General Data Protection Regulation (GDPR) and the AARG
Prepared and approved by the AARG Committee
This document explains our responsibilities with respect to GDPR, describes how we discharge them in a compliant manner, and informs you of your rights under the new legislation.
What is GDPR?
GDPR expands existing Data Protection Regulations and widens their scope. It requires that personal data on members (“data subjects”) must be:
• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does the AARG comply?
Under the legislation, AARG becomes the ‘Data Controller’ for the personal data it holds on current members, and past members. That data is held within a membership spreadsheet (referred to as the 'database') compiled and controlled by the AARG Secretary. Our policy for compliance with GDPR is as follows:
• The AARG has a legitimate reason to hold your personal data: The AARG holds personal data to allow it to service members in regard to subscriptions, event organisation and general communications. We retain ex-members’ personal data to allow us to re-engage with them to entice them to re-join. Personal data relating to all non-members will be addressed as defined in item (vi) below on or before 25th May 2018 when the new regulations come into force.
• The AARG holds your personal data securely: All of AARG’s membership and ex-membership data is on the AARG membership spreadsheet.
• The AARG uses your personal data responsibly: The AARG uses the personal data it holds solely for the purposes of administering the Club. The AARG does not disclose, share, sell or otherwise distribute personal data in its database, with the exception that Name and Callsign are included in the membership listing on the AARG public website. If a member wishes to have their name excluded from the membership listing on the AARG website, they should inform the AARG Secretary, who will then notify the AARG website webmaster. It should be noted that this information is available on other public amateur radio data sources, e.g. QRZ.COM, Callbooks etc.
• The AARG allows those whose data we keep to know what we keep and why: The AARG keeps the following personal data for entries on the database (note that not all entries have all of the following fields completed): Full name and title, salutation (on air name), primary callsign, other callsign(s), postal address, e-mail address, telephone number(s), information related to subscription.
• At present, some personal data we keep on members, with the exception of any notes added to a record by Administrators, has been obtained either directly from the member or from publicly available sources (e.g. callbooks, QRZ.com etc.). Under GDPR, we will be retaining this data as it is necessary for AARG and in the interests of the individual member.
• The AARG allows those whose personal data we keep to request some or all of it to be updated or deleted: Only the AARG Secretary can delete data from the database. If any person would like personal data removed from their database record, they should contact the AARG Secretary at email@example.com.
Members may access and update their own primary data by contacting the AARG secretary. This is also how any inaccuracies or changes in your personal data can be updated. AARG committee members who have access to any data are legally required to comply with all of the conditions of GDPR.
Whilst it is the right of any person to have their personal data deleted, removal of personal data that would result in AARG being unable to service a membership, or which created a significant ongoing load on any of our volunteers, may result in that person’s membership being suspended. Some AARG members have signed up to the AARG groups.io forum, which is a separate web-based 'members only' forum. AARG members can register if they so wish, setting their own passwords, which are not visible to any other users including the forum Administrator. A copy of the AARG GDPR will be posted on the forum and the same rules will apply. However, it should be noted that members have total control of their personal data and can remove themselves from the forum at any time.
• The AARG does not retain personal data for longer than is necessary for the reasons it was held in the first place: This is not something we have considered before but now need to. The AARG Committee believes the following periods to be reasonable to allow it to function in a responsive manner:
• Members: All data to be retained for the period of their membership.
• Ex-Members: All data to be retained for seven years after cessation of membership.
• The AARG has a nominated Data Protection Officer: The Data Protection Officer will be the AARG Secretary, who may be contacted at firstname.lastname@example.org.
• The Data Protection Officer will be responsible for informing the Information Commissioner's Office within 72 hours if there is a suspected breach of security affecting personal data.
What needs to be done by 25th May 2018?
The action on the AARG Secretary is to delete personal data on ex-members where that data is aged by the amounts shown in (vi) above. This will be completed before the deadline.
What do members & ex-members need to do?
If you are content for AARG to hold the personal data we do, then nothing. If you would like to see any data we hold on you, or require any of that data to be updated or deleted, then please contact email@example.com.