GUIDANCE NOTE ON DATA PROTECTION
- This document sets out guidance that is intended to provide assistance to those advising Lodges and Chapters in relation to how personal information relating to
individual Masons must be handled by each Lodge and Chapter of which the Mason is a member.
- An earlier Guidance Note dated 15 November 2016 was circulated which reflected data protection law as it was at that time. On 25th May 2018,
the law will change in a number of ways, some of which will affect the way that Lodges and Chapters process personal data. This is as a result of the European General Data Protection Regulation
(GDPR), which takes effect on that date.
- This Guidance reflects data protection law as it will be under the GDPR, and is intended to replace entirely the Guidance Note dated 15 November 2016.
Whilst many of the requirements and obligations will not change under the new law, Lodges and Chapters are kindly requested to have regard to this Guidance Note only for an overview of their
responsibilities from 25th May 2018 onwards.
- As previously, the Guidance does not set out an exhaustive overview of the provisions of the GDPR: its purpose is to identify the principles and requirements
of key importance that are likely to be relevant to the way in which individual Lodges and Chapters deal with the information that they maintain about their members. As ever, any specific
queries or concerns in relation to data protection should be raised with the Province or District in the first instance.
A. The requirements of the GDPR: a brief overview
The meaning of ‘personal data’
- This Guidance is concerned with the processing (meaning the handling) of ‘personal data’. Broadly speaking, ‘personal data’ is information that
relates to a living individual. Whether or not the requirements of the GDPR apply when such information is processed depends upon the way in which the information is recorded or handled.
- Information that is held on a computer, or is intended to be held on a computer, is covered by the GDPR. Therefore, the information about individual
Masons that is recorded on the UGLE database (ADelphi) is clearly covered, and the way in which that information is handled and maintained by the UGLE, the Provinces, London and Districts, all of
which have access to ADelphi, must comply with the requirements of the GDPR.
- In addition, information that is not held on a computer but which is part of what the GDPR calls a ‘filing system’ is also covered by the GDPR. Again,
whenever that information is handled in any way, the requirements of the GDPR must be complied with.
- The GDPR provides a definition of a ‘filing system.’ UGLE considers that it is very likely to cover the kind of information that Lodges and Chapters
collect and maintain about their own members. It is therefore imperative that all such information is handled in accordance with the principles of the GDPR by the nominated ‘data controller’
(which would include both individual Lodges and Chapters – see section B below for more detail).
- As a caveat to that, there are also a number of exempt ‘types’ of information, to which the GDPR will not apply. This Guidance does not explore those
exemptions in any detail, as they are unlikely to cover the information maintained by Lodges and Chapters.
The key data protection principles
The conditions for processing
- There are particular conditions that must be met before personal data can be processed at all. Very broadly, there are general conditions that apply
to all ‘personal data’, and other more stringent specific conditions that must be met in relation to ‘special categories’ of personal data (which include, inter alia, information that reveals the
individual’s racial or ethnic origin, and religious or philosophical beliefs). Information relating to an individual’s previous criminal convictions is not actually classed as a ‘special
category’ of personal data, but specific and more stringent conditions likewise apply before it can be lawfully processed.
- As to the general conditions, data processing which is required for a Lodge or Chapter’s day-to-day Masonic operations is permitted because it is in the
‘legitimate interests’ of a Lodge or Chapter, as a membership organisation. In addition and overlapping, there is arguably a contract between a Lodge or Chapter and each paying member, and the
Lodge or Chapter is permitted to process data which is required for it to perform that contract. These justifications cover internal processing by the Lodge or Chapter and also cover sharing
members’ data with other relevant Masonic entities including UGLE and the Metropolitan Grand Lodge, Province or District (but not with the Masonic charities, as sharing with charities is subject to different
considerations, addressed below).
- Lodges or Chapters may sometimes wish to undertake other types of processing. UGLE’s standard application form now requests applicants’ consent to
the processing of their personal data relating to previous criminal convictions, for the purpose of considering their application. If an applicant withdraws his consent at any point before he
becomes a member then the Lodge or Chapter must cease to process this data. Similarly, a Lodge or Chapter may sometimes wish to process its members’ data for charitable or other non-Masonic
events, or be asked to share its members’ data with a charity or non-Masonic entity. This processing or sharing must only be done with the explicit, informed consent of each member.
Unless such consent has been obtained from the member, none of these other kinds of processing must be carried out.
The data protection principles
- Once it has been established that the processing of the information is permitted, the GDPR then requires that the information is processed in accordance
with the data protection principles. There are seven data protection principles in total, and this Guidance does not address all of them. In very broad outline, some of the key principles
to note are that:
- Personal data must be processed in a way that is transparent, and individuals must be given an appropriate ‘privacy notice’ when their personal data is collected.
- Personal data must be accurate and kept up to date where necessary.
- Personal data must not be kept for any longer than is necessary to fulfil the purpose for which the data is kept.
- Measures must be taken to ensure that the personal data is not processed in a way that breaks the criminal or civil law, and to ensure that the personal data is not
accidentally lost, destroyed or damaged.
