Club GDPR Protocols and Policies
- SI Heswall & District Club General Data Protection Regulation (GDPR) Protocols
- SI Heswall & District Club Data Protection Policy
- SI Heswall & District Club Data Breach Policy
- SI Heswall & District Club Data Protection Complaints Process
SI Heswall and District Club General Data Protection Regulation (GDPR) Protocols
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. It makes transparency a right and increases the obligation on organisations to have clear policies and procedures in place to protect personal data.
- Policies relating to GDPR to be held by the Club President, Secretary and nominated club member responsible for data compliance.
- GDPR policies and personal details of members to be reviewed annually by the Membership Committee prior to the AGM.
- Members to be advised annually of any changes relating to the Club’s GDPR policies, in an accessible way.
- All Club Policies relating to privacy to be placed on the Club’s website.
- Membership data to be held on the computer of the person responsible for data compliance only if appropriate security precautions are in place. Paper copies of members’ details to be held in a secure and responsible way by the Club Membership Officer(s)/person responsible for data compliance. They will not be held responsible if the security of personal information is compromised by circumstances beyond their control. The Club Secretary will also hold information necessary to complete the Annual Return and the Club President will hold information to enable her to fulfil her duties as defined by the Club.
- Data is collected by the Club in order to:
- induct new members
- maintain a list of Members so they can be contacted when necessary
- keep Members’ information up to date
- prepare the Club’s Annual Return
- claim Gift Aid on a person’s donations
- create a Club Directory
- organise an event
- fundraise
- promote the Club
- acknowledge length of service / milestone birthdays
- be aware of issues relating to pastoral care
- The consent of Club members to be obtained prior to a Club Membership booklet being produced. Members to be advised by a statement being placed in the front of the booklet that it contains confidential information which must not be shared with non-members without the express permission of the member concerned. When members check and tick to confirm their details are correct, they will be consenting to their details (name, address, email address and telephone number) being included in the Club Membership booklet. The booklet should be stored responsibly.
- After a member has left, her personal data will be held for three years and securely destroyed on the third anniversary of her leaving, unless she requests that it be destroyed earlier. A record of membership, i.e. name, dates of membership and year of Presidency if applicable, will be retained.
- A Disclaimer and Copyright statement to be placed on the Club website.
January 2019
SI Heswall & District Club Data Protection Policy
“Data Protection Legislation” means the Data Protection Act 1998 and its replacement, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended), and all other applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data and, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.
The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected.
In the course of its activities SIGBI Limited (“we”) will collect, store and process personal data about our members, people who use our services and attend our activities, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in us. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
The nominated club member responsible for data compliance is responsible for ensuring compliance with the Legislation and with this policy.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Club Secretary.
Processing Personal Data
All personal data should be processed in accordance with the Legislation and this policy.
Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.
Personal data is data relating to a living individual. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Examples of personal data are names and addresses and other information relating to individuals, including supplier details, any third party data and any recorded information including any emails or CCTV images.
Compliance with the Legislation
Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:
- be obtained and used fairly and lawfully;
- be obtained for specified lawful purposes and used only for those purposes;
- be adequate, relevant and not excessive for those purposes;
- be accurate and kept up to date;
- not be kept for any longer than required for those purposes;
- be used in a way which complies with the individual’s rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected);
- be protected by appropriate technical or organisational measures against unauthorised access, processing or accidental loss or destruction;
- not be transferred outside the European Economic Area unless with the consent of the data subject or where the country is determined to have adequate systems in place to protect personal data.
Handling Personal Data and Data Security
Members should take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Manual records relating to members or others should be kept secure. Computer files should be password protected.
The club will take particular care of sensitive data and security measures will reflect the importance of keeping sensitive data secure (definition of sensitive data is set out below).
Club procedures will be regularly monitored and reviewed to ensure data is being kept secure.
Where personal data needs to be deleted or destroyed adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and back up files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records) including shredding.
All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Personal data stored on a laptop or other portable device should be password protected and, wherever the device supports it, encrypted; a login password on its own does not protect the data on a device that is lost or stolen.
The Rights of Individuals
The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.
Any request for access to data under the Legislation should be made to [insert details] in writing. In accordance with the Legislation the club will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.
When a written data subject access request is received the data subject will be given a) a description of the personal data, b) the purposes for which it is being processed, c) the people and organisations to whom the data may be disclosed, and d) a copy of the information in an intelligible form.
Sensitive Data
The club will not normally request sensitive data, but in the event that such data is obtained, we will strive to ensure that sensitive data is accurately identified on collection so that proper safeguards can be put in place. Sensitive data means data consisting of information relating to an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sexual life
- Criminal offences
Changes to this Policy
We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.
