Data Protection Policy

Table Of Contents
  1. Introduction
  2. Data Controller
  3. Data held by The Association
  4. What data is used for?
  5. What data is not used for?
  6. Who has access to the data?
  7. How long is Personal Data kept?
  8. How data is protected
  9. Data Breach
  10. The rights of members
  11. Complaints
  12. Responsibility for implementing this policy
  13. Data Protection Notice

Introduction

Leapool Allotment Association (“The Association”) respects the privacy of members and is committed to protecting their personal data.  The Association is subject to the principles of the General Data Protection Regulations (GDPR) and the Data Protection Act (2018) and will treat in accordance with the law any personal information provided by members.  This policy explains how this is achieved in relation to the personal data provided by members on the membership application form.

Data Controller

The Association is the Data Controller for any personal data provided by members.  The database is maintained electronically by the Association Secretary or Treasurer as decided by the Committee.

Data held by The Association

Only data that is necessary for the Association’s activities is kept. The basis under which personal data is used is that it is necessary for the performance of a contract between members and The Association for the provision of an allotment tenancy.  The data held is:

  • Name and postal address
  • Telephone numbers – mobile and landline, as applicable
  • Email address if applicable
  • Plot number

In certain circumstances, additional information may be required, such as relating to a member’s health, in order that reasonable adjustments can be made to enable them to access the allotments.  This information is one of the Special Categories of Personal Data under Article 9 of the GDPR.  Such information will only be used by The Association with the explicit consent of a member, and consent can be withdrawn at any time at the request of the member concerned.  Should consent be withdrawn, however, it may result in The Association being unable to process a request for reasonable adjustments to be made.

What data is used for?

Personal data is used to provide members with an allotment tenancy and to contact them regarding any matters arising from that tenancy.  Personal data will also be used for any legitimate activities of The Association including communicating between Committee members and other members as part of the daily running of The Association, notification of Association meetings, circulating minutes of meetings, the provision of seed catalogues and Trading Post information.  Data will also be shared with third parties where necessary.  This includes the National Allotment Society, insurance providers and seed and potato suppliers, as well as any other third party deemed essential by the Committee for the smooth running of the Association.

What data is not used for?

Personal data is not disclosed to other members of the Association or to third parties without a valid, legitimate reason in line with the law.  Personal data will not be sold, assigned, disclosed or rented to any other external organisation or individual unless required to do so by law.

Who has access to the data?

Access to personal data is restricted.  It will only be accessed by members who need to access it as part of the daily running of the Association.  Committee members including Chair, Treasurer, Secretary and Website manager will be able to access the full database.  Other members, such as the Trading Post manager will have access to a limited database showing name and plot numbers of members only. 

How long is Personal Data kept?

Personal data is not kept longer than is necessary.  Your data can be held for six years after your tenancy expires (section 5 Limitation Act, 1980) after which time it will be deleted from our records.

How data is protected

LAA is committed to ensuring that the personal data of members is secure.  To prevent unauthorised access or disclosure, appropriate procedures are in place to safeguard and secure this information.

Email addresses used by LAA to contact members are protected by a secure password.  Any emails circulated to all members are sent “blind” using Bcc so email addresses are not visible to other members.  

Computers used to secure personal data are password protected, and access is limited strictly to those individuals authorised by the Association.  Mobile devices, such as phones or tablets, used to access personal data are similarly password or PIN protected.  Access to personal data stored on the Cloud is strictly limited, permission being granted only by the elected Officers of the Association.

Data Breach

In the unlikely event that it is suspected that the personal data or any device holding it is lost or compromised, the Association Secretary will be notified.  The Chair and Secretary will then assess the situation and decide whether the breach needs reporting to the Information Commissioners Office (ICO) which, if necessary, will be done within 72 hours of the breach being discovered.

The rights of members

The Association will endeavour to maintain accurate records, but is reliant on members to keep this up to date.  Changes of address, telephone number or email address should be notified to the Secretary without delay.

Members may, at any time, request a copy of data held by the Association.  To do this, please contact the Association Secretary in person or by email at [email protected].

Subject to some legal exceptions, members also have the right to have personal data erased, place a restriction on processing of data, object to processing and request that data be ported (data portability).  For more information on such rights visit www.ico.org.uk.

Complaints

Any member who is dissatisfied with the way their data is being used by the Association should contact the Secretary in the first instance so that concerns can be addressed.  If the situation is not resolved satisfactorily, members have the right to send a complaint to the UK’s supervisory authority for data protection, the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF, telephone 0303 1231113 or 01625 545 745, website www.ico.org.uk

Responsibility for implementing this policy

It is the responsibility of every member of the Association with access to personal data to ensure that they comply with data protection laws and do not use personal data outside the boundaries of this policy.  A nominated member of the Committee is responsible for ensuring that this policy is implemented.  The current nominee is Marie Hanley, Secretary, plot 41.

Data Protection Notice

The Leapool Allotment Association holds the following data about each of its members:

  1. Name
  2. Postal address
  3. Contact details (as applicable): landline phone number, mobile phone number, email address
  4. Plot number
  • This data is physically and electronically securely stored by the Association Secretary and available only to serving Leapool Allotment Association officers and to those committee members nominated by the Committee (e.g. web developer). Limited data is also shared with members as appropriate, for example the Trading Post manager will keep a record of members’ names and plot numbers.
  • Each member is entitled to see his or her own entry.
  • The Association uses this information to contact members to inform them of its activities over the year, including administration of rents and notifications of general meetings.
  • The Association does have dealings with third parties that require basic personal information (name. address, preferred form of contact) to be passed to them. They are insurers, seed supplier and the National Allotment Society.
  • Personal data will not be passed on to any other third party without prior permission of members.
  • The data will normally be deleted as and when a person leaves the Leapool Allotment Association but may be kept for up to six years in accordance with the law.

On 25th May 2018, the General Data Protection Regulation (GDPR) came into force. It is a Europe-wide regulation. One specific requirement is that members of all organisations need to be made aware of the information held about them and the uses to which that data is put, and must be asked to indicate that they agree to contract in to that GDPR requirement.   Consequently, every year, Leapool Allotment rent invoice forms ask members to sign to say they agree to their data being held and used in accordance with the GDPR legislation as described above.  New members are asked to sign the same form at the start of their tenancy.

Under the NAS Allotmenteers Liability Insurance, by signing to agree that the Association can hold and use personal data as described above, members are opting into this scheme with consent.  This enables the Secretary to forward the relevant information to the NAS. 

Adapted from a sample data protection notice provided by the NAS.