- Lodges and Chapters are urged to keep these key principles in mind when handling the personal data of their members. New applicants to every Lodge or
Chapter will receive a privacy notice as part of their application form, but privacy notices must also be made available to existing members if they request it.
- Significantly, as a new requirement under the GDPR, the ‘data controller’ (as to which see Section B below) must be able to demonstrate that the principles
are being complied with. In practical terms, this means that any decisions that are taken by Lodges or Chapters in relation to the personal data they collect and maintain should be carefully
considered, and those thought processes documented (in emails, meeting notes, and so on). Such decisions could include, for example, decisions in relation to the type of personal data that a
Lodge or Chapter may collect and maintain; decisions in relation to the way that the Lodge or Chapter records the personal data; or decisions in relation to the way that the Lodge or Chapter uses the
Personal data breaches
- A further new requirement under the GDPR is for data controllers to report, in certain circumstances, any ‘personal data breaches’ to both the Information
Commissioner and to the data subject himself.
- The GDPR provides a fairly broad definition of a ‘personal data breach.’ It would include, for example, the loss of personal data; the accidental
disclosure of personal data to a third party; and the inappropriate alteration or amendment of personal data held by the Lodge or Chapter.
- The requirement to report a breach does not always arise (if, for example, the consequences of the breach are likely to be non-existent or very
insignificant). Each breach can only be considered on an individual, case-by-case basis, with advice being taken from the District or Province as to the appropriate action to take. The
important point for Lodges and Chapters to note is that individuals who have access to personal data must be made aware of the need to bring such breaches to the attention of the relevant person within
the Lodge or Chapter, so that the matter can be dealt with effectively and promptly.
Rights of the individual
- It must also be noted that every Mason has, under the GDPR, a number of rights in relation to his personal data that is held by the Lodge or Chapter.
These include the right to:
- Access a copy of the information held;
- Object to the processing of that data in certain circumstances;
- Prevent the processing of that data for the purpose of direct marketing, which includes fundraising communications from charities;
- Require that the data be permanently erased in certain circumstances.
- Any more detailed consideration of those rights is outside the scope of this Guidance. However, Lodges and Chapters should be aware that they exist,
and that advice may need to be sought in the event that any issue arises.
B. Lodges and Chapters as ‘data controllers’
The meaning of ‘data controller’
- The GDPR states, in summary, that a ‘data controller’ is a person (which can include an organisation) who, acting alone or with others, determines the
purposes for which and the means by which any ‘personal data’ are, or are to be, processed.
- As noted in Section A above, UGLE considers that the kind of information collected and held by individual Lodges and Chapters concerning their members is
likely to meet that definition. It therefore follows that the Lodges and Chapters as entities in themselves are ‘data controllers’, since the Lodges and Chapters make decisions (through
individuals acting on their behalf) as to the purpose for which and the means by which the information about their members is handled.
- UGLE also considers that the individuals within Lodges and Chapters who make decisions on the organisation’s behalf as to how the personal data is to be
handled similarly meet the definition of ‘data controllers’ under the GDPR.
- UGLE considers that it is necessary, in the interests of clarity and to ensure compliance with the requirements of the GDPR, to formally appoint one or
possibly two individuals within each Lodge and Chapter to have sole responsibility for determining how the personal information that is held by the Lodge or Chapter is handled. UGLE believes
that this will help to ensure compliance with the requirements of the GDPR and consistency of approach to data processing issues within each Lodge or Chapter. UGLE expects that the Lodge
Secretary or Chapter Scribe will often be the most appropriate person to discharge this duty.
The requirement to register and payment of fees
- Under the old law, all data controllers were required to notify and register with the Information Commissioner’s Office and to obtain a licence, subject to
a limited exemption for not-for-profit organisations. All notifying data controllers were also required to pay a modest fee (currently set at £35).
- In principle this requirement still exists until the GDPR comes into force, unless of course the not-for-profit exemption applies. As set out in the
earlier Guidance, whether or not the exemption may apply depends on the particular circumstances. Lodges and Chapters should already have given consideration, seeking advice as necessary, as to
whether their handling of the personal information of their members would fall within the exemption and consequently whether or not registration is required. If such consideration has not yet been
given to this issue for any reason, Lodges and Chapters are reminded that this is necessary and, as stated, that the requirement to register as a data controller (if the exemption cannot be relied
on) continues to apply for the time being.
- As to the position from 25th May 2018 onwards, there is no requirement to notify under the GDPR and therefore this falls away. However,
Lodges and Chapters should note that fees will continue to be payable by data controllers, the amount of which will vary according to the size of the organisation and the nature of the processing
being carried out. For small entities with low processing levels, the ICO has indicated that the fee is likely to remain modest (£55 – see the ICO blog post at https://iconewsblog.org.uk/2017/10/05/ico-fee-and-registration-changes-next-year/).
- The law on this issue has not however yet been set in stone, and Lodges and Chapters are advised to keep an eye on the ICO website for announcements as to
the process for paying the fee, the amount, and whether there are any exemptions that could apply to Masonic entities. UGLE will issue further guidance when the law is established, if this