All committee members will be aware of this policy and will act in accordance with it.
The Campaign will hold only necessary personal information about individuals to allow it to manage its membership, to engage in local cycle campaign issues and to organise cycle rides.
- Membership data may be held on spreadsheets and databases maintained by committee members, or on secure third party websites (e.g. Mailchimp)
- Membership data may include:
- Telephone (landline and/or mobile)
- Email address
- Membership paid for including start, renewal and end dates
- Payment method
- Emergency contact details (in the case of ride participants)
- The individual’s roles within the Campaign, e.g. as ride leader or committee member
- A note of any consents to receive the Campaign’s newsletter (opt-ins)
- A note of any request not to use the member’s data for marketing purposes
- Bank account or PayPal account details of individuals shall be used only by the Treasurer and account signatories for the purposes of processing payments from or to the individuals and shall not be included on the membership database.
- The Campaign will hold only necessary personal information about individuals who have signed paper or online petitions on cycling matters for the purposes of campaigning on specific issues.
- Petition data may include
- E-mail address
- The nature of the petition signed by the individual
- Consent to be contacted by the Campaign
- The Campaign will hold only necessary personal information about individuals who have made other enquiries.
- Enquiry data may include, depending on the information supplied by the enquirer:
- Postal address
- E-mail address or other online identity (e.g. Twitter handle)
- Telephone number (landline and/or mobile)
- The nature of the enquiry made by the individual
- This personal data will be held separately to other, everyday campaign data and content;
- Only committee members with duties to conduct which require access to this personal data, shall have access to this data;
- Emergency contact details will only be held by approved ride leaders for the duration of the ride or event, unless explicitly agreed otherwise for the purpose of future rides. If so agreed, the Social Ride Co-ordinator shall maintain in a password-protected location the following details:
- rider’s name
- rider’s mobile telephone number
- name of rider’s emergency contact person
- mobile telephone number of rider’s emergency contact person
Only the Social Rides Co-ordinator and approved ride leaders shall be able to access this information.
- Personal data will not be shared by the campaign with any third party organisations, unless explicit permission has been sought from and given by the Data Owner. The Campaign has a published policy of not passing information to third parties.
- Local copies of personal data may not be stored on personal devices or storage (laptops, tablets, desktops or mobile phones) unless it is in password protected files with only key committee members knowing the password.
- Paper copies of members’ personal information shall not be held unless there is a specific justification for this – these paper copies will be treated just as sensitively as electronic records.
- Membership data will only be retained for 2 years after a member has cancelled their membership or failed to renew it, or such shorter period as they may request.
- Petition data will not be used for purposes other than submitting the petition and informing the persons signing it of the progress of the specific campaign issue.
- Petition data will only be held for 2 years after the petition has been submitted, or 1 year after the last update on the issue has been sent to those who signed the petition, whichever is the later.
- Enquiry data will not be used for purposes other than answering the enquiry and enabling the enquirer to join the Campaign.
- Details of persons who have made enquiries but have not become members of the Campaign will not be retained for longer than 1 year after the last correspondence relating to the enquiry
RIGHT OF ACCESS REQUESTS
- Any request for release of an individual’s data shall be responded to within the one month permitted by the GDPR and in accordance with the provisions of those Regulations.
OTHER REQUESTS (including 'opt-outs')
- Any request not to use an individual’s data for the purposes of the Campaign (other than to keep a record of membership) shall be complied with within the “reasonable period” required by the Act, which the Campaign considers to be 14 days.
Leeds Cycling Campaign Data Protection Policy
Version 6 – July 2019
 An example of this might be holding paper copies of Standing Order and joining/renewal forms in case they are needed for audit purposes.