This document is an advisory document only and does not set out a policy for anyone
to follow. It is intended only as guidelines for Clubs to construct their own policy.
Whilst the document has been researched and we believe it to be accurate, the PAGB
can accept no responsibility for any errors or incorrect statements and cannot be held
liable for any consequent actions which may arise.
A list of sources consulted during the preparation of this advice is at Appendix One.
This document is primarily written as advice to affiliated Clubs, but also applies to member
Federations and to the Photographic Alliance of Great Britain. Each of these is an
independent data controller.
The Data Protection Act 2018, which incorporates the European Union General Data
Protection Regulations (GDPR), replaces the current legislation (the Data Protection Act
The current data protection principles, as first introduced by the Data Protection Act 1984,
are continued effectively unchanged.
The new legislation adds a requirement for all data controllers to demonstrate their
Clubs need to inform volunteers about the requirements for holding and using personal data.
Clubs do not need explicit consent to collect personal data, but implied consent is only valid
within a published policy.
The data controllers of Inter-Club and similar events will need to ensure they have consent
from individual photographers whose work is entered via a third party.
No additional requirements arise for vulnerable individuals.
Subject access to personal data continues.
The ‘right to be forgotten’ will not apply in practice.
Existing restrictions on electronic marketing are not affected and continue.
There has been data protection legislation based on European Union Directives since 1984.
The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which in turn is
replaced by the European Union General Data Protection Regulations (GDPR), as
incorporated into UK law by the Data Protection Act 2018.
Throughout, data protection has been based on a set of principles, with which all data
controllers must comply. A data controller collects and uses personal data. The principles
apply to personal data collected by the controller on any data subject, meaning a natural
GDPR Article 5(1) gives the principles in detail, but they can be summarised.
The controller may only collect personal data relevant for lawful purposes, and where
the data is sufficient and adequate, is not excessive, and is kept accurate and up to
date. Personal data must be destroyed when it is no longer relevant or required.
The controller must keep personal data secure, but also available for the relevant
The controller must respect the rights of data subjects, including the right of access.
Previously, compliance with the principles by data controllers was checked via notification to
the Information Commissioner (ICO). Non-profit organisations, such as Clubs, were exempt
from notification, and all notification was abolished by the Digital Economy Act 2017.
GDPR Article 5(2) introduces a new and important requirement for all data controllers to
demonstrate their compliance with the principles in Article 5(1). For non-profit organisations,
this will be an additional duty. In practice this would appear to fall into two parts:
Action: Clubs will need to prepare and publish a data protection policy containing an
adequate description of what personal data will be collected and for what purposes.
Action: Clubs will need to review and document their compliance with their own policy.
Regardless of these actions, effective compliance is an ongoing requirement, and it will
always rely on a proper understanding by all relevant Club officials of their responsibility to
act within any policy.
As a simple example, it is desirable for the contact details of all Club members to be
restricted to the executive committee. If a committee member then circulates information to
all members by email, the sender should place the circulation list in the ‘Bcc’ section of the
email header, and not in the ‘To’ section. That will only happen if senders are advised
Clubs have volunteers working from home. A volunteer may work for several different
organisations, each being a different data controller. The previous practice, whereby
personal data kept solely for domestic use is exempt from data protection legislation, is
continued. However, volunteers need to be advised that personal data acquired via one data
controller may not be used for the purposes of another data controller.
Action: Clubs will need to inform their volunteer officials about maintaining a separation
between personal data from different data controllers, and between controlled and domestic
use of personal data.
There is a common misunderstanding that all collection of personal data requires explicit
consent. It does not.
GDPR Article 6(1) sets out the available lawful purposes for processing personal data. It will
be simplest for Clubs to rely on Article 6(1)f, where personal data may be collected for the
legitimate interests of the data controller. For a Club, it is obviously necessary to know who
its members are, and to have sufficient contact details so that the members can be uniquely
identified. It is also normal for Clubs to handle images from members and make records of
entries to events and of any results.
