The BFS Committee met to agree how to implement the requirements of the new Data Protection laws coming into force on 25th May 2018. We investigated and discussed what we needed to do to comply with the law and ensure that we continue to serve our members’ needs. Our discussion was based on the detailed guidance available from the Information Commissioner’s Office. This guidance can be accessed here.
We hold the following contact details for our current members: name; email address; postal address; telephone number(s).
For former members, we will retain this information for 15 months after they have left the society. This is to enable us to update their membership records easily, should they decide to re-join during this time.
For members who do not renew during this time, we will now retain only their membership numbers, names and postcodes. We will retain these to enable us to reallocate them their original numbers, should they decide to re-join. The postcodes should ensure that we do not confuse a new member with a former member of the same name. To enhance security, we will no longer retain any other contact details.
This contact information sometimes comes from members directly (e.g. from emails to the society, or from completing the paper membership application form in our programme brochure). More and more frequently, it now comes via our third-party providers: from GoCardless (for members who pay by Direct Debit) or from TicketSource (for members who join electronically, but not by Direct Debit). Members supply their contact details to one of these two providers when they join the society. We have checked the Privacy Policies of both these organisations to ensure that they are UK compliant. Members can also do this for themselves, if they wish, as we are not able to take responsibility for them.
We will provide this on request. As the regulations include the right to see any email still held, we will delete all Webmail emails as soon as the issue they address has been resolved. This will normally be done on the same day as the society replies, and otherwise normally no more than a week later.
This is something which the data protection legislation obliges us to define. We have decided that we process member information on the basis of “legitimate interest”. This means that we do what a member would reasonably expect. In our case, this means that if you become a member of an organisation, you can reasonably expect to receive emails about the activities of that organisation. The guidance also explains that it is perfectly acceptable to continue to communicate with individuals in the way they have accepted and grown to expect. (The guidance calls this “soft opt-in”.) Each email message from us gives recipients the opportunity to unsubscribe if they wish.
We will not send information about NFTS charity screenings, as such “non-commercial marketing” is specifically excluded from “legitimate interest”. We may provide links to such events on our website, all of which is public, as this does not involve any data processing.
The regulations require additional safeguards for any processing of the data relating to minors. These include age verification and parental consent.
To avoid this complication, this is what we have decided to do:
All committee members will remain vigilant and report any possible data breaches to the current Chairperson, who will investigate and report in accordance with the regulations. If any member detects a possible breach, they should email the society, and this will be passed to the Chairperson for action.
Our policy is that all committee members will password-protect any devices they use to process data, and ensure that the settings prompt for the password to be re-entered before each use. We will not store data on memory sticks or other insecure devices.
This responsibility will be delegated by the Chairperson to one member of the committee. Any enquiries should be submitted via the society’s email (from the link on the website) and will be passed to the relevant person.