Here is our understanding of the impact of the General Data Protection Regulations (GDPR) on Morris teams (“sides”) that are members of the Morris Federation. This is not intended to be formal advice, merely notes on the topic using material gleaned from the Information Commissioner’s Office (http://ico.org.uk). Readers should be familiar with the Data Protection principles and legislation which are not further explained here. You remain responsible for your side’s conformance with the law and must make your own decisions to suit your own circumstances.
GDPR will be implemented by a new Data Protection Act (DPA2018). Under the Act, organisations must understand and document the lawful basis on which they process personal data and be accountable for the decisions they make around the use of that data.
You need to obey the fundamental principles to protect personal data “by design and by default” (i.e. keep only what you need, keep it only for as long as it is needed, keep it private).
These notes assume the side does nothing more than would be usual for a Morris side with a known membership, and that the only personal data held and used are the side’s members’ contact details. You should seek proper advice if you hold personal data above and beyond this. GDPR also introduces new obligations concerning the personal data of children. If you have children in the team – particularly if their parents are not also members – then you should take additional advice.
Otherwise, since the personal data belongs to your members, this is a matter for discussion with them.
Matters which your membership might discuss could include:
1. The lawful basis which permits the team’s officers to collect and use personal data about members1.
In most cases this will be because the officers need the members’ personal data to perform tasks that members expect in running the team. This is “processing necessary for the performance of a contract2” and/or “the legitimate interest of the organisation”, either of which allows use of personal data without separate consent.
It is, however, courteous to seek consent to obtain and use members’ personal data. But note that consent may be withdrawn at any time, so you should identify any personal data that is required to run the team successfully – and the use to which it will be put – even if that consent is withdrawn. See point 3 below.
2. What personal data is/should be collected and the things it is likely to be used for. Don’t forget intra-member use – e.g. maintaining an address list shared with the membership allows members to contact each other more easily.
You need to be sure that the use you have in mind actually does require you to hold the personal data in order to achieve it! In general you should only keep data essential to the processing identified.
Review the data you hold and delete anything that is not essential for the identified use(s). Better still, don’t collect it in the first place! E.g. Even if you have an “over-18” membership rule, you don’t need to keep dates of birth as membership information: you can keep a record that they have proved they are over-18 on joining, you do not need to keep the personal data itself.
3. Who should members contact if they want to check the data held, and/or correct it, and/or ask for it to be deleted?
Obviously, it’s in the team’s interests that the data held is accurate and up to date, so make it easy.
Note that you are probably entitled to refuse to delete specific data items essential for your functioning but only for as long as it remains essential. If someone resigns their membership and asks you to delete their data, you need to have a very good reason to keep it against their wishes. Indeed, you need to have a very good reason to keep it at all once all the paperwork has been sorted.
You can, however, maintain the minimum data necessary for legitimate archival purposes (e.g. names of dancers recorded in your scrapbook). However, you don’t need to keep all their personal details for that purpose, so don’t keep old address lists, for instance.
4. Where the data will be stored and what security arrangements apply.
The team should consider the risk of loss (accidental deletion), or damage (incorrect edits, partial loss), as well as theft. In practice, the impact of loss and damage is likely to be minimal – you can reconstruct the list from scratch simply by asking the members to provide the data again.
The consequences of theft (i.e. the data is published somewhere or falls into unfriendly hands) should be discussed with the team. Would it be simply inconvenient (or embarrassing to be outed as a Morris Dancer!) or could real damage be caused?
Your members must be happy with the arrangements made, but you are only obliged to take reasonable steps, not try the impossible or impractical. Review the advice given under “Security” on the ICO website.
NB. This is not a full list of possible discussion points. Team officers should review the GDPR guidance on the ICO website in full to see what else (if anything) needs to be considered.
Q. Do we need to collect and hold written consent from members to use their data?
Probably not. You can almost certainly rely on “legitimate interests” or “performance to fulfill a contract” as the basis for processing the data. And it’s not as if you obtained the data without the members knowing about it. But do have the conversation mentioned above – especially item 2 – and document what was agreed so it’s on the record – that could form the basis of a Privacy Statement, perhaps.
Q. We also hold data on inactive or ex-members (or “social” or “country” members). Is that okay?
If they do not pay subs, they might not be members in the eyes of the law and so you may not be able to rely on performance of contract or the legitimate interests of the team as your reason for holding and using their personal data. After all, they aren’t members of the team.
The team’s officers are required to work under a lawful basis for processing personal data so should perhaps seek an alternative (e.g. obtain and record their explicit consent for you to keep them on your address list, or to have them on your mailing list). If that consent is withdrawn then you should take them off the list. It may be worth checking every year or so to see that they do still want to receive information about the team or its activities. The GDPR is strong on the idea of “granularity” – so you might consider having different mailing lists for (e.g. day to day team business vs announcements of dance outs or events that social members might be interested in).
Q. We only hold a (postal) address list as a word document (or spreadsheet), do we have to worry about GDPR?
Technically, yes. In practice the risk of loss, damage or theft is very low and the impact of any loss, whilst inconvenient, is unlikely to be substantial. Nonetheless, have the discussion… but it will just be a very short discussion!
Q. We also put people’s email addresses on the list…
If you keep email addresses on the list, the risk is heightened somewhat as this might allow the address information to be more easily linked with other data available on the Internet (which often has the same email address associated with it).
In addition, if the email addresses are stolen, you may receive phishing emails that seem to come from fellow members (which could be high impact, up to and including identity theft) and/or will be spammed mercilessly.
Pay attention to security – local storage on your PC has different risks to cloud storage and shared documents.
Consider keeping email data separately – e.g. use a reputable mailing list system (local or cloud) rather than having every member have every other member’s email details. If members want to contact each other privately they can get the person’s email addresses themselves at practice.
Having said that, if you do use third-parties to process your members’ personal data then you should ensure those third parties are preparing for GDPR – they will be “Data Processors” under the law and have specific legal obligations which they (and you) should be aware of. Follow their advice where appropriate. If they claim not to have heard of GDPR, change provider!
In addition, please note there are rules about storing the personal data of UK citizens in non-EU countries (e.g. US cloud storage) and it is your responsibility to only use a provider that conforms to these rules. Brexit will not alter this. Seek advice from the provider and from ICO.
Finally, it’s quite cool to have generic addresses such as “firstname.lastname@example.org” which redirect to the correct person privately, behind the scenes. Then there’s no need to publish private email details on your website.
Q. We only produce paper copies of our address list for circulation, does this change anything?
Well presumably the original is produced on a PC (unless you still use a typewriter!) so GDPR still applies. Have the discussion anyway. Keep the PC’s anti-virus software up to date and use firewall software if connected to the Internet.
Q. Do we have to register with the Information Commissioner’s Office now?
No. Currently, not-for-profit membership-only organisations do not need to register with the ICO and the existing advice is that you will not have to pay a fee under DPA2018 either3. If in doubt as to your status (e.g. you are primarily a commercial art performance team rather than just hobbyists) you should confirm this using the ICO self-assessment tool when it is released.
2 To rely on this would be to accept that a contract exists between each of the members and between the members and the officers of an unincorporated association, based on your team’s constitution (if any).