Implied consent will be an essential feature of membership, given that membership is
voluntary. But consent will only be valid if members and potential members are adequately
informed eg, via a published policy.
A Club may also need to know about members in the recent past, about potential members
and about contacts within other organisations. There will also be retained historical records
eg, programmes, catalogues and award winners.
Consent via a Third Party
Normal activity for many Clubs includes facilitating submission of members’ images to Inter-Club,
Federation or PAGB events. In that case, the Club is passing personal data to another
data controller. The receiving data controller has no direct relationship with the data subject,
and has to rely on consent passed on by the Club.
Action: Organisers of inter-Club and similar events will need to review their entry conditions
to ensure that any third party entrant confirms explicit consent for the organiser to hold
personal data about the photographers entered to the event.
A similar issue arises with contact lists circulated in handbooks or placed on web sites,
where policies and documentation also need to be reviewed.
The PAGB has published separate guidance on the safeguarding of children and others,
collectively referred to as ‘vulnerable individuals’.
The guidance remains applicable, and no additional issues arise for Clubs from the change
of data protection legislation.
Data subjects are entitled to access their personal data held by a data controller. That is in
addition to making a data protection policy generally available. The data subject does not
have to give a reason for the request, and the few exemptions are unlikely to apply.
The ‘Right to be Forgotten’
GDPR includes the right to be forgotten ie, to have personal data erased. The right is not
automatic and there are exclusions which in practice mean that the right does not apply to
the circumstances discussed in this document.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 are separate
from and additional to the data protection legislation. Essentially, the circulation of marketing
material by electronic means is prohibited without express consent by the data subject, and
a data subject is entitled to withdraw consent at any time.
The definition of marketing material includes any offer of goods or services addressed to an
individual. The Information Commissioner’s Office has more detailed guidance.
Marketing material would not include information to members about events directly related to
a Club’s activities. There is no prohibition on general advertising, or material not directed to
an individual eg, a pile of leaflets at a Club meeting.
Action: Clubs must not make their membership contact information available for electronic
marketing. Clubs must refuse any request to cascade marketing material to members by
electronic messages.
Summary List of Actions
Clubs will need to prepare and publish a data protection policy containing an
adequate description of what personal data will be collected and for what purposes.
Clubs will need to review and document their compliance with their own policy.
Clubs will need to inform their volunteer officials about maintaining a separation
between personal data from different data controllers, and between controlled and
domestic use of personal data.
Organisers of inter-Club and similar events will need to review their entry conditions
to ensure that any third party entrant confirms explicit consent for the organiser to
hold personal data about the photographers entered to the event.
Clubs must not make their membership contact information available for electronic
marketing. Clubs must refuse any request to cascade marketing material to members
by electronic messages.
More in-depth information and explanations can be found on various pages of the
Information Commissioner’s Office website at: https://ico.org.uk/for-organisations/
Should you have any specific questions or require any further clarification, please contact
the Secretary of the PAGB. Contact details can be found in the PAGB Handbook and on the
Sources consulted during the preparation of this advice.
DPA84: “The Data Protection Act 1984” and subordinate legislation. Repealed by DPA98.
DPA98: “The Data Protection Act 1998” and subordinate legislation. Partly repealed by
DEA17. Repealed by DPA18.
PECR: “The Privacy and Electronic Communications (EC Directive) Regulations 2003”.
Rules controlling electronic marketing which are additional to data protection legislation.
PAGB: PAGB Advice for Clubs on Children, Young People and Vulnerable Adults attending
Club Meetings. February 2015.
GDPR: “The General Data Protection Regulations”. More specifically – “Regulation (EU)
2016/679 of the European Parliament and of the Council”.
DEA17: “The Digital Economy Act 2017”, where it repeals that part of DPA98 concerned
with notification by data controllers to the Information Commissioner.
DPA18: “The Data Protection Act 2018”, repealing DPA98 and implementing GDPR into UK
ICO: “The Information Commissioner’s Office”.
Note at February 2018: DPA18 is currently a Bill before Parliament, where any subordinate
legislation is not yet made.