SHED - GDPR (General Data Protection Regulation) Privacy Notice
SHED (Blackshaw Local History Group) will be what is known as the ‘Controller’ of the personal data you provide to us.
For administrative and operational purposes, we only collect basic personal data about you. This includes name, address, email, phone number.
We may collect more complex data, where it is fundamental to the items and collections contained in our local history archive, or the metadata contextualising such items.
Why we need your data
We will not collect any personal data from you we do not need in order to provide and oversee our local history archive services, in the public interest .
We need your basic personal data for one of the following reasons:
- Administrative / operational data collected as part of the process of running a small, community-based organisation. This would mainly be current and past SHED members (as the group operates an ad hoc / informal membership policy, attendance at one or more meetings and / or participation in the organisation of the group’s activities is considered to constitute membership), for example: the names, addresses, telephone numbers and email addresses of members.
- As part of the SHED local history archive itself. For example: names, addresses, occupations and events contained within letters, documents or photographs relating to living people.
- As the registered users of an archiving software platform (generally these are members of SHED, but maintained as a separate user base from the membership contact list). For example: names and email addresses are stored.
- From online guest contributors to the archive - using an archiving software platform, which requires their registration as guest users (name, email address).
- Stakeholders and partners - people who donate items to SHED, people who come and give talks at SHED events, volunteers. For example: names and email addresses.
What we do with your data
All the personal data we process is managed by our members in the UK. However, for the purposes of computer-based hosting and backing-up this information may be located on servers outside the European Union.
Where this is the case, SHED will endeavour to ensure that, where possible, all companies involved in hosting your data are compliant with GDPR.
However, the non-profit nature of our activities may make it necessary to host some of your personal data on ‘free’ cloud services, such as Google Drive, OneDrive, Dropbox etc..
SHED will always try to ensure that no third parties have access to your personal data, unless the law allows them to do so.
How long we keep your data
Personal data that we hold for administrative / operational reasons will only only be retained while current and then for a further, reasonable period of time. SHED will periodically review data of this nature and (if its continued relevance is in doubt) we will contact you to ask if you still wish to hear from us. If no answer is received, we will erase your data.
If your personal data is in our local history archive, it will be retained indefinitely. This is on the basis of public interest - as permitted under exemptions for archives in the UK Data Protection Act 2018.
What we would also like to do with your data
Where we have your name and email address for administrative / operational reasons (you are or have been a member, or you have donated to SHED, collaborated with us in the past), we would like to be stay in touch to inform you about our future activities and events.
This information is not shared with third parties and you can unsubscribe at any time by emailing: email@example.com
Personal data associated with items in our local history archive will be retained on the basis of public interest.
UK law exemption from specific GDPR articles for the activity of ‘archiving in the public interest’
As the keeper of a local history archive, SHED is exempt from specific GDPR articles, as detailed in:
Data Protection Act 2018 (2018 c.12) - SCHEDULE 2 (Exemptions etc from the GDPR), paragraph 28, which states:
“The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes”.
The list of exempted GDPR articles (specifically relating to public archives are): 15 (1-3),16,18,19,20,21. For an explanation of these articles, see: Rights of the data subject - https://gdpr-info.eu/chapter-3/
These exemptions mean that some of your rights under GDPR will have a more limited application, than for your information held by other data controllers (banks, utilities companies, social media companies etc.).
See the next section (‘What are your rights’) for further details.
What are your rights
If at any point you believe that the administrative and operational personal data about you is incorrect, you can request to see this information and have it corrected or deleted (our responsibilities for correcting your archive-based personal data differ from this - see below).
Please note: under the UK Data Protection Act 2018’s archive exemptions, SHED is not obliged to correct archival records, but we will always respond to such requests in a sympathetic manner, explaining our decision to you and adding detailed notes about the request to any metadata relating to the contested archive item.
You may request the erasure of your personal data held in our history archive, but we are generally only required to comply, where it is no longer necessary for us to retain it. As our need to retain your data indefinitely is essential to the purposes of maintaining a history archive (and is in the public interest), it is unlikely that we will agree to erasure.
However, we may consider withdrawing public access to it, at least on a temporary basis, to allow further discussion. Requests concerning archive data relating to you, would need to be made in writing (this may be the scan of a signed letter attached to an email to: firstname.lastname@example.org).
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated: email@example.com
If you are not satisfied with our response, or you believe that we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk/