GDPR and the Data Protection Act

Some notes on GDPR and the Data Protection Act 2018

Here is our understanding of the impact of the General Data Protection Regulations (GDPR) on Morris teams (“sides”) that are members of the Morris Federation.  This is not intended to be formal advice, merely notes on the topic using material gleaned from the Information Commissioner’s Office (http://ico.org.uk).  Readers should be familiar with the Data Protection principles and legislation which are not further explained here. You remain responsible for your side’s conformance with the law and must make your own decisions to suit your own circumstances.  

GDPR has been implemented by a new Data Protection Act (DPA2018). Under the Act, organisations must understand and document the lawful basis on which they process personal data and be accountable for the decisions they make around the use of that data.  This is now UK law and so will not be affected by Brexit.

You need to obey the fundamental principles to protect personal data “by design and by default” (i.e. keep only what you need, keep it only for as long as it is needed, keep it private).

These notes assume the side does nothing more than would be usual for a Morris side with a known membership, and that the only personal data held and used are the side’s members’ contact details.  You should seek proper advice if you hold personal data above and beyond this. GDPR also introduces new obligations concerning the personal data of children. If you have children in the team – particularly if their parents are not also members – then you should take additional advice.

Otherwise, since the personal data belongs to your members, this is a matter for discussion with them.

Matters to discuss

Matters which your membership might discuss could include:

Lawful basis

What is the lawful basis which permits the team’s officers to collect and use personal data about members?

In most cases this will be because the officers need the members’ personal data to perform tasks that members expect in running the team.  This is “processing necessary for the performance of a contract” and/or “the legitimate interest of the organisation”, either of which allows use of personal data without separate consent.

It is, however, courteous to seek consent to obtain and use members’ personal data. But note that consent may be withdrawn at any time, so you should identify any personal data that is required to run the team successfully – and the use to which it will be put – even if that consent is withdrawn.

Data collected

What personal data is/should be collected and what will it be used for?

Distinguish between “data necessary for the effective running of the team” (name, subs paid, maybe email?) and “personal data provided voluntarily” (e.g. address to allow car sharing or month/day of birth to send team birthday cards).  The voluntary data is almost always for intra-member use – e.g. maintaining an address list shared with the membership allows members to contact each other more easily.

You need to be sure that the use you have in mind actually does require you to hold the personal data in order to achieve it!  In general you should only keep data essential to the processing identified.  

Review the data you hold and delete anything that is not essential for the identified use(s).  Better still, don’t collect it in the first place! E.g. Even if you have an “over-18” membership rule, you don’t need to keep dates of birth as membership information:  you can keep a record that they have proved they are over-18 on joining, you do not need to keep the personal data itself.  

Responsible persons

Who should members contact if they want to check the data held, and/or correct it, and/or ask for it to be deleted?

Obviously, it’s in the team’s interests that the data held is accurate and up to date, so make it easy.

Note that you are probably entitled to refuse to delete specific data items essential for your functioning but only for as long as it remains essential. If someone resigns their membership and asks you to delete their data, you need to have a very good reason to keep it against their wishes. Indeed, you need to have a very good reason to keep it at all once all the paperwork has been sorted.

You can, however, maintain the minimum data necessary for legitimate archival purposes (e.g. names of dancers recorded in your scrapbook).  However, you don’t need to keep all their personal details for that purpose, so don’t keep old address lists, for instance. 

Storage and security

Where the data will be stored and what security arrangements apply?

The team should consider the risk of loss (accidental deletion), or damage (incorrect edits, partial loss), as well as theft.  In practice, the impact of loss and damage is likely to be minimal – you can reconstruct the list from scratch simply by asking members to provide the data again.

The consequences of theft (i.e. the data is published somewhere or falls into unfriendly hands) should be discussed with the team.  Would it be simply inconvenient (or embarrassing to be outed as a Morris Dancer!) or could real damage be caused?

Your members must be happy with the arrangements made, but you are only obliged to take reasonable steps, not try the impossible or impractical. Review the advice given under “Security” on the ICO website.

Note

This is not a full list of possible discussion points. Team officers should review the GDPR guidance on the ICO website in full to see what else (if anything) needs to be considered.


FAQ

Q1. Privacy Policy – do we need one?

Yes, in that you need to have some record of what has been agreed regarding the storage and use of personal data within the team. The easiest way to do this is to have a Privacy Policy agreed by the team at an AGM.  This should include a list of the uses to which personal data will be put and describe the security arrangements in place, as well as the appropriate way to get updated or deleted. Once written it should be reviewed from time to time to ensure it is still fit for purpose.

