Herefordshire Green Network Data Protection Policy



HGN means Herefordshire Green Network

GDPR means the General Data Protection Regulation.

Responsible Person means Temi Odurinde

Register of Systems means a register of all systems or contexts in which personal data is processed by HGN.

1. Data protection principles

Herefordshire Green Network (HGN) is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General provisions
  1. This policy applies to all personal data processed by HGN.
  2. The Responsible Person shall take responsibility for HGN’s ongoing compliance with this policy.
  3. This policy shall be reviewed annually.
3. Lawful, fair and transparent processing
  1. To ensure its processing of data is lawful, fair and transparent, HGN shall maintain a Register of Systems.
  2. The Register of Systems shall be reviewed at least annually.
  3. Individuals have the right to access their personal data and any such requests made to the Network shall be dealt with in a timely manner.
4. Lawful purposes
  1. All data processed by HGN must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  2. HGN shall note the appropriate lawful basis in the Register of Systems.
  3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  4. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Network’s systems.
5. Data minimisation
  1. HGN shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  2. If a Member chooses not to renew their membership HGN will retain their personal data / contact information for a further year but will then delete it if that former Member does not wish to renew their membership.
  3. Personal data that is stored by HGN in relation to contractor agreements, bank details etc. must only be retained for the period of time recommended for accounting purposes, currently recommended as being no longer than 6 years.
6. Accuracy
  1. HGN shall take all reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date. Personal and business contact information will be updated by the HGN Administrator within a week of being informed of the changes.
7. Security
  1. HGN & all personnel acting on behalf of HGN shall ensure that personal data is stored securely using modern software/hardware that is kept up to date. This applies to data stored digitally and on paper / hard copies.
  2. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  3. When personal data is deleted this should be done safely so that the data is irrecoverable.
  4. Appropriate back-up and disaster recovery solutions shall be in place.
8. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, HGN shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (ICO).

Last updated: 24/08/18

HGN Website – Shared data

HGN uses a number of software tools that run on our WordPress website as plugins; some of these utilise Cookies. Cookies are small pieces of text used to store information on web browsers. Cookies are used to store and receive identifiers and other information on computers, phones and other devices. Please refer to the links below for further privacy information by the providers of the tools and Cookies we employ.



We use a third party provider, MailChimp, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.


Social Media

We use third party providers, Facebook, Twitter and Instagram, to manage our social media interactions. For more information, please see:

Facebook privacy policy.
Twitter privacy policy.
Instagram privacy policy.
Yikes (Mailchimp Plugin) Privacy Policy.


Web analytics

We use Google Analytics to analyse our web traffic. For more information, please see Google’s privacy notice.

We also use the analytics tool included in Jetpack by Automattic. For more information please see the privacy policy.


Website Management

Our website is built on the WordPress content management system; please see their privacy policy.

Our cookies are collected and provided from a number of locations. For more information, follow the links to their respective privacy policies.


Between us we use several different e-mail providers. Follow the links by each provider to see each of their privacy policies.




We use Google Sheets for Herefordshire Green Network’s administration and post articles via NextScripts: Social Networks Auto-Poster. For more information please see:

Google privacy policy

NextScripts: Social Networks Auto-Poster

Updated 24 October 2018


GDPR: Register Of Systems Introduction


In accordance with the General Data Protection Regulation which came into force on 25 May 2018, this document sets out the approach of HGN to the collection, use and management of the personal data of its members and others who interact with HGN, under the following headings:

The data we collect and in what way

On becoming a member of HGN individuals and organisations are asked to complete an application form and to supply name, address, email address, telephone number and website address, social media sites (if applicable). The data is entered on to a Google spreadsheet by the Administrator and updated either through the annual membership renewal process or as new data is made available throughout the year (e.g. change of name, email or residential address). Names and email addresses are also entered by the Administrator on to a Mailchimp contact database in order to facilitate the dispatch/receipt of an online newsletter. Individuals who have not signed up as Members may also opt in and receive HGN communications, such as the Daily Bulletin and Friday Round-Up Bulletin, by signing up on the HGN website themselves. Names and email addresses are collected via the HGN website.

HGN will need to store personal and business data about contractors who deliver services for HGN. This data is required in order to fulfil contractual obligations on both sides. HGN will collect full contact details (name, address, email address and bank account details when payment is required in fulfilment of a contract). The HGN Administrator and HGN Events Co-ordinator may collect this data when requesting contracts for HGN activities, such as leading a workshop, etc. The data will also be shared with the HGN Treasurer who will initiate payment of invoices. The data may also be viewed by members of the Steering Group who authorise said payments.

How the data are stored and who has access to them

Only the paid officers of HGN – i.e. the Administrator, Events Co-ordinator and the HGN Steering Group members – have access to the personal data of Members of HGN and other participants who engage with HGN activities.

The Google spreadsheet maintained by the Administrator can be viewed by the relevant officers (as outlined above) each time it is updated. The spreadsheet is stored in the Google Cloud and is password-protected. Google have committed to meeting full GDPR security requirements in their storage of customer data.

The Administrator, Events Co-ordinator and some relevant HGN Steering Group members also have access to the data stored on the Mailchimp database.

Digital application forms are stored by the Administrator once he/she has entered the details on to the Google spreadsheet and Mailchimp contact database and will be stored in a secure folder on Google Drive.

Sharing the data

The complete data set is shared solely between the officers as described above.

The complete data set will not be shared with any third party unless legally obliged to do so.

From time to time it might be necessary to share the personal data of one member of HGN with another in order, for example, to arrange transport to an event of one member by another. This will not, however, be done without the agreement of the member concerned.

Purpose for which the data are used

Our data is processed on the basis of legitimate interest and consent via opting-in.

The data is used primarily as a vehicle for disseminating information about HGN and its activities.

Each electronic newsletter provides the option to unsubscribe.

Data removal and archiving

A member who fails to renew his/her membership is kept on the membership database for one further year.

If a member fails to renew his/her membership after this further year, his/her data will be removed from the membership database, Google spreadsheet and Mailchimp database.

If a recipient selects the option of unsubscribing on the Mailchimp newsletter, the Mailchimp software will automatically delete the person’s data from the Mailchimp database.

Updated August 2018