u3a

Stratford-upon-Avon

Privacy Policy

STRATFORD-UPON-AVON U3A

HOW WE USE PERSONAL INFORMATION

This statement explains how and why Stratford-upon-Avon u3a (‘SAVu3a’) processes personal information, whether organised in electronic or paper form. It applies to personal information stored on its behalf on the central database called ‘Beacon’ run by The Third Age Trust and to personal information which may be processed in other ways by members of SAVu3a when acting in an official capacity.

For data protection purposes this document is SAVu3a’s Privacy Statement. As a not-for-profit organisation SAVu3a is exempt from registering with the Information Commissioner’s Office.

1          How Personal Information is Obtained

1.1       Members’ and visitors’ personal information is collected from application forms which they complete. Membership renewal is done by email with the member being requested to inform us if their details or circumstances have changed. That is the member’s responsibility. (See also para 4.7 about keeping it up to date). For limited and specific purposes, eg a group activity, visit or social event, additional information might be recorded with the person’s knowledge and consent, which can be subsequently withdrawn at any time.

1.2       All personal information processed by SAVu3a is provided either directly by the individual concerned or on their behalf as part of an application. It is not obtained from third parties.

2          What Personal Information is Collected and Why

2.1       SAVu3a collects and processes the following personal information about its members and, where necessary, its visitors for which the legal basis is its ‘legitimate interests’:

  • Name
  • Contact address
  • Email address
  • Telephone number(s)
  • Membership status (ie full or lapsed/in arrears)
  • Group status (ie Member, Group Leader/Contact or waiting list)
  • Gift Aid consent
  • Preference in respect of the Third Age Trust magazine

2.2       Photographs and videos in which individuals can be identified may also be taken, stored and archived indefinitely for publicity and historical purposes. The legal basis for doing this will be ‘consent’: ie the reason for taking the photograph or video will be explained before it is taken and identifiable individuals will be given the opportunity to move out of shot if they wish.

2.3       Certain categories of information (called ‘special category data’ in data protection terms) are considered sensitive and require additional safeguards. They include, for instance, medical information or religious and political beliefs. SAVu3a does not normally process ‘special category’ information, but it may occasionally be necessary in relation to a specific trip or activity. In such a case arrangements would be made to obtain explicit informed consent. (Anyone who believes such information is improperly being kept about them by any part of SAVu3a should raise this with SAVu3a’s Data Protection Advisor (email: dataprotection@stratfordu3a.org.uk).

2.4       Although it does not hold medical information on the database or in other records, SAVu3a requires all members when engaged in u3a activities to carry a card with key medical and emergency contact information which they complete themselves. Blank cards for this purpose can be obtained from the Membership Secretary (email: memsec@stratfordu3a.org.uk) There is provision in data protection law to allow use of ‘special category’ information without consent where necessary to safeguard the individual in a ‘life and death’ emergency.

3          Why Personal Information is Processed

3.1       In pursuit of its legitimate interests, which include the provision of educational, leisure and recreational facilities for the public, particularly middle-aged and older people who are not in full-time employment in Stratford-upon-Avon and its surrounding locality, SAVu3a collects and uses the personal information listed above:

  • to identify its members,
  • to communicate with them on u3a activities
  • to share it on a need to know basis with other members acting in an official capacity in SAVu3a (ie Officers, Committee members, Group Leader/Contacts and the Data Protection Advisor)
  • to meet the requirements of the Third Age Trust public liability insurance

It is also used to compile anonymised statistics for planning and development purposes and for managing its finances. Where there is a legal or contractual obligation on SAVu3a to do so, information about identifiable individuals will be used by SAVu3a and, only to the extent necessary, disclosed to third parties to provide services the individuals have requested. Examples might include Gift Aid in relation to HMRC, the provision of the ‘Third Age Matters’ magazine by The Third Age Trust, or tour operators and trip venues.

3.2       SAVu3a may use its members’ personal information itself to advise them of events run by SAVu3a and other branches as well as external organisations where these are in line with our aims and objectives but will not transfer it to other organisations to use for direct marketing purposes.

