a pile of leaflets advertising an event - does not come under this.