The Privacy Policy must distinguish between “personal data necessary to run the team effectively” and “personal data provided voluntarily for helpful but not essential activities”.  Members cannot reasonably opt-out of providing necessary data – but that should really be the absolute minimum required (name, subs paid, maybe email?). The rest really is voluntary: you can hardly force people to provide personal data if they don’t want you to have it..   

There is an example policy in Appendix One. Please do not copy it blindly. What works for one team may not be completely suitable for another. 

Q2. Written consent from members – is it necessary?

That depends on the data and its use. For essential data you can almost certainly rely on “legitimate interests [of the team]” or “performance [to fulfill the team’s objectives]” as the basis for processing (see above). And given that you’d be asking the member themselves for the data anyway, there’s implied consent if they give it to you…. But do have the conversations mentioned above regarding the “non-essential but very useful” data, for which you should probably  obtain and hold written consent (which can just be their initials on a round-robin pre-forma)..

Q3. Do we have to register with the Information Commissioner’s Office?

No. Small not-for-profit membership-only organisations do not need to register with the ICO. If in doubt as to your status (e.g. you are primarily a commercial art performance team rather than just hobbyists) you should confirm this using the ICO self-assessment tool.

Q4. Do we need a Data Protection Officer?

No, but you can check here.  Having said that, it would be sensible for some officer (the Secretary, perhaps?) to have a basic understanding of what is required with respect to the protection of members’ personal data.

Q5. Do we need an “Article 27 representative”?

No. Article 27 is not relevant to any UK-based morris team.

Q6. Inactive or ex-members (or “social” or “country” members) – what about them?

If they do not pay subs, they might not be members in the eyes of the law and so you may not be able to rely on performance of contract or the legitimate interests of the team as your reason for holding and using their personal data. After all, they aren’t members of the team.  

The team’s officers are required to work under a lawful basis for processing personal data so should seek an alternative (e.g. obtain and record their explicit consent for you to keep them on your address list, or to have them on your mailing list). If that consent is withdrawn then you should take them off the list. It may be worth checking every year or so to see that they do still want to receive information about the team or its activities. 

The GDPR is strong on the idea of “granularity” – so you might consider having different mailing lists for (e.g.) day to day team business vs announcements of dance outs or events that social members might be interested in.

Q7. Email addresses – can we hold them on our address list?

Well, best practice is to use a reputable mailing list system (local or cloud, e.g. groups.io or even mailchimp)  rather than having every member have every other member’s email details. If members want to contact each other privately they can get the person’s email addresses themselves at practice. That said, this is a matter for the team to decide for itself, to share or not to share….

If you keep email addresses together with a postal address list, the risk is heightened somewhat as theft might allow the postal address information to be more easily linked with other data available on the Internet (which often has the same email address associated with it).

Pay attention to security – local storage on your PC has different risks to cloud storage and shared documents.  If the email addresses are stolen, you may receive phishing emails that seem to come from fellow members (which could be high impact, up to and including identity theft) and/or will be spammed mercilessly. 

Finally, it’s quite cool to have generic addresses such as “squire@ambridgemorris.org.uk” which redirect to the correct person privately, behind the scenes. Then there’s no need to publish private email details on your website or even to members.

Q8. Must the team review its Privacy policy and ask members to sign up to this each year?

No; but it would be  eminently sensible to do so.  Perhaps at each AGM? This would ensure that new members are made fully aware of the policy and the use to which their personal data may be put.  Having said that: members do not need to actually sign the policy – once agreed by the team it applies to every member as a condition of membership.   You also don’t need to table it every year, either, once accepted, it applies until changed or removed; but the team can choose for itself how it wishes to approach this.

Every expected use of personal data should be outlined in the privacy policy, especially if you expect to pass that data on to others (e.g. event organisers).  Do make sure the members approve of these reasons; you may think they’re sufficient, but they need to do so too! People need to be able to make an informed judgement about whether they are willing to provide personal data to you.

Q9. Re the suggestion of signing up annually to the Privacy policy – would members need to complete all their contact details every year (address,email,tel nos) – or can we ask members to confirm annually that their contact details are unchanged?

The latter is fine; you may even give people the facility to update their own details, through a shared file, perhaps. 

Q10. Opt-in: Our current Privacy Policy allows us to share email/address data etc. unless members opt out.  Must we now ask members specifically to opt-in?

It is true that genuine consent implies opt-in, not opt-out (or pre-ticked boxes).  So again this is a sensible suggestion that is easy to implement. Put a list of names and boxes on the bottom of the policy and run it round the room at the AGM (and any number of practices needed to get everyone!). Have them initial the box rather than just ticking it.

