When you join a committee, board of management, or any kind of committee group where you are gathering data and organizing activities, there will always be paperwork.
Depending on the organization that you are part of, there could be intake forms, registration forms, sign-up forms for classes, forms for yearly sports groups that you could be members of, etc. This is just a brief example of the kinds of forms we all have to fill out on a regular basis to join any group. All of these organisations require parents/guardians/carers to complete the required paperwork on behalf of the minors that they are taking care of. Depending on the activities that are being carried out, the information requested in these forms could include: name, e-mail address, mobile number, home address, parents' names, mobile numbers, medical information, allergies, other members of families, banking information, PPS number, etc. The list is endless, and sometimes a lot of it isn't relevant to the actual reason it is being collected, so always review your forms at the start of each season to make sure they are not excessive.
Whilst the vast majority of this information is relevant to joining and becoming a member of an organization, the people who are gathering this information have to understand the importance of the information they are gathering and also consider what would happen if that information was ever lost.
Things to Think About
If you are part of a committee, have a think about how the collected data is shared. Is it communicated via e-mail? Is it passed around in paper form? Is there an attendee list that people sign? Is there a mobile WhatsApp group that people sign up to, or use to let people know if they are attending an event? How do you as an organisation share data amongst yourselves? Are there any risks or weaknesses involved in sharing this information? What if a mobile was lost, or a car stolen with paper files in it? These are all situations you need to consider.
When these events are not taking place, where is that information stored? Whose responsibility is it to make sure that the information is stored in a secure environment? Is there a clearly defined role within your organization for the person who is in charge of any membership lists, registration lists, different group lists that may exist, and the list of all members in total?
Whilst storing information in paper form is not the preferred method for personal or sensitive data, we have to be realistic about the resources that a lot of organizations have. As long as the information is only shared on a need-to-know basis, is kept locked securely away, is only taken out and shared when necessary, and is maintained accurately and adequately for the role it has been collected for, then it is being properly monitored.
All organizations must review the information that they are storing in their records on a regular basis. Depending on how often your organization changes from year to year, or from group to group if it is based within the school system, is it relevant to keep all of the information that you require if a person is no longer within that group?
Rights to Access
Members have the right to access the information you are storing on them. If they are under the age of 18, then their parents can act on their behalf and lodge a Subject Access Request with you to find out what information you are storing on their child. They have the right to access all information that is being stored regarding their child, and it does not just have to be information that they have completed themselves. They have the right to access any information where their child's name is mentioned.
You must always be aware of the information you are storing and that is being communicated amongst yourselves. You must never share information in relation to another person that you would not be happy saying to that person's face. We all have the right to access the data that is being stored about us, and that includes any information that mentions us even though we may not be party to that conversation.
Consent can be withdrawn at any time. If a person no longer wants to be a member of a group or an organization, they have the right to withdraw their consent and you must stop processing their data. This means that they should be taken off any e-mail list that they are on, and they should also be removed from any groups or communication platforms that they have been added to. They should be taken out of any WhatsApp groups that they are included in, if they haven't left already, and the only information that should be kept in relation to them is any financial transactions that have taken place, as these are part of your accounting responsibilities within an organization.
Consent & Data Storage
As a rule of thumb under GDPR, I would recommend only storing the minimum amount of information that you are required to store in order to perform the agreement that the person committed to when joining that organization. Once that person has left the organization, you should delete all information that is related to them unless there are grounds for any legal issues or there are accounting reasons for you to keep their information.
If in doubt about any information you are storing in relation to any of the members, always raise this as an issue with the chairperson or the person in charge of that organization. I would suggest putting it in writing via e-mail to make sure that you are covering yourself in case any issues come up in relation to data being shared, stored or retained unlawfully.
Consent is always King and Queen in relation to the storing of data. Always remember: if it was your data and you had decided to leave an organization, would you want them to still be processing, storing and commenting on your information when you are no longer part of that organization?