Briefing:Data Protection Guidance for Party Officers From: Shane Brogan For attention of: All Party Officers Published: 10th May 2018 Last updated: 26th July 2019 Printed: 22nd January 2021 Other formats: Print New data protection regulations are being introduced - find out how this affects your role and what you need to do. Significant changes to data protection legislation are being introduced across the European Union. The General Data Protection Regulation or GDPR will come into force on 25 May 2018 and helps strengthen the rights of individuals over their personal data. Like all organisations, the Co-operative Party will have to develop existing data protection practices to ensure compliance with the new regulations. The changes will apply to all units of the Party including branches, party councils and regional parties. This Briefing provides officers with an overview of the changes and some of the steps you may need to take to ensure you and your branch are compliant. What is GDPR? On 25 May this year, the General Data Protection Regulation (GDPR) will be implemented in the UK. The introduction of this new legislation will be the biggest change to data protection in the UK since the Data Protection Act came into force in 1998. GDPR aims to produce a new legislative framework around Data Protection and Information Governance that better reflects the modern realities of data usage by all organisations. In addition, it establishes a number of new rights for members of the public, allowing them to better understand and control how organisations use their data. The GDPR will also introduce a number of robust sanctions for data breaches and non-compliance, including the provision for fining organisations found to be in breach. You can read more information about GDPR on the Information Commissioner’s Office (ICO) website. Read more about GDPR from the Information Commissioner’s Office (ICO) How does this affect the Co-operative Party? The Co-operative Party takes its responsibilities around Data Protection seriously and is developing its Data Protection and Information Governance policies and practices to ensure organisational compliance with GDPR. In addition, the Co-operative Party is currently improving the mechanisms by which Data Subjects can exercise their information rights. One of the key changes will be the need for the Co-operative Party to prove that it has got the explicit consent to communicate with individuals by email and phone. We communicate in this way to keep supporters updated about Co-operative Party campaigns, events and opportunities to get involved. This means that we may need to contact some supporters to make sure we have their consent before the changes comes into effect on 25 May 2018 or they will no longer receive these communications. We will contact supporters direct if we need to confirm their consent. What do I need to do as a Party Officer? The work of the Co-operative Party is only possible thanks to the hard work of our voluntary officers across the UK. We know that some of these changes may seem daunting and so we will be doing our best to ensure you have all the tools needed to comply with GDPR. When you use data from the Co-operative Party such as membership lists, you are a processor for that data which belongs to the Co-operative Party and subject to the requirements of legislation such as GDPR. If the only Co-operative Party data you use is membership lists provided by Head Office or downloaded from our Officer Dashboard, then you will not need to ask your members for consent, as we will have already checked this before sending you the membership list. In this case you don’t need to contact members in relation to GDPR, however there are other things that we ask you to do to protect the data we hold – see our check list that explains what practical steps you need to take as a Party officer. If you have email addresses for supporters who are not members of the Co-operative Party (for example individuals who have expressed an interest in attending events) or use an email service such as MailChimp to send emails to your branch, then please contact us so that we can add this to our register and help ensure your branch or party is GDPR compliant. The Co-operative Party has now updated all online and paper membership, sign-up and event registration forms, and petition templates to reflect the new requirement to have explicit permission to contact individuals by email. If you are using old templates, please destroy those and request copies of the new versions from the Membership Team. Who can access membership lists? We provide membership lists to local branches to help you stay in touch with your members and support member activity in your area. These lists are provided to officers and must be used in keeping with our Privacy Policy and Data Protection Checklist below. Membership lists are normally only made available to branch secretaries. If you are a party council secretary you will also be able to access the lists for your branches. Membership lists can be requested by contacting the Membership Team or by logging in to your account on the Officer Dashboard (click here to register). These will normally include the name, email address, phone number, postal address and membership status of members. Data Protection Check List The Co-operative Party provides data about our members to party officers to help them carry out their role and build strong and active local branches. When using Co-operative Party data, officers are required to comply with regulations such as GDPR. The general tips in this check list are designed to help you with your role but is not exhaustive. Ask permission before you share someone’s personal data with an outside organisation. Where possible do this by email so you have a written record. When sending emails to branch members, always make sure that the email addresses are placed in the ‘BCC’ field. If you send regular email updates to members and supporters in your area, consider sending these through a special programme such as MailChimp, as this allows individuals to unsubscribe should they no longer wish to receive it. If you are a secretary, you should consider setting up a separate email address for your role, this means that you keep Co-operative Party data separate from your personal inbox and makes it easier to pass on to future officers. Any devices that you use to access or save Co-operative Party data such as membership lists should be protected with a strong password. Membership lists should never be saved on memory sticks that don’t have a password. Paper membership lists, sign-up forms and petitions gathered locally should be sent direct to Head Office to be recorded and stored. If you keep paper records, these should be kept in a secure cabinet and shredded when no longer needed. Only keep the most recent version of membership lists. When you receive a new list, delete or shred the previous copy. Updated lists can easily be requested from the Membership Team or downloaded from the Officer Dashboard. Never forward membership lists to other officers, instead ask them to request a copy of the membership list direct from Head Office. Similarly, never give your password for the Officer Dashboard or your email to anyone else. When working in a public place, be careful that other people do not see personal data that they have no right to view, e.g while working on a train or in a library. Remember, the Co-operative Party is an independent co-operative and political party. This means that organisations like the Labour Party and affiliated co-operative societies are treated as third parties. As with all outside organisations, only share data with these organisations when you have explicit consent from the individual concerned. How can I get more information? In the coming weeks, the Co-operative Party will be taking further steps to strengthen how we protect the data of our members and supporters and move towards GDPR compliance. If you have questions about how these changes may affect you and your branch, please get in touch with the Membership Team: membership@party.coop or 020 7367 4151. Further general information about GDPR is available from the Information Commissioner’s Office (ICO). You can also find out about what data the Co-operative Party collects and how it is used in our Privacy Policy. Action Points Check you're ready for GDPRRead our Data Protection Check List to make sure you're aware of your responsibilities Check what data you haveOnly keep the most recent version of the membership list - older versions must be deleted (or shredded if it's a paper copy) Check your data is secureOnly save membership lists onto a device that is password protected and never forward to anyone else For more information Get in touch if you have questions about data protection and your role within the Party. Shane Brogan Membership Manager Resources Further information on GDPR from the ICO Co-operative Party Privacy Policy