Q11. No sharing at all?  It has been suggested that we should not share members’ addresses at all with each other. However most members want to continue doing this as we car-share; meet up for planning and committee meetings; store Morris kit; put on kit workshops etc. Can we share address lists of current members if we have consent to do so from members?

Yes, absolutely so. Consent is a legitimate basis for processing (here, storing and accessing) personal data.  Anyone who does not want to have their address (etc) shared should have the right to have the data deleted from the shared drive/document. Or, if the data is essential for the correct functioning of the club, access must be restricted to those who absolutely need to know and who cannot get the data any other way (i.e. it’s not shared with all and sundry) .

Q12. Child members: do we need to observe particular requirements?

Yes.  Please see the relevant ICO guidance. The first question to ask is “Do you need to store their details at all?”.  Which of the purposes explained in your Privacy Policy requires you to have these details?  If their parents are also members, can you work with just their data?  Or even if they aren’t members…? 

If you do need to store the child’s details, you should have the parents consent in writing. Children under 13 cannot legally consent to anything so do so not seek data from them directly.  Children over 13 should be considered competent to decide if their own data should not be included, even if that differs from their parents views (be diplomatic).

Again, get parental consent to send cards to children.  If you store birthdays to enable the sending of cards, etc, just store month and day, there is no need to include the year. You don’t need to store ages or full dates of birth: a flag to say “Under 16” or “Adult member” will suffice.

Q13. Is it acceptable to ask members for an emergency contact name and phone number, and to enquire about allergies, relevant medical information or additional needs?

To ask?  Yes, of course.  To demand?  Probably not.  Allergies and medical information (and dates of birth, by the way) are classed as “sensitive” data and more care must be taken to ensure that it is only requested for good reason.  It may be necessary to establish a “private” record for use only to advise event organisers (etc) but that may not be the case, as, frankly, allergies are rarely secret. Again, the team should discuss and agree what must be done – allowing that if one person wants it to be private then it needs to be private for everyone.

You should probably write some suitable catch-all in your policy to cover legitimate exceptions such as medical emergencies, etc, where you will be able to act to disclose data without consent but for the greater good of the individual concerned.

Q14. We have some new recruits who have not yet signed up to privacy policy. These new people have not been added to the group email list, but are being “blind-copied” in to group emails. Is this okay?

Ah; probably not a good idea.  Two things to consider: 

  1. Membership
    1. No-one should have access to team correspondence (never mind other people’s personal data) if they are not members of the team and thus bound by its rules.  Bear in mind that anyone who is not a member of the team is just a member of the public… Are these new recruits officially members? Sign them up asap!
    2. If officers need to communicate with non-members (even prospective members) they should do so separately and not by BCC on team correspondence. That may mean resending team emails separately but then (a) it’s a conscious choice and (b) you can tailor the text appropriately. 
  2. Bcc: this is a common way of hiding email addresses but it is seriously flawed:
    1. No-one can successfully “reply all” (anyone bcc’d will miss the reply)
    2. If everyone has their own list of members, they can easily get out of sync
    3. If you’re bcc’ing the new people are you revealing the email addresses of current members (to whom you owe a duty of privacy)?

Have the team use a decent mailing list service (e.g. groups.io; or even mailchimp.com). That way there is one “true” list but no-one gets to see anyone else’s email address.

Q15. A member has refused to sign the Privacy policy ….

If they are a member (has paid subs, etc) then they do not need to “sign up to” the policy.  It applies to them by the simple fact of membership. If they want to change the policy they should raise a motion at the AGM.  

But I would ask why they have refused to sign… does your Privacy Policy fail to distinguish between “personal data necessary to run the team effectively” and “personal data provided voluntarily for helpful but not essential activities”?  Does the member understand why their data is needed? What do they get in return for providing the information?

At the end of the day, Morris is a hobby; the “rules” of the side are just suggestions for voluntary cooperation likely to enhance enjoyment.  If someone doesn’t want to cooperate, the first step must be to discuss the matter with them in order to seek mutual agreement. Only if that fails can further action be considered.


Appendix 1 – example privacy policy

This is an extract from one team’s Constitution; it could easily be a separate policy approved by the team in General Meeting.  Given its importance, it should be approved by a two-thirds majority.

Note: the word “may” implies the action is optional/voluntary.  The use of “must” or “shall” means the action is mandatory.

Data Protection

The team intends that personal data provided by members, for whatever purpose, be kept securely and shared only in pursuit of legitimate objectives.  This document explains what data is kept, by whom, and for what purpose.

Essential data

  1. Members’ names are recorded in a number of team documents, including the definitive list of members (which also holds subscription data); the “tick-list” whereby members show their interest in attending events; the “record of practices” held by the foreman; the agenda and minutes of general meetings; notes circulated after practices, etc. These records are held to be the minimum necessary for the effective running of the team.
  2. New members are invited to subscribe to the team email distribution list and may choose to subscribe at that time or any time subsequently.  This subscription is “private” in that members’ email addresses are not visible to others when using the mailing list, but the address provided will be visible to the Secretary, or other Officer, administering the list. Members may withdraw their subscription to the mailing list at any time by request to the Secretary. However, the list is the official channel of communication for the team and it is unlikely that alternative arrangements will be made for members who choose not to subscribe. 
  3. The treasurer has, and other officers may have, access to the team’s financial records and team bank account and the personal data recorded therein (who has paid what subscriptions, for example). 
  4. The team’s accounts are reviewed annually by a third party appointed for that purpose by the team in general meeting.  This third party will have access to the accounts for the purpose of conducting a proper review to detect or prevent fraud. This may include individual subscription records. The Officers consider the impact on individual privacy to be limited and to be justified by the legitimate interests of the team and its members.

Discretionary data

  1. Members may choose to make additional personal data available to fellow members and selected third parties (e.g. event organisers) for a number of purposes, including, but not necessarily limited to, those described below. 
  2. This data can include:
    1. Postal address
    2. Mobile, workplace and/or home telephone numbers
    3. Email address
    4. Month and day of birth
    5. Names of “usual” guests at events (e.g. partners, family)
    6. Dietary preferences and food allergies
    7. [Other information you normally keep]

Members make this data available by adding their data to the team address list, which is held “in the cloud” as a shared file with Internet access.

  1. The address list can be accessed by all team members.  No login is required. 
  2. Risks: It is possible by the nature of the technology used for team members to share access to the list with others not in the team.  Former members may also retain access to the list. The convenience of offering easy access to current members is held to outweigh the risk of misuse by others.  Nonetheless, members should take this into account in considering what personal information they wish to provide.
  3. Provision of personal data for the address list will be deemed to be de-facto consent to the uses of personal data described in this policy. [Alternatively] Members must “opt-in” to the uses of personal data described in this policy by initialling the list circulated at the AGM or when they join the team.
  4. Individual members must take responsibility for keeping their own data up to date on the address list. Members may remove their data from the address list at any time,  or request the Secretary to do so on their behalf. 
  5. Some of the above data (e.g. name(s), dietary preferences) will be shared with third-parties where it is necessary for effective performance or it is in the member’s interest that we do so. Generally this data is shared only with event organisers to enable them to issue tickets,  plan meal choices, etc. In the event of a medical emergency (e.g. allergic reactions) any member may share any and all information necessary for the health and well-being of others.
  6. Members’ address details are generally used only for:
    1. Car-share arrangements for practices, events etc;
    2. the delivery of Birthday and Christmas cards (or other holiday greetings); 
    3. (add to the list as appropriate).
  7. The team has a tradition of sending a card, signed by everyone except the recipient, to members on their birthday. If you would like to participate (and receive a card) please provide your birthdate (day and month only). This data is recorded only to allow this tradition to be maintained! 
  8. Mobile phone numbers are very useful in keeping members informed of last minute changes to event arrangements, etc. “Group chats” using these numbers may be established for that purpose, especially at major festivals, etc. 
  9. Members may also add their email address to the team address list so that they can be contacted privately by officers and fellow members.
  10. The team also maintains a (separate) mailing list for ex-members and others who may be interested in attending events, reunions, etc. Any person may apply to subscribe to this list, subject to the approval of the officers, such approval not be unreasonably withheld.  As with the team mailing list, subscribers do not see each others’ email addresses but the list administrator can see all addresses. [Alternatively] The team uses social media (e.g. FaceBook and Twitter) to advertise events, reunions, etc. Anyone may “friend” or “follow” the team on these platforms.  Personal data available to our media administrators as a consequence is used only to communicate with the friend/follower using the normal mechanisms provided by the underlying platform.
  11. Under no circumstances will the team share personal data of members, or others associated with the team, with third parties outside the scope of this policy.

This policy was approved by a two-thirds majority vote on XX/XX/XX. It should be reviewed annually to ensure it is still fit for purpose.


Author: Jerry West; Last Updated: 12/02/2020

Don't miss out

Get The Morris Federation's News

Subscribe for news about The Morris Federation and morris related activities. Available for all.