January 2019
SI Heswall & District Club Data Breach Policy
Introduction
SI Heswall & District (“we”, “us”) hold and process personal data which needs to be protected. Every care is taken to protect the data we hold. Compromise of information confidentiality, integrity or availability may result in harm to individuals, reputational damage, a detrimental effect on service provision, legislative non-compliance and financial penalties.
Purpose
This policy sets out the procedure to be followed to ensure a consistent and effective approach throughout the organisation.
Scope
The policy relates to all personal data held by us, regardless of format. It applies to anyone who handles this personal data, including those working on our behalf. The objective of the policy is to contain any breaches, to minimise the risks associated with the breach and to consider what action is necessary to secure personal data and prevent any further breach.
Types of breach
An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to data subjects.
An incident includes but is not restricted to:
- Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record.
- Theft or failure of equipment on which personal data is stored
- Unauthorised use of or access to personal data
- Attempts to gain unauthorised access to personal data
- Unauthorised disclosure of personal data
- Website defacement
- Hacking attack
Reporting an incident
Any person using personal data on behalf of the club is responsible for reporting data breach incidents immediately to the Club Secretary.
The report should contain the following details:
- Date and time of discovery of breach.
- Details of person who discovered the breach.
- The nature of the personal data involved.
- How many data subjects’ data is affected.
Containment and recovery
The Executive Committee will first ascertain whether the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effects of the breach. An assessment will be carried out to establish the severity of the breach and the nature of further investigation required. Consideration will be given as to whether the police should be informed. Advice from appropriate experts will be sought if necessary. A suitable course of action will be taken to ensure a resolution to the breach.
Investigation and risk assessment
An investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The Executive Committee will assess the risks associated with the breach, the potential consequences for the data subjects, how serious and substantial those are and how likely they are to occur.
The investigation will take into account the following:
- The type of data involved and its sensitivity.
- The protections in place (e.g. encryption).
- What has happened to the data.
- Whether the data could be put to illegal or inappropriate use.
- Who the data subjects are, how many are involved, and the potential effects on them.
- Any wider consequences.
Notification
The Executive Committee will decide, with appropriate advice, who needs to be notified of the breach. Every incident will be assessed on a case by case basis. Under the GDPR a breach that is likely to result in a risk to the rights and freedoms of the individuals concerned must be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of the Club becoming aware of it, so the assessment must be completed quickly enough to meet that deadline; a breach affecting a large number of people, or with very serious consequences for the data subjects, will always be considered for notification. Guidance on when and how to notify the ICO is available on their website:
www.ico.org.uk/media/1536/breach_reporting.pdf
Where the breach is likely to result in a high risk to the data subjects concerned, they will be told without undue delay. Notification to the data subjects whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the nature of the data involved. Specific and clear advice will be given on what they can do to protect themselves and what has already been done to mitigate the risks. The Executive Committee will keep a record of all actions taken in respect of the breach.
Evaluation and response
Once the incident is contained, the Executive Committee will carry out a review of the causes of the breach, the effectiveness of the response, and whether any changes to systems, policies or procedures should be undertaken. Consideration will be given to whether any corrective action is necessary to minimise the risk of similar incidents occurring.
A Data Breach Report form can be obtained from the nominated member responsible for Data Compliance or the Club Secretary.
Data Breach Report

| Field | Details |
|---|---|
| Date and Time of Discovery of Breach | |
| Name of Person Discovering Breach | |
| Nature of Personal Data Involved | |
| How Many Individuals’ Data is Affected | |
| Assessment Carried Out By | |
| What actions were taken? | |
| Further Investigation/Advice required? | |
| Resolution | |
| Signed by: | Date: |
January 2019
SI Heswall & District Club Data Protection Complaints Process
SI Heswall & District (“we”) take your privacy concerns seriously. If you have any concerns about the way your information is being handled, please contact the Club Secretary in the first instance without delay.
We will carefully investigate and review all complaints and take appropriate action in accordance with Data Protection Legislation. We will keep you informed of the progress of our investigation and the outcome. If you are not satisfied with the outcome, you may wish to contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
Any complaint received by us must be referred to the Club Secretary in the first instance who will arrange for an investigation as follows:
- A record will be made of the details of the complaint.
- Consideration will be given as to whether the circumstances amount to a breach of Data Protection Legislation and action taken in accordance with the Data Breach Procedure.
- The complainant will be kept informed of the progress of the complaint and of the outcome of the investigation.
- At the conclusion of the investigation the member nominated to be responsible for data compliance will reflect on the circumstances and recommend any improvements to systems or procedures.
January 2019