Introduction
As part of the introduction of the General Data Protection Regulations (GDPR) in May 2018, Farnham Astronomical Society (FAS) has reviewed its policies and procedures in relation to the data held (electronically) on its membership. These have been further updated (in Aug 2022) to reflect recent changes to the hosting of membership data, which is now provided by MemberMojo.
Procedures are required to be established to handle the maintenance of the lists, their accuracy and dealing with member requests for details on information held, and for the removal of that information
This document also sets out the steps to be taken should FAS be notified that a data breach has taken place.
Data Processor and Data Controller
FAS manages its membership data using the software, services, storage and hosting facilities of online membership services provider MemberMojo. In GDPR terminology, they are our data processor, whilst FAS remains the data controller.
Important Links
- MemberMojo Website: https://membermojo.co.uk/
- MemberMojo GDPR overview: https://membermojo.co.uk/farnham-as/help/gdpr
Data Held
FAS holds the following data in an online database secured and hosted by MemberMojo…
Data Item |
First Name |
Last Name |
Email Address |
Membership Type |
Address |
Telephone No |
Mobile Number |
First Aider (y/n) |
Mailing List Subscriptions, currently: – Outreach Events – Observing Events – Newsletter |
Membership Number |
Membership Expiry Date |
System Emails (not used) |
Renewed On Date |
Member Since Date |
Site Role (Member or Admin) |
Linked To (other member – for family/group memberships) |
Membership State (Active/Pending Payment/Expired) |
Unsubscribe (all membership expiry emails) |
Unsubscribe (all group emails) |
Members are uniquely identified by their membership number. All members are asked to give their consent to hosting their data on MemberMojo when first applying to join the society and annually thereafter, when membership is renewed. They also consent to receive occasional communications from the society, and can further opt-in to other mailing lists.
We endeavour to track attendance at society events, and records of payments made.
Data Access
Members can access and amend their own details at any time, by signing in to their account on MemberMojo at https://membermojo.co.uk/farnham-as.
Only the Chairman and the Membership Secretary have access and administrator rights to the full membership database.
Mailing Lists
MemberMojo enables administrators to set up group mailing lists, with controls on who can send emails using these lists. These are used to send society communications, opt-in emails, and to manage individual membership renewals and fee payments. Permissions to send emails using these mailing lists are restricted to committee members.
Members agree to receive society communications and membership renewal emails when joining the society or when renewing their membership but can ask to be removed by emailing our Membership Secretary
Members can opt-in to additional email distribution lists when joining and can opt in or opt out at any time by signing in to their account and updating their preferences, or by sending an email request to or emailing the Membership Secretary. Unsubscribe links are also included in the footer of every email sent.
Our opt-in mailing lists are currently…
Distribution List | Purpose |
Observing | For people who wish to receive notifications about observing events |
Newsletter | For people who wish to receive the monthly newsletter |
Outreach | For people who wish to receive notifications about outreach activities |
Data usage
Data is primarily held for the purposes of maintaining a record of the membership of the society, attendance at meetings, managing the renewal of memberships and the collection of membership fees, communicating with members about society business, distributing newsletters, and contacting members in connection with society observing or outreach events.
Keeping records of attendance helps us understand the popularity of specific events and trends in attendance that feeds into our planning of future events, external marketing efforts, and in setting membership fees for the coming year. Storing addresses helps us understand where our members are located should we need to change our meeting venue or choose an observing site, or indeed to recover society property if this has not been returned following a loan.
Other potential usage scenarios might include proving society membership to an insurer in the event of a claim, contacting relatives in case of a medical emergency, or otherwise as required by law.
We do not sell or pass on membership details to commercial organisations, nor do we promote products and services to our members on their behalf.
Legal basis under which data is held
Farnham AS claims a legitimate interest to hold and process its members’ names and contact details, so that it can operate as a society, know who its members are, communicate with them about society meetings and other business, manage their membership renewals and expiry, loan equipment, distribute newsletters, etc.
We ask for minimal information consistent with the data usage scenarios described above.
In addition, we ask for explicit member consent to this storage and processing, and we make available facilities for members to view or edit their personal data, at any time, and to opt-in/out of group mailing lists.
FAS holds data as if we are a Data Controller.
Our Membership Secretary is the Data Protection Officer.
Membership
On applying to join FAS, new members will be asked to provide their personal data, select their opt-in choices, and to give their consent to our GDPR arrangements, as described above. Upon renewing their membership (at the start of each year), they are invited to update/confirm their details and opt-in choices and to give their consent again.
Members can also review/update their details at any time, by signing in to their account, or emailing our Membership Secretary.
Children
Anyone under age 18 is considered a child and cannot be a member without parental permission. This is obtained at the time of joining where the parent will be required to complete the membership form on the child’s behalf. Parental approval is also required should confirmation of membership data be required.
Member Request for information held (Subject data Access Requests)
Should a member request a copy of all information held by the society this must be made by email or by letter to the Membership Secretary. The Membership Secretary will reply within 30 days of the request to the email address of the sender (provided this matches with the address held on the society records) or to the address registered with the Society in the case of a request by letter, with a copy of the data above relating to the email or postal address provided.
Member request for deletion of information
Should a member request that all information held by the society be deleted this must be made by email or by letter to the Membership Secretary. The Membership Secretary will reply within 30 days of the request to the email address of the sender or to the address registered with the Society in the case of a request by letter confirming that the data above relating to the email address or postal address has been deleted. The member will no longer be considered a member of the society and no refund of fees will be paid.
Membership Expiry
Should a member’s membership of FAS expire due to non-payment of subscriptions, their account will be marked as expired, and they will cease to receive society communications and group emails thereafter. For the convenience of members wishing to make a late renewal, we will endeavour to keep their details online for a few months but will delete their details within 6 months of the membership expiry date if not renewed before then.
Data Breach
FAS only hold the minimum amount of data about its membership as it considers appropriate for the smooth running of the society and communication to members on the society’s business. Whilst the data held is not considered sensitive[i] for the purposes of GDPR, FAS takes seriously any breach of the trust confidentiality that members have given FAS in the management of their data.
If FAS is notified or otherwise becomes aware that a data breach has occurred it will write to all members, within 72 hours, advising of the circumstances, and the data that is likely to have been compromised.
Data Protection Impact Assessments (DPIA)
Under GDPR a DPIA should be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.
FAS has reviewed the conditions identified in the GDPR and confirms that
- It does not perform a systematic or extensive evaluation of personal data, nor make decisions that result in a significant impact to a person
- It does not hold or process any special categories of data, or data relating to criminal offences
- Does not perform systematic monitoring of a public area on a large scale where subjects are not aware that their data is being collected.
In the opinion of FAS the data held does not fall into any of these categories and as such a DPIA is not considered to be necessary.
FAS Committee
Last Updated 10 Aug 2022
[i] Examples of sensitive data would be medical information, race, religion, criminal records political opinions.