General GDPR Advice and Key Changes
Note: The below should be read in conjunction with the formal Insulae Draconis Principality GDPR policy
Electronic 3rd Party Record Keeping
It is advised that all files should be stored with an online provider and no SCA files (unless personal which is then an individual’s choice) should be kept on personal computers. Google docs etc and other similar functionality is available for this.
Long Term Retention of Attendance Data for Insurance Purposes
One key change in process will be retention of some data, particularly attendance sheets at practices and events for insurance purposes. We need someone at group level to hold that information for an extended period of time (across years). These records will be electronic. (Easiest way is to take a legible picture of the attendance sheet at the end of the practice or event on a smartphone). The person running the practice or event can then forward the image to the group seneschal who then will store it in an online folder as per above.
General Retention of Data
All officers at all levels are encouraged to go through their files and determine what is necessary information with a legitimate purpose to be retained. All unnecessary information should either be deleted or if in paper form securely disposed of.
What comprises necessary information for legitimate purposes will vary from office to office.
The marshallate for example will have a legitimate need to retain records of authorised combatants, and authorised marshals, and relevant incident records for example.
Heralds for example will need records of device and name submissions. The device and SCA name submission may not be sensitive data in itself but because linked to a mundane name in the submission process will become so. Group Marshalls and Heralds at shire level will have need to share information up to principality and maybe Kingdom level and vice-versa.
There will be a need for some data to be created and operated on a short-term basis, particularly documentation needed for events, bookings, dietary information, whether a person has paid etc.
This data should be restricted to people directly connected with running the event and then at the completion of the event, deleted (attendance data being the exception as per above)
Not all data should be considered as sensitive and requiring deletion. A lot of purely SCA data will not be considered as sensitive
For example, The Order of Precedence which shows peoples SCA names and their awards is up on relevant society websites, This information displays SCA names and awards attached to those names, but does not link to mundane names or other real world information. It is necessary so people can check who has got what award, a good idea before recommending someone to Royalty for their 3rd Award of Arms for example...smile. However, it is not real world sensitive information as such.