Data Protection Policy

1. Introduction

The Frome Valley Art Club Committee is committed to a policy of protecting the rights and privacy of individuals. We need to collect and use certain types of Personal Data in order to manage and administrate the running of our club and communication with our members. This personal information must be collected and handled securely.

The Data Protection Act 2018 (DPA) and the United Kingdom General Data Protection Regulations (UKGDPR) govern the use of information about people (personal data). Personal data can be held on computers, laptops and mobile devices or in a manual file, and includes email, payment details (for term subscriptions), information pertaining to exhibition submissions and sales and minutes of meetings including an Annual General Meeting where all members are invited.

Frome Valley Art Winterbourne will remain the data controller for the information held. The committee is personally responsible for processing and using personal information in accordance with the Data Protection Act and UKGDPR. Committee members and members who have access to personal information will therefore be expected to read and comply with this policy.

2. Purpose

The purpose of this policy is to set out the Frome Valley Art Winterbourne committee’s commitment and procedures for protecting personal data. Frome Valley Art Winterbourne regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we work. We recognise the risks to individuals of identity theft and financial loss if personal data is lost or stolen.

The following are definitions of the terms used:-

Personal Data – information about living individuals that enables them to be identified e.g. name, address, telephone numbers and email addresses. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual members.

Data Controller – Any organisation, person, or body that sets the objectives and methods of processing personal data, whether alone or jointly, is in charge of the data and is accountable for it.

Act – The Data Protection Act 2018 and UK General Data Protection Regulations – The UK legislation that requires responsible behaviour by those using personal information.

Data Protection Officer – Frome Valley Art Winterbourne is not required to appoint a Data Protection Officer.

Data Subject/Service User – The individual whose personal information is being held or processed by Frome Valley Art Winterbourne (e.g. an individual, a member, a consumer, a candidate, a volunteer, a committee member).

Explicit Consent – is defined as a ‘freely provided, precise, informed and unequivocal’ expression of the data subject’s desires, either by a word or clear affirmative action.

Data Processors – The data controller decides the objectives for which personal data is processed and the methods by which it is processed.

Legitimate Interest – Whereby a small club or society utilises personal information in a way that the data subject would anticipate.

Information Commissioner – The UK Information Commissioner is responsible for implementing and overseeing the Data Protection Act 2018.

Processing – means collecting, amending, handling, storing or disclosing personal information.

3. The Data Protection Act 2018

This contains 7 principles for processing personal data with which we must comply.

Personal Data

  1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
  2. Shall be obtained only for one or more of the purposes specified in the Act and shall not be processed in a manner incompatible with that purpose.
  3. Shall be adequate, relevant and not excessive in relation to that purpose.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Shall not be kept for longer than necessary.
  6. Shall be processed in accordance with the rights of data subjects under the Act.
  7. Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information.

Applying the Data Protection Act within Frome Valley Art Winterbourne

We will let members know why we are collecting their data, which is for the purpose of communicating information about the club, issuing reminders about subscriptions, information about professional visiting artists and other details pertaining to the club activities. This may also include marketing by known artists who offer external workshops and events and other art exhibitions. It is our responsibility to ensure the data is only used for this purpose. Access to personal information will be limited to the club membership secretary, club secretary and for circulation of a monthly newsletter.

Where individuals need to be identified in public documents e.g. minutes, and harm may result, initials rather than full names will be used.

Correcting Data

Individuals have the right to make a Subject Access Request (SAR) to find out whether the club holds their personal data, where and what it is used for and to have data corrected if it is wrong, to prevent use which is causing them damage or distress, or to stop marketing information being sent to them. Any SAR must be dealt with within 30 days. Steps must first be taken to confirm the identity of the individual before providing information, requiring both photo identification e.g. passport, and confirmation of address e.g. bank statement or utility bill.

Any concerns about complying with an SAR need to be discussed promptly with the committee, for example if it is excessive or not factual.

Responsibilities

Frome Valley Art Winterbourne is the Data Controller under the Act and is legally responsible for complying with the Act, which means that it determines what purposes personal information held will be used for.

The committee will take into account legal requirements and ensure that the Act is properly implemented and will through appropriate management, strict application of criteria and controls:-

  1. Collect and use information fairly
  2. Specify the purposes for which information is used
  3. Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
  4. Ensure the quality of information used
  5. Ensure that the rights of people about whom information is held can be exercised under the Act

These include:-

  • The right to be informed that processing is undertaken
  • The right of access to one’s personal information
  • The right to prevent processing in certain circumstances and
  • The right to correct, rectify, block or erase information which is regarded as wrong information
  • Ensure that personal information is not transferred abroad without suitable safeguards
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • Set out clear procedures for responding to requests for information

All committee members and volunteers need to be aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018.

