The BFS Committee met to agree how to implement the requirements of the new Data Protection laws coming into force on 25th May 2018. We investigated and discussed what we needed to do to comply with the law and ensure that we continue to serve our members’ needs. Our discussion was based on the detailed guidance available from the Information Commissioner’s Office. This guidance can be accessed here.
What personal information do we hold about our members?
We hold the following contact details for our current members: name; email address; postal address; telephone number(s).
For former members, we will retain this information for 15 months after they have left the society. This is to enable us to update their membership records easily, should they decide to re-join during this time.
For members who do not renew during this time, we will now retain only their membership numbers, names and postcodes. We will retain these to enable us to reallocate them their original numbers, should they decide to re-join. The postcodes should ensure that we do not confuse a new member with a former member of the same name. To enhance security, we will no longer retain any other contact details.
Where did this information come from?
This contact information sometimes comes from members directly (e.g. from emails to the society, or from completing the paper membership application form in our programme brochure). More and more frequently, it now comes via our third-party providers: from Gocardless (for members who pay by Direct Debit) or from Ticketsource (for members who join electronically, but not by Direct Debit). Members supply their contact details to one of these two providers when they join the society. We have checked the Privacy Policies of both these organisations to ensure that they are UK compliant. Members can also do this for themselves, if they wish, as we are not able to take responsibility for them.
With whom do we share our information?
- From Gocardless, committee members with access to this provider can access the contact details members have supplied on joining, and the amounts they have paid. All payments are via the Gocardless secure system, and BFS has no access to anyone’s bank details.
- From Ticketsource, committee members with access can see members’ contact details, and records of their bookings. Like Gocardless, the Ticketsource electronic payment system is secure, and BFS has no access to any bank details. If a member joins by Direct Debit, cash or cheque, we import their contact details to Ticketsource, to enable them to select their seats for screenings and pay electronically.
- We also add member names and email addresses to Mailchimp, the provider we use to send group emails, such as notifications of upcoming screenings, links to screening notes and booking information. Members can unsubscribe at any time. Because NFTS kindly allows us free use of their cinema and café areas for all our screenings, we also forward student requests, such as for filming locations or film extras, to help students in their studies. We never give contact details of our members to the NFTS. Instead, we leave it to members to make contact themselves, should they wish to do so.
- We use ‘Webmail 1 and 1’ to communicate with individual members, such as to send them a welcome email, thank them for renewing via Direct Debit, remind them to renew, or to answer their queries. In the past, committee members have sometimes used their own personal email addresses to communicate with members, but we are now moving towards using only the society (webmail) account. This is to ensure that members are protected from any lack of security in committee members’ personal email accounts.
How can members find out what information we hold on them?
We will provide this on request. As the regulations include the right to see any email still held, we will delete all Webmail emails as soon as the issue they address has been resolved. This will normally be done on the same day as the society replies, and otherwise normally never more than a week later.
What is the lawful basis for the society’s processing of member information?
This is something which the data protection legislation obliges us to define. We have decided that we process member information on the basis of “legitimate interest”. This means that we do what a member would reasonably expect. In our case, this means that if you become a member of an organisation, you can reasonably expect to receive emails about the activities of that organisation. The guidance also explains that it is perfectly acceptable to continue to communicate with individuals in the way they have accepted and grown to expect. (The guidance calls this “soft opt-in”.) Each email message from us gives recipients the opportunity to unsubscribe if they wish.
We will not send information about NFTS charity screenings, as such “non-commercial marketing” is specifically excluded from “legitimate interest”. We may provide links to such events on our website, all of which is public, as this does not involve any data processing.
What about children’s data?
The regulations require additional safeguards for any processing of the data relating to minors. These include age verification and parental consent.
To avoid this complication, this is what we have decided to do:
- The society is only open to members over the age of 16. Parents are able to bring children under 16 to screenings, as student guests, as long as they are above the age of the relevant film certificate. (From September 2018, our brochure will show certificate ratings for each film, where available.)
- Young people between the ages of 16 and 18 are able to join the society (normally, as student members), but we will only use their parents’ contact details to keep in touch with them.
What will we do if we detect a possible breach of data security?
All committee members will remain vigilant and report any possible data breaches to the current Chairperson, who will investigate and report in accordance with the regulations. If any member detects a possible breach, they should email the society, and this will be passed to the Chairperson for action.
What will we do to keep all our data safe?
Our policy is that all committee members will password protect any devices they use to process data, and ensure that the settings prompt re-entering the password before each use. We will not store data on memory sticks or other insecure devices.
- Where committee members use their own devices to process information (such as an Excel spreadsheet to rearrange the columns in Ticketsource or Gocardless downloads, so that they fit the columns in our G Drive membership list), such documents will be deleted as soon as the information has been reformatted and uploaded.
- Any paper records containing personal data will be shredded after use.
- Additionally, Committee members only have access to the data they need, in order for them to fulfil their current roles.
- We will change passwords each year, and at the same time review who needs access to which systems.
Who is overseeing data protection in the BFS?
This responsibility will be delegated by the Chairperson to one member of the committee. Any enquiries should be submitted via the society’s email (from the link on the website) and will be passed to the relevant person.