Orpington Astronomical Society
Data Protection Policy

Updated: November 2021.

1. Overview

1.1 Orpington Astronomical Society (hereafter referred to as the ‘OAS’) is
a registered charity [1] with the sole objective of promoting an interest in
the science of astronomy. Its area of operation is centred on Orpington,
but extends to Bromley, Sevenoaks and their environs.

1.2 In order to effectively carry out this objective the OAS is obliged to
hold some personal data of its members. It also operates a website for
the purpose of disseminating Society information, which includes a
forum for the discussion of items of astronomical interest.

1.3 The membership data thus held is solely used for the purposes of
running the OAS and making its membership aware of society activities,
opportunities to attend related events and news. The data is kept with the
approval of the individual members and the amount held is kept to the
absolute minimum necessary for the Society to function.

1.4 The OAS Membership form shown in Annex A details the personal
data collected along with the individual member’s consent for the OAS to
hold and use their personal data in order to carry out its activities
according to this policy.

1.5 It is the policy of the OAS that upon joining the Society only the
following information is collected and held:

  • Full name;
  • Home address;
  • Email address;
  • Home and mobile telephone numbers;
  • Date of birth if under 18 years old;
  • The date the Society was joined.

1.6 The OAS does NOT collect NOR hold any personal financial data,
although it may on occasion contract with an approved transaction
processor who has demonstrated compliance with GDPR, in order to
facilitate legitimate payment for subscriptions or other services.

1.7 The membership data is only held by elected members of the OAS
Committee; Sections 2.4 and 2.5 refer.

1.8 Members’ data will NEVER be passed to any third party organisation
without the individual’s prior explicit consent; however, see Section 2.7.

1.9 The responsibility for implementation of this policy lies with the Chair
of the OAS, who has the role of ‘Data Controller’ as required by the General
Data Protection Regulation (GDPR), but in practical terms maintenance of
current personal data lies with the OAS Membership Secretary and the
Website Manager in respect of the OAS Website. More details on data
protection principles and GDPR can be found on the Information
Commissioner’s Office (ICO) website https://ico.org.uk/.

2. Personal Data Management

2.1 OAS membership data is held in an encrypted, password protected
data file (hereafter in this document referred to as the ‘Membership
Spreadsheet’).

2.2 The Membership Spreadsheet shall be kept up to date by the OAS
Membership Secretary, who alone can edit or update it.

2.3 The Membership Spreadsheet shall only be held or accessed using
computers that have up to date antivirus protection.

2.4 Other than the Membership Secretary, the only OAS Committee
members permitted to view a (password protected) copy of this
spreadsheet are:

  • The Chairman;
  • The Vice Chair;
  • The Website Manager;
  • The Treasurer.

2.5 In exceptional circumstances other members of the OAS who have
been co-opted on to the Committee or have become an Associate
Committee Member for a specific reason may be permitted to access the
Membership Spreadsheet for a limited period.

2.6 For OAS officers who need to communicate with the membership by
email, such as the editor of TOAST (the OAS quarterly magazine), a
confidential email group called the ‘Toast-list’ is available to protect the
privacy of individual members.

2.7 The OAS may contract with Membermojo to act as their Data
Processor [2]. Membermojo provides membership services to a number of
UK organisations. Membermojo has confirmed that all Membermojo
servers and backups are hosted in secure UK facilities and that
Membermojo complies with UK GDPR requirements.

3. Data Retention and Members’ Rights

3.1 Members’ data shall only be held for as long as they are a paid-up
member of the OAS; after 6 months it will be deleted.

3.2 OAS committee members holding a copy of the Membership
Spreadsheet shall permanently delete their copy if they change or end
their OAS Committee role.

3.3 Any member has the right to view the data held by the OAS (or on
their behalf by Membermojo) and have it corrected or deleted at any
time; the request shall be in writing via the Chair of the Society (Section
1.9 refers). However, Membermojo undertakes to provide security and
access controls for members’ data and functions that assist members to
exercise their rights under GDPR. They include:

  • The right to access – members will be able to sign in to view their
    own personal data.
  • The right to rectification – members will be able to sign in and
    amend their personal data.
  • The right to erasure – OAS administrators can securely delete
    personal data for members requesting their data be erased. Erasing
    a member will remove their member record and anonymise any
    activity, attendance and (optionally) payment records.

Membermojo’s Privacy Policy describes how they handle membership
data. See https://membermojo.co.uk/mm/help/privacy

3.4 Deletion of all of a member’s data at the request of a member will
result in termination of membership.

4. Website Operation

4.1 General Operation

4.1.1 The OAS Website is available to anyone; however, some parts of the
Forum can only be accessed by OAS members who have had an
account set up by the OAS Website Manager.

4.1.2 Anyone with an account logging into the site will have a temporary
cookie set up to determine if the browser accepts cookies; this cookie
contains no personal data and is deleted on closing the browser.

4.1.3 Upon logging in, several cookies will also be set up to save login
information and screen display choices. Login cookies last for two days,
and screen options cookies last for a year. If “Remember Me” is chosen,
the login will persist for two weeks. Upon logging out of the account, the
login cookies will be removed.

4.1.4 Upon editing or publishing an article, an additional cookie will also
be saved in the browser. This cookie includes no personal data and simply
indicates the post ID of the article just edited. It expires after 1 day.

4.2 Embedded Content From Other Websites

4.2.1 The OAS Website may include embedded content such as a Twitter
feed, videos, images, etc.; such content will behave in the exact same
way as if the visitor has visited the other website, and hence may collect
data, use cookies, embed additional third-party tracking, and monitor
interaction with that embedded content, as if logged in to that website.

4.3 User Accounts and Data Retention

4.3.1 Forum users can set up a profile which can contain personal
information they choose to include and which is then visible to any logged
in user. Individuals can edit or delete their personal information at any
time (except they cannot change their username). Similarly, the OAS
Website Manager can also see and edit the profile information.

5. Action to be Taken in the Event of a Possible Data Breach

5.1 With reference to the Information Commissioner’s Office (ICO) website,
the risk to individual members associated with a breach of OAS data is
assessed as at worst being ‘neutral’, or more probably ‘unlikely’.
Nevertheless, on becoming aware of a possible data breach, the OAS
Chair shall within 72 hours contact the ICO by telephone to discuss the
breach to decide what, if any, action needs to be taken.

5.2 The OAS Chair shall inform in writing any member that may be affected
that there has been a breach and what personal data may have been
accessed.

© Orpington Astronomical Society 19 November 2021

[1] Registered in England and Wales No. 289661

[2] Information Commissioner’s Office (ICO) key definition