Introduction
Within the UK, an individual’s confidentiality was previously protected by the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2016 (PECR). However, as of 25th May 2018, this confidentiality has been significantly improved due to the Data Protection Act being superseded by the much stricter General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). PECR has also been modified as of 8th September 2018, so as to align with GDPR.
Even though GDPR is a piece of EU legislation, following the Brexit transition period it has now been incorporated into UK law and is now known as the UK GDPR.
Amongst other changes, GDPR together with PECR now require ERMS to obtain explicit consent from each member to both store their personal data electronically, and to use it to communicate with them. Implied consent is no longer acceptable. As before, personal information supplied by members to ERMS will continue to be stored electronically and securely but this data will now be deleted once it is no longer relevant (see below – Data Retention Policy). Please note, however, that paper copies of membership application/renewal forms will also be retained, but for a slightly longer period (see below – Data Retention Policy).
What personal information does ERMS hold about each member?
ERMS stores the following personal information about each member, in electronic format:
- Name
- Address
- Phone numbers (landline and mobile)
- Email address
- Whether or not the member is over 18
- Whether or not the member is also a member of the Geologists Association
This is the only information that ERMS holds on any member, and in those cases where a member has declined to provide some elements of this data (e.g. landline telephone number – possibly because they do not have one), ERMS will make no attempt to discover and record this information from any other sources (e.g. ERMS will not consult the BT telephone directory in order to discover the member’s landline telephone number).
Where it is proposed to display an identifiable image of an ERMS member on the ERMS website or newsletter, specific written consent must be obtained beforehand. No identifiable images of ERMS members will be used by ERMS on any social media channels.
How does ERMS collect its members’ personal information?
ERMS collects personal information from each member once per year, on the membership/renewal form, which currently exists only in paper format. Apart from renewing a member’s consent, this annual collection of data means that ERMS records can be regularly updated with changes to a member’s postal address, email address etc.
What does ERMS use this personal information for?
ERMS uses its members’ personal information solely for the purposes of engaging in the legitimate activities of the Society. Examples of such activities are:
- Emailing of the monthly newsletter (Email address required)
- Coordination of field visits etc. (mobile phone number required). Because of Health and Safety and also insurance requirements, it is essential that we can communicate with members by mobile phone. For example, if we organise a field trip to a quarry, we need to be certain that all members have left the quarry at the end of the visit.
Although ERMS does not intend to engage in any form of marketing activity, some of the articles included within the newsletter (and possibly other communications) might conceivably fall within the legal definition of ‘marketing’. For this reason, the membership form requests a member’s consent to be sent marketing information.
Member's consent to hold personal information
GDPR and PECR require that ERMS obtains each member’s explicit consent to:
- a) Electronically hold all of the personal information that they give us on the paper membership/renewal form
- b) Use any of the following means to communicate with them:
  - landline telephone
  - mobile telephone
  - text message
ERMS obtains this explicit consent by requesting each member to fill in a tick box on the paper membership/renewal form to confirm consent. This consent must be renewed each year.
Who will ERMS share members’ personal information with?
ERMS will not share members’ personal data with ANY organisation or individual outside of ERMS. The only exception to this is if ERMS is required by law to divulge information, e.g. to HMRC.
In what format does ERMS hold a member's personal data?
ERMS holds all members’ personal data in a spreadsheet which is encrypted and password protected.
ERMS Data retention policy
When a member gives ERMS his/her personal information, ERMS will keep this information electronically for the remainder of the calendar year in which the member joined ERMS or renewed his/her subscription, plus an additional six (6) months (i.e. up to the end of June in the following year, so as to accommodate late renewals). After this time ERMS will delete all of that member’s personal information from its electronic records.
Paper records (mainly application/renewal forms) may be retained for up to two (2) years after the end of the calendar year in which they were created.
Communication of privacy notices
ERMS communicates its policies on members’ data privacy in two ways:
- A limited explanation on the membership/renewal form.
- Complete description (this document) on the ERMS web site
The membership/renewal form recommends that members view the complete privacy policy on the ERMS website.
Member's rights to view all the personal information that ERMS holds about them
If a member wants to view all of the personal data that ERMS holds about them, they should write to the Membership Secretary, who will respond with this information within one (1) calendar month of receiving the request. ERMS reserves the right to request proof of identity of any person making such a request. For the avoidance of doubt, any request by an ERMS member to view the data relating to any other ERMS member will be rejected.
Withdrawal of Consent or modification/deletion of personal data
Any ERMS member who wishes to:
- withdraw or alter his/her consent to hold his/her personal information, or
- withdraw or alter their consent to be contacted by any of the electronic communication methods listed above
should write to the ERMS Membership Secretary, requesting this action. The Membership Secretary will change the ERMS records of the member’s consent, including (where requested) modification or deletion of all of the member’s personal information within one (1) calendar month of receiving the request.
A member has a right to complain to the ICO (Information Commissioner's Office) if they feel that ERMS is not handling their personal data in a satisfactory manner.
ERMS reserves the right to request proof of identity of any person making such a request. For the avoidance of doubt, any request by an ERMS member to modify/delete the data relating to any other ERMS member will be rejected.
What is the Lawful Basis for holding and processing of a member’s personal data?
GDPR requires that every organisation declares the Lawful Basis on which it stores and processes personal data with the full range of possible Lawful Bases being set out in Article 6 of the GDPR. The Lawful Basis which ERMS has chosen to store and process a member’s personal data is the Consent of that member to do so, in order to take part in the activities of ERMS (“the individual has given clear consent for you to process their personal data for a specific purpose.”).
Responsibility for ensuring compliance with GDPR
The ERMS Membership Secretary has overall responsibility for compliance with GDPR, assisted by other members of the ERMS Committee.
Data controller and data processor
The Membership Secretary is the Data Controller and primary Data Processor. Pursuant to the GDPR, the Data Controller determines the purposes and means of processing personal data and is responsible for compliance with the GDPR Principles set out in Appendix A.
Any member of the ERMS Committee who also holds personal data in electronic form for the purposes of administering ERMS activities will also be a Data Processor. A Data Processor is required to maintain personal data securely and has a legal liability if responsible for a data breach.
Data breaches
In the unlikely event that the personal information ERMS holds is compromised in any way, ERMS will inform the relevant authorities (currently the Information Commissioner's Office) within 72 hours of becoming aware of the breach.
Children
ERMS requires parental/guardian consent to hold the personal information about any member who is under the age of eighteen (18), as well as to send such a member any electronic communications. ERMS will require anyone who claims to be the relevant parent/guardian to present evidence that they are, indeed, the legal parent/guardian.
Appendix A
Article 5 of the GDPR requires that all personal data shall be:
- ‘a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’