4          How Personal Information is Managed and How Long it is Retained

4.1       SAVu3a’s central database of membership information is held securely on the Third Age Trust  ‘Beacon’ database which is provided to SAVu3a under a contract which contains strict confidentiality and security requirements on both parties. The contract provides that under data protection law SAVu3a is ‘the controller’ and The Third Age Trust is ‘the processor’ which takes its instructions from SAVu3a. The server on which ‘Beacon’ rests is located in the United Kingdom.

4.2       Responsibility for policy in respect of data protection and SAVu3a’s use of the Beacon system rests with the SAVu3a Committee. Day-to-day management is the responsibility of the SAVu3a Beacon Site Administrator in close liaison with the Membership Secretary and the Treasurer.

4.3       The Committee has decided that Officers, members of the Committee, the SAVu3a Beacon Site Administrator, Group Leader/Contacts and the Data Protection Advisor may have access to the Beacon system.

4.4       Group Leader/Contacts apply for access through the Groups Co-ordinator. When granted, it is limited to viewing the contact details and membership status of members of their own group only and amending their status in relation to that group (ie ‘group member’ or ‘waiting list’). Other conditions may be imposed. They are unable to view any financial information.

4.5       Before anyone is granted access to the Beacon system they must first undertake to abide by the Committee’s rules on the appropriate and confidential use of the information it contains. Periodic reports of who has access to the Beacon system and their level of access will be made to the Committee.

4.6       Officers, members of the Committee and Group Leader/Contacts who keep their own records of member information for u3a purposes and store them on their own computers or filing system must abide by SAVu3a’s Privacy Policy. There may sometimes be a grey area between those records on the one hand and information which is kept solely for ‘personal, family and household’ reasons and thus exempt from data protection law. Where there is doubt advice should be sought from the Data Protection Advisor. In all cases, however, records which are maintained outside the Beacon system should as a minimum be handled with discretion and within the spirit of this Statement and the principles of data protection.

4.7       SAVu3a will keep members’ personal information for as long as they are members. It is legally required as ‘the controller’ to ensure that personal information is accurate and sufficient (and not excessive) for the purposes for which it is kept and it will correct errors and omissions promptly. One way it regularly reviews this is through the annual membership renewal process where members are asked to confirm their details.

4.8       Members are also asked each year to confirm if they do not wish to renew their membership. Unless paragraph 4.9 applies, the records of those who do this will be deleted as soon as practicable. Where a member does not renew and does not indicate they wish to cease membership, they will be recorded as a ‘lapsed member’. In view of its experience of members unintentionally failing to renew, SAVu3a considers it legitimate to retain the records of such members either until the next renewal date or they confirm they do not wish to renew (whichever is earlier) at which point their record will be deleted.

4.9       An individual’s personal information will only be retained for longer than their membership or lapsed membership status would normally allow if SAVu3a has a legal obligation to do so (such as by HMRC) or it is required to do so by a law enforcement or regulatory body, by its insurers or because the information is or may reasonably be expected to be required in connection with legal proceedings, or it is held in the form of a photograph or video and paragraph 2.2 applies.

5          Members’ Rights and Whom to Contact

5.1       Anyone has the right to ask SAVu3a whether it is processing personal information about them and, if it is, to be given information about what is being processed (known as a ‘subject access request’) and to have errors corrected. In certain circumstances they can object to their information being processed and to ask for it to be erased. Requests to exercise these rights, or queries or complaints about SAVu3a’s data protection practice and policy, should be directed to the Data Protection Advisor (email: dataprotection@stratfordu3a.org.uk).

5.2       The Data Protection Advisor is a member of SAVu3a who is independent of its management structure (but who has direct access to the Chairman of the Committee). He or she advises on compliance with data protection law, provides training, manages ‘subject access requests’ and acts as an internal advocate for individuals’ information rights.

            Adopted by the Committee

9 October 2024

Ref 01L