The General Data Protection Regulation (GDPR) came into force in 2018. The Society’s Data Protection Policy defines how WPEHS will comply with the GDPR, and in particular what data is retained and processed by WPEHS, and for what purposes.
This page is a short summary, but please follow this link to read the full Data Protection Policy:
WPEHS GDPR Data Protection Policy version 5
WPEHS holds three types of data: Membership data, Event and Activity data, and Enquiry data.
The lawful basis for all this information being held and processed is “legitimate interests”, i.e. to carry out Society activities, WPEHS “use people’s data in ways they would reasonably expect and which have a minimal privacy impact”.
WPEHS does not retain or process information that would require explicit consent under the GDPR. There is a common misapprehension that explicit consent is required for everything, but in fact explicit consent is only one of a range of options under GDPR.
Data is shared on a “need to know” basis – full membership data is only held by the Membership Secretary. Relevant data is shared with committee members organising events and dealing with enquiries.
The only formal register of membership information is held by the Membership Secretary in a password protected environment and retained for a maximum period of four years.
If other members require the information for legitimate purposes, e.g. to manage an event on behalf of WPEHS, it will be provided by the Membership Secretary to the individual by email in a password protected file, and the recipient must save the information to a password protected environment.
Once the reason for having the data has expired it must be deleted – it must not be retained for any purposes.
How the information held is communicated to members
Members are made aware of the types of information that WPEHS hold through this privacy notice on the website, in the magazine and in membership communications.
Subject access requests – reviewing, updating and deleting information
Members are asked to contact the Membership Secretary if they wish to review, update or delete their membership information, or to contact the responsible committee member direct regarding events, activities or enquiries information. On receipt of a member’s request the Membership Secretary or other relevant committee member will provide a copy of the relevant data electronically and in a commonly used format.
Data protection responsibility
Data protection responsibility rests with the Membership Secretary on behalf of the committee.
It is the responsibility of the Committee members (and nominated volunteers dealing with enquiries) to ensure the security of membership, event and enquiry information they hold by maintaining up-to-date virus protection and firewall, and by ensuring the physical security of any devices they hold this information on.
If any person has reason to suspect a data breach they should notify the Membership Secretary or the Chairman, who will arrange for investigation and appropriate action.
The full Data Protection Policy was adopted in July 2018.