In case of any queries or questions in relation to this policy please contact the club secretary.

4. Procedures for Handling Data and Data Security

Frome Valley Art Winterbourne has a duty to ensure that appropriate technical and organisational measures are taken to prevent

  • Unauthorised or unlawful processing of personal data
  • Unauthorised disclosure of personal data
  • Accidental loss of personal data

Frome Valley Art Winterbourne will ensure that personal data is dealt with properly no matter how it is collected, recorded or used. This applies whether or not the information is held on paper, in a computer or recorded by some other means e.g. tablet or mobile phone.

Personal data relates to data of individuals who can be identified from that data and use of that data could cause an individual damage or distress. This does not mean that mentioning someone’s name in a document compromises personal data; however, combining various data elements such as a person’s name, address and ethnicity would be classed as personal data, and falls within the scope of the Data Protection Act. It is therefore important that all members of the club committee consider any information (which is not otherwise in the public domain) that can be used to identify an individual as personal data and observe the guidance given in the Privacy Notice and Consent Policy.

5. Operational Guidance

Email

All committee members should consider whether an email (both incoming and outgoing) will need to be kept as an official record. If the email needs to be retained it should be saved into the appropriate folder or printed and stored securely. This also applies to information about visiting artists. Emails that contain personal information no longer required for operational use should be deleted from the Frome Valley Art mailbox and any ‘deleted items’ mailbox.

Where someone who is not a committee member needs to be copied into an email, e.g. a wider circulation for an upcoming event, we encourage the use of bcc instead of cc so as to avoid personal data being shared through forwarding.

Phone Calls

Phone calls can lead to unauthorised use or disclosure of personal information and the following precautions should be taken:-

  • Personal information should not be given out over the telephone unless you have no doubts as to the caller’s identity and the information requested is innocuous.
  • If you have any doubts ask the caller to put their enquiry in writing.
  • If you receive a phone call asking for personal information to be checked or confirmed be aware that the call may come from someone impersonating someone with a right of access.

Laptops and Portable Devices

All laptops and portable devices that hold data containing personal information must be protected with a suitable password which is changed regularly.

Ensure your laptop is locked (password protected) when left unattended, even for short periods of time.

When travelling in a car, make sure the laptop is out of sight, preferably in the boot. If you have to leave your laptop in an unattended vehicle at any time, put it in the boot and ensure all doors are locked and an alarm is set.

Never leave laptops or portable devices in your vehicle overnight.

Do not leave laptops or portable devices unattended in restaurants or bars or any other venue.

When travelling on public transport, keep it with you at all times; do not leave it in luggage racks or on the floor beside you.

Data Security and Storage

Store as little personal data as possible relating to Frome Valley Art Winterbourne on your computer or laptop. This includes previously sent emails to members, which would still contain their personal data. To this end all emails to members should be sent from the Frome Valley Art mailbox to minimise the data security risk.

Passwords

Do not use passwords that are easy to guess. All your passwords should contain both upper and lower case letters and preferably contain some numbers or special characters. Ideally passwords should be 6 characters or less.

Protect your password. Common sense rules for passwords are:-

  • Do not give out your password
  • Do not write your password somewhere on your computer
  • Do not keep it written on something stored in your laptop case

When collecting personal information, Frome Valley Art Winterbourne will ensure that the Data Subject:-

  • Clearly understands why the information is needed and how it will be used
  • Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
  • As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
  • Is, as far as reasonably practicable, competent enough to give consent and has given so freely without duress

Data Storage

Personal data will be stored securely and will only be accessible to authorised users.

Information will be stored for only as long as is needed or required and will be disposed of appropriately. For financial records this will be up to 7 years. Archive material such as minutes and legal documents will be stored indefinitely. Other correspondence and emails will be disposed of when no longer required or when members retire from the committee.

All personal data held for Frome Valley Art Winterbourne must be non-recoverable from any computer which has been passed on/sold to a third party.

Data Subject Access Requests

Frome Valley Art Winterbourne may occasionally need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies which are not in furtherance of the management of the club. There are circumstances where the law allows Frome Valley Art Winterbourne to disclose data (including sensitive data) without the data subject’s consent.

These are:-

  1. Carrying out a legal duty or as authorised by the Secretary of State protecting vital interests of the Data Subject or other person e.g. child protection
  2. The Data Subject has already made the information public
  3. Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  4. Monitoring for equal opportunities purposes i.e. race, disability or religion

We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. We intend to ensure that personal information is treated lawfully and correctly.

Risk Management

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Committee members and associated artists should be aware that they can be personally liable if they use members’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of the club is not damaged through inappropriate or unauthorised access and sharing.

Review Date March 2025