The Data Protection Act 1998 contains important requirements about the way in which personal data (i.e. information about living people) must be handled and subjects’ rights to inspect and challenge the data. The previous Data Protection Act just covered electronically-held data: the current Act extends this to paper-held records as well (and has new restrictions on transferring data abroad). Each club and society registered with the Proctors is responsible for the handling of its own data. You will therefore need to think about the kinds of personal information held about the club’s members (and perhaps others who are on mailing-lists but who are not official members) and how this information is used. For example, if you photocopy your handwritten membership register and give out members’ name-and-address details to external sponsors, or even to other clubs when you are arranging joint events, you may be breaking the law.
The key features of the current Data Protection Act are:
- personal data must not be held without consent or unless absolutely necessary to fulfil a contract with the subject or to meet legal requirements, and then must be processed fairly and lawfully: so it is OK for you to keep members’ names on a written or electronic register and use this for the purposes of administering the club (collecting subscriptions, sending out termcards, organising elections, keeping a record of who is eligible to drive minibuses under the Minibus Hire Scheme, etc) provided individual members agree to this;
- personal data must be obtained for one or more lawful purposes and must not be further processed in any manner incompatible with the purpose(s); so it is not OK for you to use the membership register to generate mailing-lists for use by external parties (e.g. sponsors, other clubs) unless individual members specifically agree to this;
- personal data must be adequate and not excessive for the purpose(s) for which they are processed; so if you are asking members to provide details of home addresses, their subject and year of study, etc you need to consider whether such data are necessary for the purposes of the club’s activities;
- personal data must be accurate and where necessary kept up to date;
- personal data must not be kept for longer than necessary for the purpose(s) originally collected; so you need to be careful about retaining details of members who have left the University – the club might want them for its historical records, but must not use such information as the basis of mailshots (e.g. for fund-raising) unless the subjects consented to that when the data were originally collected;
- personal data must be processed in accordance with subjects’ rights under the Act: these include the subject’s right to inspect the data held about him or her (but not data about other people); to prevent the processing of data; to correct, block or erase data; to sue for damage caused; you need to bear in mind that the club collectively, or individual officers, could be prosecuted for breaches of the Act;
- appropriate technical and organisational measures must be taken to prevent unauthorised/unlawful processing of personal data and against accidental loss, destruction, damage; so if the club is holding its data on computer, you need to be careful about who is able to access and process the data; even if your records are paper-based, they must be kept secure;
- personal data must not be transferred, without the subject’s consent, outside the European Economic Area unless the country concerned ensures an adequate level of protection for the rights and freedoms of data subjects; this needs to be borne in mind by clubs with an international focus or whose officers may be taking club records out of the UK (e.g. on a laptop computer) when returning home during the vacation.
The University data protection information and the Information Commissioner’s Office (ICO) provide useful information and tips for complying with data protection regulations. Their 'introduction to data protection', 'top tips for beginners' and 'getting started with data protection' pages are useful starting points. You can also access the Oxford SU's Data Handling Training by logging in to the SU website with your SSO.
When people become club members, or renew their subscriptions, it is important to make clear to them what personal data will be held and what use the club wants to make of this. But please bear in mind that data-subjects can withdraw their consent for particular uses at any time; and the club will need to keep under review what personal data are held; where and how securely held; and what the data are being used for.
It is particularly important NOT to use a club’s electronic membership or mailing-list to circulate information from third parties (e.g. companies advertising trips abroad targeted at students) unless the officer controlling the mailing-list is absolutely sure that the information is directly relevant to recipients and that those in the list have expressed an interest in receiving that kind of information. Under no circumstances should the club’s membership register or mailing-list be given to third parties. Otherwise, the club will potentially be in breach of the Data Protection Act and, where unsolicited material is distributed over the University’s IT network, in breach of the IT User Regulations that prohibit ‘spamming’.
The club should carefully control the procedures under which individual members may use its mailing-list to contact all other members. Messages must not be sent in a form which enables a recipient to ‘capture’ the whole list of addressees.
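The requirement in the last paragraph (no message may let a recipient capture the whole list of addressees) is most often breached by putting every member in the To: or Cc: header. The following is an added example, not part of the original guidance or any University-provided tool, showing the safe form using only Python's standard email library: members go in Bcc, the visible To: carries only the club's own list address, and a small check flags the leaky form. The addresses and the list name are constructed for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (hypothetical addresses, not a real club list)
LIST_ADDRESS = "club-members@example.org"
MEMBERS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_circular(sender, list_address, subject, body, members):
    """Build a circular to the membership in a form that does not expose the
    full list of addressees to any recipient: members go in Bcc, and the
    visible To: header carries only the club's own list address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_address
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(members)
    msg.set_content(body)
    return msg


def build_leaky_circular(sender, subject, body, members):
    """The form the guidance prohibits: every member is visible in To:,
    so any recipient can capture the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Addresses the mail server should actually deliver to (To, Cc and Bcc).
    smtplib.SMTP.send_message derives the same set; it is recomputed here so
    the message can be inspected offline."""
    headers = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def wire_copy(msg):
    """The message text a recipient would receive: the same headers minus Bcc.
    send_message strips Bcc itself before transmitting; done explicitly here
    so the delivered copy can be checked without a mail server."""
    out = copy.deepcopy(msg)
    del out["Bcc"]  # no-op if the header is absent
    return out.as_string()


def visible_addressees(msg):
    """Addresses any recipient can read from the delivered message (To and Cc)."""
    headers = [v for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def leaks_member_list(msg, members):
    """True if the delivered copy would let a recipient capture other members'
    addresses, i.e. if any member address appears in To or Cc."""
    return bool(set(visible_addressees(msg)) & set(members))


if __name__ == "__main__":
    good = build_circular("secretary@example.org", LIST_ADDRESS,
                          "Termcard", "Hilary term events attached.", MEMBERS)
    print(wire_copy(good))
    print("safe circular leaks members:", leaks_member_list(good, MEMBERS))
    bad = build_leaky_circular("secretary@example.org", "Termcard",
                               "Hilary term events attached.", MEMBERS)
    print("leaky circular leaks members:", leaks_member_list(bad, MEMBERS))
```

To send the safe form, pass the message object to `smtplib.SMTP.send_message`, which uses the Bcc header to address the envelope and removes it from the transmitted copy; if an officer instead renders the message with `as_string()` and sends that text themselves, the Bcc line must be stripped first, as `wire_copy` does. Running `leaks_member_list` over a draft before it goes out is a cheap way to enforce the rule in the last paragraph for scripted mailings.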