The GDPR tests are approval to hold data, legitimate interest/use, and security of storage.
For organisations, having a GDPR policy in place will also help to show that GDPR is being handled in a consistent way. This is why a Principality-wide draft policy has been developed.
Security of Data
The security of data storage test is fairly straightforward. By placing data on 3rd party applications like Google Docs that require a login and password, you eliminate the risk of data being on your own PC or laptop, so data security is easier (as long as passwords are held securely, etc.).
Approval to hold data
Approval is a little trickier. Approval consent does not last forever. The advice received indicates a 2-year window. For instance, the chronicler has sent out one email requesting everyone who gets Baelfyr to confirm they are happy to continue receiving it.
Positive statements will need to go on all forms and attendance sheets indicating that data will be held for legitimate purposes such as insurance records etc. and that short-term data will be deleted after use (say at the end of an event when no longer needed).
Legitimate purpose is reasonably straightforward: allow the business of the society to progress as per normal. The Marshallate need marshal files, event stewards need booking sheets, etc. The examples are numerous.
Retention of Data
Data will only be held as long as there is a legitimate purpose in doing so, and data will be regularly reviewed by relevant officers to ensure that no data is held longer than necessary.
Deletion of Data
Data will be securely deleted on reputable 3rd party applications. Hardcopy data will be securely disposed of by shredding or burning.
BODY OF POLICY
[GROUP NAME HERE] is committed to looking after data properly. We recognise that all information collected, processed and stored in order to carry out our activities must be handled fairly, lawfully and securely and properly disposed of when no longer necessary.
Data Storage and Access
All information is held securely in electronic format in group-controlled accounts hosted by third-party data providers (eg. Google Docs) and is only to be accessed, used or shared appropriately by people with legitimate interest, such as shire officers and event team members.
The group holds some information for the proper, legal and safe governance and organisation of the legitimate interests and obligations of the group. This includes, but is not limited to: accounts, correspondence, accident reports, safeguarding information and information about venue bookings.
For all events, including single-day events and practices, a list of names of those attending will be collected via an attendance sheet, to be retained in electronic form by the relevant Group Seneschal for no more than seven years*, after which it will be securely deleted. This information is held for insurance purposes. When a shire hosts Principality or Kingdom events within Insulae Draconis, this data will be shared with and stored by the Principality Seneschal for the same period.
In order to attend or register for an event with advance registration, participants are asked to provide some details, which will vary by event but are likely to include:
- Your name and SCA name – so we know who is coming
- Contact details, usually phone numbers and email addresses – so we can provide further information about the event, including notifying you of any changes.
- Whether you are a member of the SCA or an affiliate body of the SCA - in order for us to comply with society reporting of attendance
- Any food allergies or other special dietary needs – for events where food is prepared
- Any other information you provide to the event team eg. physical limitations on bunk bed use
We will ask for your explicit consent to hold and use event registration data for the purposes of organising and running the event.
Full information on event attendees is available to the core event team only (usually event steward, deputy event steward, head cook and registration steward). Some information, excluding contact information, may also be made available to other event team members (such as kitchen helpers, volunteers at the registration desk, heralds) where necessary.
Information regarding payments via bank transfer or IBAN is collected and processed by the bank. Only people with a legitimate interest, normally Shire Exchequer and/or a registration steward, have access to information provided on the bank statement about payments.
SCA names may be publicly displayed online showing who is expected to attend. Registration information, other than the attendance sheet, will be securely deleted no later than six months after the event.
Photography and Media Consent
If you agree to images, recordings or other media which you made or in which you appear being used by the group (eg. on the website, on leaflets) we will keep a record of your consent.
By requesting to join SCA UK CIC, consent is given for membership details to be retained in a 3rd party data application with appropriate login security and policies (already in place). Permission is also given for the Principality Newsletter (The Baelfyr) to be distributed to members' email addresses unless otherwise indicated at time of joining. Member details will only be accessed by appropriate individuals with legitimate purposes (i.e. the Membership Secretary and the Principality Seneschal, to be able to run polls for example).
If the shire operates an email-based mailing list for group communications, any list of email addresses, user names and passwords will be held securely by the mailing list administrator. You may request un-subscription at any time. Information on membership of social media groups and mailing groups used for communication, eg. Facebook, Yahoo!, is held by the provider, not the group.
From time to time contact information may be collected (eg. at demos) in order to send out information about the group’s activities. This information will be collected via a form seeking consent to receive email about the group and upcoming shire events. One email will be sent, providing links to the relevant group’s website and social media presences and asking the recipient to confirm consent to use that email address for any further contact.
Sharing Information with Third Parties
Information may be shared with appropriate people within the Shire, SCA Principality, Kingdom and Society structures where proper and necessary to the legitimate interests of the group.
We do not pass personal data to third parties outside the SCA, other than for cloud storage or if legally required to do so.
If event management or ticketing systems are used in order to collect event information we will only use reputable providers with appropriate data protection policies.
Updating or deleting your details
Please contact the event registration steward if you need to update any details in the run up to an event.
Please contact the relevant seneschal in order to request deletion of any of your details or request a copy of the data we currently hold on you, by emailing: GROUP SENESCHAL EMAIL HERE
*time period to be adjusted on receipt of correct retention information from insurers