With changes to the data protection rules and regulations, there is more scrutiny of the personal data held by organisations. One of the principles of good practice for data protection is that personal data should be kept up to date, and deleted when no longer required.
For UK organisations that are companies, section 121 of the Companies Act 2006 (Removal of entries relating to former members) sets out the relevant provision:
“An entry relating to a former member of the company may be removed from the register after the expiration of ten years from the date on which he ceased to be a member.”
For CIOs in England, paragraph 3 of Schedule 1 of the Charitable Incorporated Organisations (General) Regulations 2012 states something similar:
“An entry relating to a former member of a CIO may be removed from the register of members after the expiration of 10 years from the date on which that person ceased to be a member.”
Note that both provisions say that the personal data MAY be deleted – it is not obligatory under the Companies Act, but there could be an argument under the Data Protection Act that keeping the personal data for much longer is not consistent with the data protection retention rules. It is also possible to retain the personal details for other reasons – for example, if the ex-member has consented to receive marketing and fundraising emails.
For UK clubs or societies that are unincorporated, there is no statutory guidance. Some constitutions may set out specific provisions, which, if present, must be followed. In all cases, it will be necessary to comply with data protection regulations.