Data Protection and Privacy

Data Protection Policy and Website Privacy Policy for

Download this Data Protection and Privacy document as a PDF


The data that members provide the Association are kept in documents that are held and processed both as hard copy and electronically. This means that the Association is subject to the General Data Protection Regulation 2016 (GDPR) which comes into force in the UK on 25th May 2018. It replaces the Data Protection Act 1998 and will harmonise data protection law throughout Europe. Under GDPR we have responsibilities of care to uphold. This document outlines our policies.

What sort of data we hold and how are they held?

What data do we keep?

We are only allowed to keep data that are necessary for our Association activities. We keep some or all the following:

  1. Name
  2. Plot number
  3. Email address
  4. Postal address
  5. Landline phone number and/or mobile phone number
  • The Association uses electronic spreadsheets to manage personal data (including membership and finances). These spreadsheets are held securely on cloud servers or on individual Committee members’ computers and are emailed between Committee members on a need-to-know basis.
  • When you pay money to us (for example, your annual plot rental), we may keep a record of your payment and what it was for, together with your plot number and name (or payment reference).
  • Committee meetings are held at least quarterly. Committee minutes, which may include member names and plot numbers, are emailed to Committee members. However, these minutes are redacted to remove personal data if posted on noticeboards and website.
  • The minutes of the Association AGM, including names of attendees, are posted on our website.
  • Our bank account is with Lloyds. Committee members who are signatories on the bank account are able to see Lloyds statement of members’ electronic payments.

Confidential or sensitive information

  • Members may occasionally disclose confidential information to the Committee, for example if illness or family problems are making it difficult to maintain their plot, or where financial problems are making payment difficult.
  • This information is only shared between Committee members, and only on a ‘need to know’ basis.


  • You are the source of your own personal information, initially from when you joined the Association, and then changes that you notify us about.
  • We will endeavour to maintain accurate records, but we rely on members keeping us up-to-date.
  • All information is checked annually when plot rents are due for renewal.

Email usage

  • The Association uses email to handle most administration and communication tasks.
  • The Association Chair and Membership Secretary, who are responsible for bulk emails have email accounts used for this purpose ( and ) All initial email traffic to the committee is on one of these accounts and not now on a personal email account.
  • These accounts contain members’ email data.
  • In cases of bulk emailing (e.g. to send out notice and paperwork for the AGM), we make sure to use the Blind Carbon Copy (Bcc:) function to ensure other members’ email addresses are not visible.

What are the data used for?

The data are only used for legitimate Association uses; these include:

  • Communication between committee members and other members as part of the daily running of the Association
  • Notification of Association meetings and the minutes of those meetings
  • Provision of news to Association members.

What are the data NOT used for?

  • We will not disclose your data to other members or to third parties or use it on behalf of third parties.
  • For example, members may sometimes be lobbied to advertise a service or product that might be useful to other members of the association.
  • We will not use your addresses to do this (no “spam” allowed).
  • GDPR data protection law has six possible bases on which to hold personal data, including Obtaining Consent, and as Legitimate Interests.
  • Like other membership organisations we hold your personal data on the basis of ‘Legitimate Interests’.
  • This is defined as meaning in ways one would “reasonably expect … and which have a minimal privacy impact, or where there is a compelling justification for the processing” such as being able to communicate with our members – we cannot rent plots to members with whom we have no way to communicate.
  • See: basis-for-processing/legitimate-interests/ ).

Who can hold, process or access personal data and how long are data retained?

Who has access to the data?

  • Only those who need access to the data have access and they do not share it with anyone else.
  • The following Committee members have access to the full membership data: Chair, Membership Secretary, Treasurer.
  • The names of all Committee members and Trustees are in the public domain. It is occasionally necessary for their contact details to be shared with outside bodies, for example, for the purposes of insurance.

How do we protect the data?

  • Data are held as documents on password-encrypted computers and data is stored on a GDPR-compliant Cloud server
  • Mobile (“smart”) phones are sometime used for email purposes. Phones are vulnerable to loss and theft so if they are used for Association business they must at least use a 4-character PIN.
  • Spreadsheets containing multiple records will not be kept on phones.

What happens when a member leaves the Association?

  • We do not keep data that is not needed for operation of the Association. The data for members who leave is usually held for at most 6 months, after which time it will be deleted from our records.
  • We keep the data for a short period in the event that we need to communicate with a member who has recently left, and only for the purpose of resolving any outstanding matters.
  • We aim to retain limited non-identifiable data to monitor how well we operate as a community resource

The purposes for which we hold personal data

The key purpose for holding your personal data is for the administration of the Association and the management of the allotment site. In practice, this means:

  • Dealing with prospective members (initial/follow-up contact, waiting list, site tours, site access codes …)
  • The offer of a plot, and acceptance of a plot. Any moves from one plot to another, additional plots. Relinquishing of plots, and termination of membership.
  • Payment for membership, the plot and associated sundries.
  • Management of permissions associated with the plot (e.g. shed and tree permissions).
  • Communication about the site and plots (e.g. social events, working parties, policy reminders, gardening advice,…). Communication on individual circumstances affecting the plot holder or plot. Communication about the Association (e.g. AGM). Communication about ODFAA (Oxford and District Federation of Allotment Associations, Oxford’s allotment umbrella group), to which the Association belongs.
  • Issues with plots, and enforcement of site and plot rules, including any follow-up required with individual members and co-workers, within and outside of the regular audit process.
  • Urgent contact for plot or site problems.
  • Management of the Site and Association as a whole, for example, meeting minutes, analysis of plot vacancies, late payments, working party hours.

Data Policy Implementation

  • A nominated member of the committee is responsible for ensuring that this policy is adhered to.
  • The GDPR Data Controller is the Membership Secretary who will undertake this role.
  • Other Committee members act as GDPR Data Processors – collecting data e.g. from new tenants or at rent renewal time.

Your rights

  • Data protection law gives you certain rights. Full details are available on the Information Commissioner’s website.
  • For a small organisation like ours with relatively simple records, the relevant rights are for you to see your record and to correct any errors in it. Members can at any time ask the Chair or Membership Secretary for a copy of their recorded data. To request this, send an email to either – or
  • When you come to pay the plot rent in February of each year you can check the information we hold on you is correct.
  • You also have a right to complain to the supervising authority, ie. to The Information Commissioner’s Office (

Website Privacy Policy

We are committed to safeguarding the privacy of our website visitors; this policy sets out how we will treat your personal information.

What information do we collect?

We may collect, store and use the following kinds of personal data:

  • information about your computer and about your visits to and use of this website (including your IP address, location, browser type, referral source, length of visit and number of page views)
  • information that you provide to us for the purpose of subscribing to our website services, email notifications and/or newsletters
  • any other information that you choose to send to us


  • A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
  • We may use “session” cookies on the website. We will use the session cookies to: keep track of you whilst you navigate the website. Session cookies will be deleted from your computer when you close your browser.
  • These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and pages visited.
  • Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites.

Using your personal data

Personal data submitted on this website will be used for the purposes specified in this privacy policy or in relevant parts of the website. We may use your personal information to:

  • administer the website;
  • improve your browsing experience by personalising the website;
  • enable your use of the services available on the website;

Third party websites

The website may contains links to other websites. We are not responsible for the privacy policies or practices of third party websites.

Updating information

Please let us know if the personal information which we hold about you needs to be corrected or updated.


If you have any questions about this privacy policy or our treatment of your personal data, please write to us by email to or