Thomson Terrace Allotments CIC Data Protection Policy (GDPR)
Data protection law requires us to tell you why we hold personal data, what we hold, the source of the data, who can access it, and how long we keep it for. We also have to let you know your rights with regard to your personal data. This document sets out those details. It is mainly about Members, including Committee Members, but also applies to others whose contact information we hold (e.g. contractors, landlord, neighbours, environmental agencies).
Some definitions may be useful. The law is called the ‘General Data Protection Regulation’ or ‘GDPR’. There is a lot of information about it on the Information Commissioner’s website (https://ico.org.uk/).
Thomson Terrace Allotments C.I.C.(‘TTACIA), ‘the Association’, or ‘us’ is what is known as a ‘Data Controller’. ‘Personal data’ means as any information by which you can be identified individually, for example, your name or phone number.
We may make changes to this Policy from time to time, to reflect any changes to our use of personal data, or to comply with changes in the Law or regulatory requirements. Substantive changes will be agreed by the Committee and Members will be informed.
If you have any questions about personal data that are not answered below, please contact the Association Secretary and data protection lead, Secretary@ttacic.org
Members: The Data we hold and how we hold it
Before you become a member there is usually email contact between you and a Committee Member. If you do not take up membership, it is not practical to delete these emails but they are not used.
Once you become a member, the main personal data we hold is your
- Phone number (landline and/or mobile)
- Email address
- Plot number
You are the source of this information, initially from your Membership Subscription Agreement, then changes
you notify us about. We keep this information in our electronic Membership file. The Secretary keeps the spreadsheet up to date with changes notified by you. Once a year, at membership subscription renewal/AGM time, members are prompted to let the Secretary have any changes to their details. The information held is also printed on the annual invoice sent individually to members, with a reminder to let the Secretary know if it is out of date.
A copy of your original, signed Membership Agreement is retained on paper in a file at the home of the Secretary or delegated Committee member.
As well as the Membership file, we use other electronic files to manage our finances and audits. All these files are held on the responsible Committee members’ computers or on secure ‘Cloud’ storage (Microsoft OneCloud) to which the Secretary and Treasurer have access to.
They may also be emailed between Committee members on a need-to-know basis.
We use WhatsApp and email to handle one-to-one administration and communication. For bulk emailing (usually AGM, EGM and rent notices), we use a group email via Outlook and never sell your data.
When you come to a working party, we record your name and plot number on paper, which is subsequently transcribed and circulated around the Committee by email.
The Committee holds a management meeting once a month. Electronic committee minutes, which may refer to member names and plot numbers, are emailed to Committee members. In the future, we intend to store minutes securely in the ‘Cloud’.
Once a year, TTACIC holds an AGM. The minutes of the AGM, including names and plot numbers of attendees, are posted on our website.
Our bank account is with Metro Bank. Committee members who are signatories on the bank account are able to see Metro Bank statement of members’ electronic payments.
When you end your membership there is likely to be a period during which TTACIC still need to contact you, for example, about returning key deposits and clearing your plot. We may therefore continue to use your contact details after your membership ends, but only for the purpose of resolving any outstanding matters.
Non-members: the data we hold and how we hold it.
Members of the Committee hold personal data (largely names and contact information) about non- Members, for example contractors who do work for us onsite, suppliers and other agencies and stakeholders of various kinds (Oxford City Council, RHJYC, ODFAA, environmental agencies, those whose venues we book…) They may be held electronically and access from home computers, or via Smartphones, or on paper. Where such informatioon is not in the public domain, and has been provided only to manage TTACIC business, its use is limited to that business and will be viewed only by the Committee. The retention period will depend on the nature of the relationship with TTACIC and whether further contact is likely to be necessary. In the case of data linked to contractual arrangements, it will normally be 6 years.
The Legal basis on which we hold personal data
Data protection law has six possible bases on which to hold personal data. Membership data is held on the basis of ‘Legitimate Interests’. This means in ways one would ‘reasonably expect…and which have a minimal privacy impact, or where there is a compelling justification for the processing’ (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulationgdpr/ lawful-basis-for-processing/legitimate-interests/).
The data we hold on non-members, such as contractors and other agencies, may be on the basis of legitimate interests or on a contractual basis.
The Purposes for which we hold personal data
The over-arching purpose for holding personal data is the administration of the Association and the custodianship of the Thomson Terrace Allotments C.I.C (‘the Site’). In detail, this means
- The management of prospective members (waiting list, site tours…).
- The offer of a plot, acceptance of a plot and associated terms.
- Any moves from one plot to another, additional plots.
- Relinquishing of plots, and termination of membership.
- Payment for membership, the plot and associated sundries.
- The management of key deposits.
- Payment for services.The management of permissions associated with plots (e.g. shed and tree permissions).
- Communication about the site and plots (e.g. social events, working parties, policy reminders, gardening advice, shop opening hours…). Communication on individual
- circumstances affecting the plot holder or plot.
- Communication about the Association (e.g.AGM).
- Communication about ODFAA (Oxford and District Federation of Allotment Associations, Oxford’s allotment umbrella group), to which TTACIC belongs.
- Communication about contracts, leases, insurance and so on.
- Issues with plots, and enforcement of site and plot rules, including any follow-up required with individual members and co-workers, within and outside of the regular audit process.
- Urgent contact for plot or site problems.
- Recording the history of plots over time, including characteristics and problems associated with that plot.
- Recording of sales at the Trading Shed/Shop.
- Recording Working Party attendance.
- Management of the Site and Association as a whole, for example, meeting minutes, analysis of plot vacancies, late payments, working party hours.
- Engaging and managing external suppliers, service providers and contractors.
- Relationships with key stakeholders (e.g. landlord, insurers, neighbours, environmental agencies) so that we can work together on necessaray joint arrangements, handle issues etc.
Your Rights Who can access personal data and how long is it kept for ordinary members
If you are an ordinary member (i.e. not a Committee member), the only people who have access to your personal details are Committee Members.
Our files are kept for up to 6 years (we have had membership and payment queries after many years). After this, they are destroyed.
When a Committee member stands down, they hand over their files to their successor. It is not practical for all old emails to be deleted, but they are not used.
The names of all Committee members are in the public domain. It is occasionally necessary for their contact details to be shared with outside bodies, for example, for the purposes of insurance.
Confidential and sensitive information
Members may from time to time share confidential information with the Committee, for example if illness or family problems are making it difficult to maintain their plot, or where financial problems are making payment difficult. This information is only shared between Committee members, and only on a ‘need to know’ basis.
Data protection law gives you certain rights. Full details are available on the Information Commissioner’s website. For a small organisation like ours with relatively simple records, the relevant rights are for you to see what data we hold about you and to correct any errors in it. For
Members, when we send you your annual subscription notice, we include the address and email details that we hold, so that you can check they are correct.
You can contact the Secretary (Secretary@ttacic.org) at any time to confirm what details we hold on record for you.
You also have a right to complain to the supervising authority, ie. to The Information Commissioner’s Office (ico.org.uk)
Our website address is: https://ttacic.org.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where your data is sent
Visitor comments may be checked through an automated spam detection service.