All membership organisations, including co‑ops, will keep information on their members.
Data is a serious business
Maintaining that information is of course subject to the rules on Data Protection, but is also governed by the rights of members in the Co‑operative and Community Benefit Societies Act 2014 and in each co‑op’s rules. What is sometimes less clear is how all these different rights and obligations work together (or don’t).
What if a member wants to call a meeting themselves and asks for membership records? What if, during the lockdown period, members want to get together? What if a society goes into administration, and the members want to call a meeting to discuss it? In all of these situations, access to the membership records of the co‑op will be a key issue.
These issues are not unique to registered societies. Companies will keep records of shareholders; some co‑ops use the limited company form, and though the governing law is different, many of the same issues could arise.
Recently a question was raised with the advice team on some of these issues, asking about member access to the membership records. S103 of the Co‑operative and Community Benefit Societies Act 2014 provides that members can view the duplicate register that societies are required to keep, which displays member names and addresses (but not their shareholdings). S103 says nothing about taking copies, however.
For companies, section 116 is more comprehensive. It says that someone who wants to access the register of members has to make a formal request, giving not only their own details but also:
- The purpose for which the information is to be used.
- Whether that information will be disclosed to anyone else, and if so, who, and how they will use the information.
If the company thinks that the purpose is “improper” then the company can ask the court to intervene. There is case law which, in the view of solicitors Anthony Collins, probably gives some of the same protection to societies as well.
Another option might be for the co‑op to offer to circulate information to members itself, but what if a member insists? There have been arguments about the possible application of Schedule 2 of the Data Protection Act 2018 (rather than the 2014 Act or the Companies Act) on this issue.
Paragraph 5 of that Schedule provides that some of the GDPR protections on disclosure of data don’t apply if the disclosure of the data is “necessary for the purpose of, or in connection with, legal proceedings”, or for obtaining legal advice, or for defending legal rights, where the provisions would otherwise prevent the data controller (here, the society) from making the disclosure.
However, the GDPR itself provides that the “lawfulness requirements” still apply to the exceptions under the Schedule. So, disclosure is not barred, but the co‑op would still have to have a legal basis for sharing the data – which of course is data on all the members, not just the person concerned. The question will centre on whether or not the disclosure was “necessary” at all.
There is always a balance to be struck between the rights of an individual member to access Society records, and the rights of other members to have their data disclosed only where there is a legal reason for so doing. The relationship between different laws can be complex. Perhaps the key issue here is purpose – you need to be really clear as to why someone wants the information and what they will use it for, and if you think there are real grounds for concern, you can always say no.
Giving out members’ data is a serious business, and co‑ops should think carefully before they do so.