Membership details database & Data Protection Act


David Walker
10-10-2003, 17:52
Hi

I've recently taken over responsibility for organising communications at a University BSAC club, and planned to keep our members' details on a database which is accessible through a secure website - the committee can access all members' details, the members themselves can access only their own.

We have all this set up and working now, but in a conversation with the IT staff at the University they told me that we weren't allowed to keep any records about our members at all - not even a paper list of everyone's name and e-mail address apparently. They say it is because they have to know where all information about the public (ie our members) is stored, and they need to be able to access or delete it if requested. Now, because we are also a sports club at the University as well as a BSAC club, I'm not sure what rules we follow exactly. They don't have the sorts of details we need about our members - there's little point in a University knowing how many dives each student has done is there!?!

The person I was talking to said he'd just pretend not to have heard what I said, but advised us (the club) to think about how we do keep records - apparently if we want to we have to register every field we keep with a description of why we need to keep that information.

Does anyone know the official position on this? If the University are right and we aren't allowed to store any information without registering that fact, how do other clubs do it, and how does BSAC recommend we do it? I really don't want to have to move all the data back to paper records, and according to the University we couldn't even do that!

If anyone does have any ideas I'd appreciate the advice. Would a simple opt-out policy do, whereby if someone really objects we won't put their details on there, or just get them to agree to the storage of their details when they join up? Being the start of our University term now we have a lot of new members joining, so I really would like to get this sorted one way or the other - if we do it all one way, and then find out we have to do it another, I'll be very upset! :o(

Thanks

David Walker
Treasurer / Communications, University of Warwick Sub Aqua Club

Mike Halligan
10-10-2003, 18:34
David,

You may be helped by the last debate of this subject, though there are more if you search further back through this forum.

HTH

Mike

Philip Smith
10-10-2003, 19:01
David,

I think your IT contact is going over the top, or at least applying the data protection requirements of the university to your club.

There is definitive information at:
http://www.dataprotection.gov.uk/
http://www.dpr.gov.uk/downloads/selfassess.pdf

Members' clubs do not need to notify the Data Protection Commission of use of personal data solely for the administration of the club, but they need to follow the Data Protection Principles. It simplifies things to have written consent from members to process personal data about them.

Philip Smith

David Walker
10-10-2003, 19:56
> David,
>
> You may be helped by the last debate of this subject, though there are more if you search further back through this forum.
>
> HTH
>
> Mike

Hi
I did read that thread before I posted, but it was addressing what was a slightly different issue, that is sending details around to all members. I did get the idea for just having an agreement or statement saying they agree to us using their information in that way from that thread, but wasn't sure whether the same sort of thing applied in these circumstances as there.

David

Keith Lawrence(BSAC)
10-10-2003, 20:06
Hi David

Can I ask you to contact Edward Haynes (edward.haynes@bsac.com) and/or Wendy Davies (wendyd@bsac.com). Edward advises the IT Team on DPA matters, Wendy administers our DPA registration and compliance documentation at HQ; either or both should be able to tell you exactly where you stand as a voluntary club within the BSAC. I believe that the DPA contains an exemption for small voluntary clubs and organisations; we are certainly not exempt as a whole and the BSAC itself is fully registered under the DPA and to the very best of my knowledge complies fully with the act.

The university itself cannot dictate to its students or its staff what data is held by external organisations, that is up to the individual concerned. I doubt very much whether they could put any ban at all on paper records administered by you unless you asked them to administer the records on your behalf. However, if you intend to use one of their computers to hold the data then they may well be able to have a say. There may be something that we could do to help you if we can get the compliance officers talking to each other.

Did you actually speak to your DPA compliance officer or somebody who THOUGHT that they knew what they were talking about? An awful lot of barrack room lawyer rot is talked about IT security and the DPA by people who quite frankly haven't got a clue. The bit about registering every field is complete rubbish for instance, under the DPA you register class of data, usage categories and geographical relevance - not individual data items. If you've got some jobsworth of a compliance officer who interprets things in that way then I'd be tempted to send him the database schema with all of the field descriptions in that :-)

Regards

Keith Lawrence
BSAC IT Team Leader

David Walker
10-10-2003, 22:08
Thanks for your reply Keith - I'll contact one of those people over the weekend sometime.
The person I was talking to was the IT Manager for the Student's Union, who essentially control the club - they give us a budget every year, members have to join us via the Union, and the Union provide us with e-mail, webspace, work areas, storage, etc. It was only mentioned in passing, I wasn't called down to see them specifically about Data Protection. I happened to mention that we had this database, and at that point he told me about the restrictions and that we were breaking the DPA.
I don't see it as a big issue, since he said that he was just letting me know of the situation, but if there ever was a problem and someone complained we could get into all sorts of trouble. Essentially, it was one of those "you're not allowed to, but I will pretend I never heard anything" type conversations. I just thought I'd get a bit of advice about what other clubs do, and whether this is really an issue I should consider, and potentially change the way we do things, or whether it's something every club just ignores and hopes there's never a problem.
As I say, I will get in contact with one of those two people you suggest over the weekend at some point, and then see what they suggest, as well as anything else anyone can offer on this forum.
Thanks for your help
David

edward haynes
11-10-2003, 11:22
David

Your post has raised some interesting points, which may affect all Uni clubs across all sport and hobby activities. In preparation for the full implementation of the Freedom of Information Act 2000 (FOI) in January 2005 all Public Bodies (which includes most Universities) are reviewing how they store, communicate and use information. This area is going to become full of 'experts' (with their own agenda); unfortunately, like the Data Protection Act 1998 (DP), until there are some prosecutions we won't know how the Courts are going to act. However, the damage to the reputation of a Uni by just being taken to Court could be considerable.

I have placed some comments that are my personal opinion, within your text.

> I've recently taken over responsibility for organising communications at a University BSAC club, and planned to keep our members' details on a database which is accessible through a secure website - the committee can access all members' details, the members themselves can access only their own.

A question: from your Branch Bye-Laws, "is your branch a 'special' or 'ordinary' BSAC Branch?"

If special then you are linked to the Uni and they can specify how you handle information including personal data. I agree with Keith what you've been told sounds over the top for the DP, but not for the FOI, if it applies? (I now need to go and have a read.) Your Uni has quite a comprehensive DP Notification and if the Uni supports the diving club (as a special branch) then (most likely) you will have to comply with that Notification.

If you're an ordinary Branch then it's just the DP we need to deal with.

> We have all this set up and working now, but in a conversation with the IT staff at the University they told me that we weren't allowed to keep any records about our members at all - not even a paper list of everyone's name and e-mail address apparently. They say it is because they have to know where all information about the public (ie our members) is stored, and they need to be able to access or delete it if requested. Now, because we are also a sports club at the University as well as a BSAC club, I'm not sure what rules we follow exactly. They don't have the sorts of details we need about our members - there's little point in a University knowing how many dives each student has done is there!?!

It is most likely your Uni is a Public Body (FOI, Schedule 1, Part 4 - http://www.legislation.hmso.gov.uk/acts/acts2000/00036--s.htm) and the FOI will apply. So yes they do need to know where ALL information is located and used. For information read: letters, e-mails, minutes of meetings and anything else that contains data - not just personal data. As a special branch that includes you and unfortunately the number of dives could come into it, if a member of the Public were to ask such a question.

As an example of the problem of information control; Under the FOI a record needs to be maintained of, say, each copy of the Branch Committee Minutes, including ones that have been destroyed.

> The person I was talking to said he'd just pretend not to have heard what I said, but advised us (the club) to think about how we do keep records - apparently if we want to we have to register every field we keep with a description of why we need to keep that information.

Sounds like he's referring to the FOI not the DP. As an ordinary BSAC Branch not affiliated to the Uni you need to notify all members of the purpose(s) you're going to use their personal data for (mandatory). This can be done by placing a Notification on the Information Commissioner's 'Notification' register, but not mandatory for a club. For sensitive personal data you require their consent (best way of proving that is to have a signature).

> Does anyone know the official position on this? If the University are right and we aren't allowed to store any information without registering that fact, how do other clubs do it, and how does BSAC recommend we do it? I really don't want to have to move all the data back to paper records, and according to the University we couldn't even do that!

The DP and the FOI both cover paper records.

> If anyone does have any ideas I'd appreciate the advice. Would a simple opt-out policy do, whereby if someone really objects we won't put their details on there, or just get them to agree to the storage of their details when they join up? Being the start of our University term now we have a lot of new members joining, so I really would like to get this sorted one way or the other - if we do it all one way, and then find out we have to do it another, I'll be very upset! :o(

Unfortunately even one person opting out will make your records near useless. Think carefully about what use (purpose) the Branch is going to make of personal data and then make acceptance a condition of membership. After all the Committee of each Branch must approve each member on entry and renewal, providing it's not been removed from the Bye-Laws.
If the branch is a special then the Uni may have specified additional conditions which apply, including compulsory membership if medically fit.

> Thanks
> David Walker Treasurer / Communications, University of Warwick Sub Aqua Club

If the Uni funds you they may have placed special restrictions on membership. After all they will control the funds.

As I stated above this is just my personal interpretation.

Hope it helps.

Edward Haynes
e-mail: edward.haynes@bsac.com

David Walker
12-10-2003, 12:36
> It is most likely your Uni is a Public Body (FOI, Schedule 1, Part 4 - http://www.legislation.hmso.gov.uk/acts/acts2000/00036--s.htm) and the FOI will apply. So yes they do need to know where ALL information is located and used. For information read: letters, e-mails, minutes of meetings and anything else that contains data - not just personal data. As a special branch that includes you and unfortunately the number of dives could come into it, if a member of the Public were to ask such a question.

OK - I've had a look at that, but I'm not 100% sure where our club would stand within that. We are actually a club which is run by the Student's Union rather than the university directly (I didn't mention that difference before since I didn't think it would be relevant). The Union gets some money from the University, but is basically financially independent. Whether that changes anything I'm not sure, since I don't know for certain exactly how our club is classed - I assume we're just part of that company, the Students Union, in which case. That act doesn't seem to make requirements for companies which receive small amounts of funding from a public body, and as the Union is a registered charity that may mean donations from the University to the Union may not require the FOI to apply to them??? Also, it gives exemption where cost of compliance with the act "exceeds appropriate limit", which would sort of apply within the club, but not within the Union as a whole.

> Sounds like he's referring to the FOI not the DP. As an ordinary BSAC Branch not affiliated to the Uni you need to notify all members of the purpose(s) you're going to use their personal data for (mandatory). This can be done by placing a Notification on the Information Commissioner's 'Notification' register, but not mandatory for a club. For sensitive personal data you require their consent (best way of proving that is to have a signature).

OK - if I assume for now the FOI doesn't apply to the Student's Union, we don't hold any sensitive data that I can think of, so in theory we should be OK, but I will probably give a notification anyway, and give them a chance to say no.


> Unfortunately even one person opting out will make your records near useless. Think carefully about what use (purpose) the Branch is going to make of personal data and then make acceptance a condition of membership. After all the Committee of each Branch must approve each member on entry and renewal, providing it's not been removed from the Bye-Laws.
> If the branch is a special then the Uni may have specified additional conditions which apply, including compulsory membership if medically fit.

Yeah, we do have certain rules on accepting members. Anyone can join the club, we can't stop anyone, we don't even necessarily know until after they've joined. Diving remains at the discretion of the DO, which is exactly as it should be - the Union are aware of the potential dangers of diving, and that we are also a BSAC branch, so allow us to go with the BSAC rules on what the DO can do. We do tend to break their (very big and apparently good) Equal Opportunities policy every year when we choose who we will let on the Ocean Diver course. Having a limited number of places means that we can't accept everyone - in theory we should have completely random selection, but in general after the try-dives and a few weeks of social events and things we can tell who is really interested and likely to stay, and others who might do it for a while and then give up. We shouldn't, it would be nice if we didn't have to, but for the club to survive we need people who we think will stay with the club and become instructors.

For opting out, I don't really think anyone would. That is the plan anyway. We have it there saying that they can, so no one can complain later, but hopefully no one will. I'll just put a statement there saying that if they won't let us hold their details, especially things like emergency contact, then we can't let them dive, and if we can't have details about diving qualifications and contact details, then they won't find out about any trips. Should be OK, but I'll have to consult the rest of the committee, probably talk to the IT Manager again, and then see what we can come up with.

I think the most important thing is that, if I do find out the club isn't covered by FOI, then the only restriction is really to notify, and any possible University / Union policy. For the latter, the Uni/Union are prepared to ignore it, so that would be fine. I can notify people easily, and then I'll just have to see what they say about FOI.

> Hope it helps.

Yep - that was brilliant thanks! I'll look into it a bit more to find out the legal position of our club, and then work out what to do. I never realised there were so many rules about all this! :o(

Thanks

David

David Walker
12-10-2003, 22:22
> Hope it helps.

Hi again

I've been through all of what everyone has said, and the document you e-mailed to me, and I've written a preliminary document about the DPA and how it applies to the club, and how it will affect our members. I still need to check our status regarding FOI, but I think this should probably be enough to get us out of any possible problems (not that I suppose there ever will be any). I'm planning on getting this agreed by the rest of the exec/committee, and then sending it to all current members and then every new member who joins.

It is quite long, and I need to refine it a bit, but the first bit I've done is in the link if anyone wants a look - any comments welcome, otherwise I'll just use it.

I have written it so it makes sense to someone who has absolutely no knowledge of the DPA, the Student's Union, or Diving really, so it might appear a bit basic to some of you.

David

edward haynes
13-10-2003, 20:03
David

My 2 comments on your DP procedure are:

1. By deleting all records when a member leaves you are robbing the Branch of historical data that might be of use for 21, 25, 30, etc anniversaries. Not that you would keep all information on an individual, but date joined/left and any special antidote might be useful.

2. There is no mention of maintaining records of a disciplinary matter.

Edward

Philip Smith
13-10-2003, 21:02
Not that you would keep all information on an individual, but date joined/left and any special antidote might be useful.
^^^^^^^^
Crikey, Ed -- you must have had some problem members in your time!

Philip

David Walker
14-10-2003, 02:16
> 1. By deleting all records when a member leaves you are robbing the Branch of historical data that might be of use for 21, 25, 30, etc anniversaries. Not that you would keep all information on an individual, but date joined/left and any special antidote might be useful.

Ahhh yeah - could do that easily enough. I'll look into the best way to do that, and what we'd want to keep.

> 2. There is no mention of maintaining records of a disciplinary matter.

Ummmm - like what? I don't think we've ever had any real disciplinary things. If there ever was a problem with a member they either wouldn't come back, which is easiest, or if they had a complaint about us we have to refer that to the Student's Union if there's no easy solution. It's never something that's cropped up, so I suppose we could deal with that as and when it happens and most likely with paper records, or adding the required table / values when we know what they are.

David

edward haynes
14-10-2003, 06:19
David

It isn't how you deal with it, and I hope you never have to, but you wouldn't even be able to provide evidence to the Student Union if it's not a process you have declared in the first place.

Scenario: Branch Diving Officer reprimands a member for some minor 'Safe Diving Practice' infringement; neither the Branch Diving Officer nor the Branch can keep any record of it without contravening DP. This includes the Minutes of Committee Meetings.

Edward

David Walker
14-10-2003, 10:29
> It isn't how you deal with it, and I hope you never have to, but you wouldn't even be able to provide evidence to the Student Union if it's not a process you have declared in the first place.
>
> Scenario: Branch Diving Officer reprimands a member for some minor 'Safe Diving Practice' infringement; neither the Branch Diving Officer nor the Branch can keep any record of it without contravening DP. This includes the Minutes of Committee Meetings.

Right - I'm with you now. I wasn't thinking of that sort of thing. I'll have to come up with some way of recording that, although we may end up cheating a bit on that one... I suppose just simple text fields which we can add to people would make it easy enough to describe what happened, it's just persuading our DO to use it.

Thanks for all this advice anyway though - it is all really useful for me!

David

David Walker
17-10-2003, 01:10
> Thanks for all this advice anyway though - it is all really useful for me!

Hi - just to let you know I think I'm about sorted now. I'm going to go with something along the lines of that notification to all members that we'll keep their details, and give them options about whether they receive e-mails etc. There'll also be a way for them to request we remove their details.
For the Union's part, they've agreed with a method that allows us to keep our records that they are happy with - basically, for the details they store, we use those instead of having our own copy, and then link the extra details we need onto there. The point in that is that when the Union delete their record, it will tell us that it's gone and we should too. They are happy with that arrangement in that it protects against the main problem of contacting people who don't want to be contacted, and keeping records of people who have asked to be removed.

Thanks to everyone who's offered advice - hopefully we'll be somewhere near legal as soon as I get round to making all these changes!

David!

Philip Smith
23-10-2003, 00:00
Just a postscript to this thread. The office of the Information Commissioner has confirmed that Student Unions and their affiliated clubs and societies do not come within the scope of the Freedom of Information Act.

Philip Smith

David Walker
23-10-2003, 00:45
> Just a postscript to this thread. The office of the Information Commissioner has confirmed that Student Unions and their affiliated clubs and societies do not come within the scope of the Freedom of Information Act.

Great - thanks for confirming that. When I spoke to our IT Manager again, I did mention the differences between FOI and DPA, and he basically said that the requirement for individual fields to be registered came under DPA, not FOI. Whether this is true or he is misunderstanding the interpretation I don't know, but in the end he said that as long as our database was linked to theirs then that would be enough to not cause any problems and for him to be happy - basically, when (if) someone asks for their details to be removed from the Union database, our database will spot that they've gone and will now alert the club exec and temporarily disable access to their information - effectively hide the information. We can then check with the Union why they've gone, and then we can delete that information from our database too. If it just happens that there was an error, then we won't lose all their data.
It's a bit of a bodged solution, but the IT Manager is happy with that (well, he said it should be directly linked so they would be deleted as a single action, but this is close enough...) :o)

It definitely does help to know that we aren't covered by FOI, so I can work on much more certainty now and probably make it fully legal, rather than "just about OK enough so that there aren't any problems".

Thanks

David
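The arrangement David describes above (a member vanishes from the Union's list, the club's record is hidden and the exec alerted, and the club's copy is deleted only once the Union confirms), as an added Python illustration that is not the club's own code: the record schema, field names, member ids and sample data are all constructed for the example, and the archive of joined/left dates follows Edward's earlier suggestion about keeping anniversary data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ClubRecord:
    """Club-only fields, keyed by the Union's member id (constructed schema)."""
    union_id: str
    name: str
    qualification: str
    emergency_contact: str
    joined: date
    status: str = "active"      # active -> suspended -> (deleted)
    suspended_on: Optional[date] = None


def reconcile(club: Dict[str, ClubRecord], union_ids: Set[str], today: date) -> List[str]:
    """Compare club records with the Union's current member list.
    A record whose Union id has vanished is hidden (suspended), not deleted, so a
    mistaken Union deletion cannot destroy the club's copy; a record that reappears
    is reinstated. Returns the alerts the exec should see."""
    alerts: List[str] = []
    for uid, rec in club.items():
        if rec.status == "active" and uid not in union_ids:
            rec.status, rec.suspended_on = "suspended", today
            alerts.append(f"{uid} ({rec.name}): gone from Union list, hidden pending check")
        elif rec.status == "suspended" and uid in union_ids:
            rec.status, rec.suspended_on = "active", None
            alerts.append(f"{uid} ({rec.name}): back on Union list, reinstated")
    return alerts


def committee_view(club: Dict[str, ClubRecord]) -> Dict[str, ClubRecord]:
    """Only active records are visible; suspended ones stay hidden until the exec decides."""
    return {uid: rec for uid, rec in club.items() if rec.status == "active"}


def purge(club: Dict[str, ClubRecord], confirmed_ids: Set[str], today: date,
          archive: Dict[str, Tuple[date, date]]) -> List[str]:
    """Delete suspended records the Union has confirmed as removed. Personal
    details go; only the joined/left dates are kept for anniversaries."""
    purged: List[str] = []
    for uid in list(club):
        rec = club[uid]
        if rec.status == "suspended" and uid in confirmed_ids:
            archive[uid] = (rec.joined, rec.suspended_on or today)
            del club[uid]
            purged.append(uid)
    return purged


# Constructed sample data: three members, one of whom the Union has just removed.
SAMPLE_CLUB = {
    "u1001": ClubRecord("u1001", "A. Diver", "Ocean Diver", "01234 000001", date(2002, 10, 1)),
    "u1002": ClubRecord("u1002", "B. Diver", "Sports Diver", "01234 000002", date(2001, 10, 3)),
    "u1003": ClubRecord("u1003", "C. Diver", "Ocean Diver", "01234 000003", date(2003, 10, 6)),
}
UNION_ACTIVE = {"u1001", "u1003"}   # u1002 has asked the Union to remove them


def demo(today: date = date(2003, 10, 23)):
    """Run one reconciliation, then purge after the Union confirms the removal."""
    club = {k: ClubRecord(**vars(v)) for k, v in SAMPLE_CLUB.items()}  # work on a copy
    archive: Dict[str, Tuple[date, date]] = {}
    alerts = reconcile(club, UNION_ACTIVE, today)
    visible = sorted(committee_view(club))
    purged = purge(club, {"u1002"}, today, archive)
    return alerts, visible, purged, archive, sorted(club)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two-step design is the point: the reconciliation only hides, so an accidental Union deletion is recoverable, and purge() runs only for ids the exec has confirmed with the Union.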

edward haynes
23-10-2003, 23:07
Philip

That's good news.

Edward

> Just a postscript to this thread. The office of the Information Commissioner has confirmed that Student Unions and their affiliated clubs and societies do not come within the scope of the Freedom of Information Act.
>
> Philip Smith