Data protection requirement on members using personal data


 This note sets out the requirement for data protection that is incumbent upon all members using the personal data on other members supplied through the Jesus Old Members’ Group (XL Network).


 The General Data Protection Regulation (GDPR) requires that the Group manages all the personal data it holds. Specifically the GDPR governs the use of documented data. This note provides advice to the Committee members of the Group, to those members who are kind enough to organize events on behalf of the Group, and to all members to ensure that they ensure that any personal data they hold is subject to appropriate data protection.


For the purposes of the Group, personal data is that held in the Members’ Database, the Members’ Directory, contact lists for any sub-Groups, and details of members and guests held to enable a social event to take place successfully.


 The use of personal data will include passing on data to a third party or asking a member to do something on the basis of known personal data. There will be many occasions when personal data can be passed amongst friends or colleagues without there being any link to the Group, for example, exchanging telephone numbers to arrange for members to meet with friends for coffee. This advice only comes into effect when it could reasonably be assumed that there was a Group involvement, for example the organization of an event.


When managing data on behalf of the Group during an activity:

  • Only record what you need to know;
  • Do not share information with people outside the Group except to enable an event to take place (e.g. providing names for permits, dietary requirements for restaurants);
  • Manage e-mails containing personal data with great care;
  • At the end of the activity:
    • Provide any financial information that must be retained (e.g. payment details) to the Group’s Treasurer who is responsible for ensuring such data is retained according to legal requirements;
    • Delete all other information that was created specifically for the activity, albeit the Events Coordinator may retain a list of attendees to assist in the profiling of future events.


If a member of the Group feels that he/she wishes to use personal data in a manner that might be construed as linked to the Group and that use has not been authorized by the Committee, the member should contact the Data Protection Officer (DPO) via the Contact Form on the website and discuss whether any formal procedure is necessary to safeguard the recipient of the information and the members whose information is being used.