As you may be aware, the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the existing Data Protection Act. The GDPR aims to bring our data protection laws up to date, giving individuals new rights and protections with regard to their personal information.
Details on the GDPR can be accessed here:
The following outlines the ways in which the new GDPR applies to the AEA, and our obligations to our members under the new Act.
The GDPR strengthens the rights of individuals with regards to their personal data.
This is any information which, on its own, or with information already held, would identify an individual – such as your name, address, NI number, a photo, or a computer IP address.
The categories of personal data you may have supplied to the AEA upon joining us can be found at our online membership form (https://envarch.net/register/). Key data are your name, address and email – all essential for us to communicate with our membership, and to supply you with hard copies of our journal. Additional information we ask you to provide – for example, your own research interests, or where you heard of us – are of interest to us in understanding our membership base and the efficacy of our communication tools and public profile – but we don’t require you to provide them, and all members can leave these sections of our membership form blank if they prefer.
The conditions for consent have been strengthened.
A request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent from AEA members for their relevant personal data to be shared with our journal publishers is essential in order for the Association to provide hard copies of the Journal. From May 25th, our online membership form will include a specific consent agreement, so that members can authorise us to share name and address details with the publishers for the purpose of posting hard copy journals. Members who pay by Standing Order and our Honorary Members, who don’t use our online registration/renewal facility, will be receiving a separate email asking them to confirm this consent.
We also add member email addresses to our two jiscmail mailing lists: the AEA-jiscmail list, used for communication between the AEA and the membership, and the Env-Arch discussion list. We will now require specific consent to retain member emails on both. All members will be receiving an email through each list asking them to confirm their consent to remain a list member. Please take the time to reply to these emails – in particular, our AEA-jiscmail list is our primary means of disseminating information to members – we want you to remain on it!
Data sharing good practice: data minimisation
The AEA only shares member details with our publishers, Taylor & Francis. This is strictly limited to names and addresses: we do not, for example, include member emails on the address lists we compile for the use of T&F. In doing this, the AEA already complies with the new GDPR, which calls for controllers to ‘hold and process only the data absolutely necessary for the completion of its duties (data minimisation) as well as limiting the access to personal data to those needing to act out the processing’.
Rights to Access and the Right to be Forgotten (Data Erasure)
The GDPR gives the right for individuals to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, and to be given a copy of that data, free of charge, in an electronic format. Data Erasure, or ‘the right to be forgotten’ entitles the data subject to have his/her personal data erased, cease further dissemination of the data, and potentially have third parties halt processing of the data. Any members wishing to discuss or exercise either of the above Rights are asked to contact the Membership Secretary (firstname.lastname@example.org).
Privacy, Security and Data Management
Within the AEA, your personal data is held by, and is only accessible by, the Membership Secretary. AEA member data is held securely in a format which meets the standards required by the GDPR. In order to be able to respond effectively to member queries, the AEA will now ask for consent on joining/renewing to retain the personal data of lapsed members for three years, after which time the data will be anonymised and moved to our data archive.
Sensitive data (e.g. ethnic origin, political opinions, religious beliefs, health, sexual orientation, trade union membership, crime) is now known as ‘special category’ data. This cannot be held unless there has been explicit consent given or meets very specific conditions as stated in the GDPR.
The AEA collects no such data on its members.
If you have any further queries, please contact the Membership Secretary at email@example.com.