Is your association storing unnecessary data on its members?
Many kinds of personal data, such as names, personal identity codes, addresses, allergy information, bank account numbers, dates of birth, photographs and videos are processed in hobby activities. Personal data cannot usually be stored indefinitely. Instead, a specific storage period must be defined for them, and the data must be erased when that period has elapsed. As a rule, personal data may only be stored for as long as necessary. Read the article for tips on the storage of personal data.
It is essential for the hobby organiser, such as a sports club, to determine how long it is permitted to store its members’ personal data. If an organisation does not take care to erase unnecessary personal data on a regular basis, it can end up storing data for years without a lawful basis for processing. In that case, an incident such as a data leak can expose more personal data to outsiders than it would have if the unnecessary personal data had been appropriately erased.
How is the storage period of personal data determined?
The storage periods of certain types of personal data, such as data related to employment or accounting, are specified by law. When this is the case, the data is stored for the statutory period and then erased.
The law does not lay down specific storage periods for all types of personal data, however. In the absence of legislation, the hobby organiser, in its capacity as controller, must determine its own storage periods for each type of personal data. The hobby organiser should first review the types of personal data it is processing and determine the purpose of each type. The organiser can then specify a storage period for each category of personal data according to its purpose. A good rule of thumb for determining the storage period is to store personal data only for as long as necessary for the purpose for which it was collected.
When determining storage periods, the hobby organiser should also take into account different scenarios, such as when someone quits the hobby. Some data can be erased immediately, but the law may require some types of data to be stored longer.
Some types of personal data are more sensitive than others, and these must be protected especially well. When storing health data, for example, the organisation needs to take into account the sensitive nature of the information and the potential harm to the data subject should it be leaked. This is especially true of children’s health information. Health data must be stored so that outsiders cannot access it and may not be disclosed to people who do not need it.
What do I need to take into account in the storage of personal data?
Personal data is stored in electronic format in, for example, case processing systems, enterprise resource management systems, applications and electronic documents. The hobby organiser must ensure that data can only be accessed by people who have the right to process it, for example in their work.
The same applies to the processing of data on paper. For example, documents can be stored in a locked cabinet and keys given only to those entitled to access the data.
Changes in staff must also be taken into consideration in the storage of personal data. It is important for hobby organisers to ensure that people who are no longer involved in the activity do not store data without a valid reason, for example on their personal computers or in their email.
When should personal data be erased and how?
Personal data must be erased at the end of its storage period. Because different types of data have different storage periods, they may need to be erased in different ways and at different times.
The data can be erased automatically or manually, depending on its form and place of storage. The data must be erased from everywhere it has been copied: data stored in the cloud must also be deleted from local downloads folders and email folders, for example. Also remember to delete any backups.
Personal data stored on paper must be destroyed appropriately, so that no unnecessary personal data is left forgotten in binders or at the back of filing cabinets. Paper documents can be destroyed by shredding or deposited in a confidential waste bin, for example.
The hobby organiser is responsible for ensuring that personal data is not processed for longer than necessary. The organiser must provide people processing personal data in hobby activities, such as coaches, instructors, team managers, treasurers, volunteers and equipment managers, with instructions on how to erase data appropriately. When drawing up such instructions, the hobby organiser should remember that the roles of people involved in hobby activities can change at short notice.
When the hobby organiser takes appropriate care of the storage and erasure of personal data, people can focus on the hobby, safe in the knowledge that their personal data is in good hands.
Author
Iida Lautsi
Iida Lautsi is a Senior Inspector at the Office of the Data Protection Ombudsman and participates in the GDPR4CHLDRN project as an expert.