Our reader is the honorary secretary of a newly-founded association which has been set up for philanthropic purposes. He is asking whether there are any obligations under the Data Protection Act.

Indeed there are certain obligations to be complied with - as the association is made up of members, a list of these individuals is kept and this membership list or roll will, as a minimum, contain in relation to every member the name and surname, the address and other contact details. This information is termed as personal data - personal data is defined to mean any information relating to an identified or identifiable natural person (not a company or other body) - in this case the member. The association collects this data, retains it in its records and uses it for its purposes. These operations are termed as processing and the association is called the data controller.

The first obligation of the association is therefore that of a data controller: to file a notification form of the processing operations with the Data Protection Commissioner. This form is available from the office or from the Website with easy-to-follow instructions. This is a once only obligation, unless there is a change in this processing or in the details submitted in the form.

In this case, only such changes need to be notified to the Commissioner when and if they arise. An annual notification fee of Lm10 is normally due, however if the association is a philanthropic institution or similar organisation, or band club, or a sports club or other organisation which qualifies for an exemption from the payment of income tax (Art. 12 (1)) of the Income Tax Act) there will also be an exemption from the payment of any fee under data protection.

In many cases, personal data may only be processed subject to consent being given. In this case, the fact that a member has applied for membership with the association and filled in the form, is considered to be consent. However, the personal data may only be used for the association's legitimate activities and such consent will be limited to the association's objectives as contained in the statute of constitution; any further use or processing will require the member's specific and informed consent.

Therefore the data can neither be passed on to a third party, unless this falls within the scope of the association, nor can it be used for marketing purposes. By way of example, there is nothing wrong if the association uses the information to publicise an event which it is organising for fund-raising purposes, but it is incorrect if the association passes on the members list to a third party for advertising or for any another communication purpose unconnected with the activities of the association.

In any case, sensitive personal data (which reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life) may only be provided to third parties with the explicit consent of the member.

On the other hand, a member has a right of access, that is, he has a right to be informed on the personal information kept by the association about him, and if such information is incorrect or not updated, the member will have the right to ask the association to delete or rectify the information. If this right is not granted, then a person may seek the assistance of the Commissioner to intervene and remedy.

Readers are invited to address any queries on data protection, which may be discussed in this column, to the Office of the Commissioner for Data Protection by e-mail commissioner.dataprotection@gov.mt or at its address, 2, Airways House, High Street, Sliema SLM 16.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.