
GUIDANCE NOTE ON THE DATA PROTECTION ACT 1998

This guidance note gives an overview of how the Data Protection Act 1998 (the "Act") applies to clubs (including class associations) and recognised training centres. It suggests a series of steps to be taken by clubs and centres to ensure compliance.

Key Elements

The Data Protection Act 1998:
- Regulates the way data controllers process personal data
- Provides stronger protection for sensitive information
- Requires certain organisations to notify the Information Commissioner about their processing of personal data
- Gives individuals to whom the data relates various rights (including the right of access and the ability to prevent direct marketing)
- Establishes an enforcement regime

Certain expressions are given special meanings by the Act.

Data controllers
A data controller is the person who determines the purposes for which, and the manner in which, any personal data are, or are likely to be, processed.

Personal data
Personal data means data which relates to a living individual who can be identified from that data.

Processing
The Act applies when personal data is processed by a computer or is recorded in a structured manual filing system. The term "processing" covers virtually any use which can be made of personal data, e.g. collecting, storing, using and destroying it.

Page 1 of 10

Sensitive personal data
Sensitive personal data consists of information relating to the racial or ethnic origin of a data subject, his political opinions, religious beliefs, trade union membership, sexual life, physical or mental health condition, or criminal offences or record. Where clubs and centres collect sensitive personal data (as will often be the case), e.g. special dietary needs, health declarations on booking forms etc., additional criteria need to be fulfilled in order to ensure compliance. The most straightforward means to ensure compliance with these additional criteria is to include a consent statement within the data protection notice on the relevant collection form (see example data protection and consent notices below).

The eight data protection principles
In order to comply with the Act, a data controller must comply with the eight data protection principles, which make sure that personal information is:
- Fairly and lawfully processed
- Obtained only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not kept longer than necessary
- Processed in line with the rights of data subjects under the Act
- Secure
- Not transferred to other countries without adequate protection

Information Commissioner
The Information Commissioner's Office ("ICO") is an independent authority set up to promote access to official information and to protect individuals' personal information. The Commissioner has enforcement responsibilities for the Data Protection Act 1998 and related regulations such as the Privacy and Electronic Communications Regulations and the Freedom of Information Act. The ICO website is very helpful and includes detailed guidance notes on many aspects of the Act.

Useful links:
https://ico.org.uk/for-organisations/

Page 2 of 10

https://ico.org.uk/
https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

Most clubs and centres will be processing personal information relating to their members, customers, employees, suppliers, race entrants etc. and will therefore need to comply with the Act.

5 Practical Steps towards compliance
The RYA recommends that clubs and centres undertake the following steps:
- ALLOCATE responsibility within your club/centre
- Decide whether your club/centre needs to NOTIFY the Commissioner
- AUDIT forms, IT systems and website, processes
- TRAIN officers, staff and volunteers
- THINK DPA for all new club/centre initiatives

STEP ONE - Allocate Responsibility
Compliance responsibilities will naturally fall to those officers, staff and volunteers of clubs and centres who come into contact with personal data, such as: the club secretary; membership secretary; webmaster; bookings officer; and the events secretary. It is suggested that larger clubs and centres appoint a data protection officer.

STEP TWO - Notification
The default position is that every organisation that processes personal data must notify the ICO. Failure to notify is a criminal offence. Notification can be made online via the ICO website: https://ico.org.uk/for-organisations/register/

The cost of notification is £35 on registration and £35 annually thereafter.

Page 3 of 10

Exemptions from the requirement to notify are possible for the following:
- Data controllers who only process personal information for:
  - staff administration (including payroll);
  - advertising, marketing and public relations (in connection with their own business activity); and
  - accounts and records.
- Some not-for-profit organisations (see below)
- Processing personal information for personal, family or household affairs (including recreational purposes)
- Maintenance of a public register
- Processing personal information without an automated system such as a computer

Not-for-profit organisations
There is a specific exemption from notification for data controllers that are a body or association not established or conducted for profit, provided that their processing does not fall outside the descriptions below:
- The processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.
- The data subjects are restricted to those for whom personal information is necessary for this exempt purpose.
- The data classes are restricted to personal information that is necessary for this exempt purpose.
- The disclosures, other than those made with the consent of the data subject, are restricted to those third parties that are necessary for this exempt purpose.
- The personal information is not kept after the relationship between the not-for-profit organisation and the data subject ends, unless (and for so long as) it is necessary to do so for the exempt purpose.

There is a trap for the unwary! Even if a club can potentially take advantage of one of the exemptions to notification, the club WILL need to notify the ICO if personal data is being processed for non-exempt purposes. These include: processing for crime prevention, such as operating a CCTV camera; processing data obtained via a credit reference agency; and advertising, marketing and public relations for others, e.g. where a club or centre intends to allow its member or candidate details to be used by another organisation for marketing purposes.

Page 4 of 10

The ICO have issued a Self-Assessment Guide which includes a series of simple questions to work through to determine whether an organisation needs to notify the Commissioner. This guide is available online on their website. They also operate a Notification helpline: 01625 54574

Note: the requirement to notify the ICO of the processing of personal information is independent of the requirement to comply with other aspects of the Act. Even if a club or centre is exempt from notification, it will still need to comply with the Act.

STEP THREE - Audit & Review forms and website
- Identify collection processes (e.g. membership application forms, course booking forms, regatta/open meeting entry forms, staff contracts, website, CCTV)
- Add a Data Protection Notice to all forms in which personal data is collected, and include a Consent statement if the data is sensitive personal data
- Formulate a Privacy Policy for staff, volunteers and website
- Review methods used to maintain accuracy of the personal data held and to delete data no longer needed

The following are example Data Protection Notices that can be used. The first is for a membership application form and does not include a consent statement. The second and third assume that sensitive personal data will be collected (e.g. health declarations or photographs) and therefore include consent statements. The example notices will need to be customised to the processing that a club or centre intends to undertake in relation to the personal data collected in the form. If the club or centre intends to share the personal data with other organisations or between members (e.g. by way of a membership handbook with members' contact details), this MUST be stated in the data protection notice and the data subject given the opportunity to object.

Page 5 of 10

...for membership application...
The information which you provide in this form and any other information obtained or provided during the course of your application for membership will be used solely for the purpose of processing your application (including payment processing) and, if elected to membership, dealing with you as a member of [insert name of club] [including creation of a membership handbook with members' contact details which will be available to all members]. The data will not be shared with any third party for marketing or commercial purposes without firstly obtaining your explicit consent. [If you object to the inclusion of your details in a membership handbook please tick here ]

NOTE: a similar consent notice will need to be included on membership renewal forms.

...for a course booking form...
Data Protection Act 1998. The above information, including the questions as to your health and ability, will be used by us to process your booking for the course (including payment processing) and for attending to your safety whilst you are on one of our courses. Names and addresses of candidates for RYA courses may also be shared with the RYA. If you object please tick here. We shall also include your name and address on our mailing list. If you do not want to receive details of future courses and events please tick here.

...for an open meeting...
Data Protection Act 1998. The above information will be used by [insert name of race organiser] to process your race entry (including payment processing) and to deal with you as a competitor. Occasionally we take photos of competitors for publicity purposes, including for use on our own website and/or the websites of the race sponsors [insert names of sponsors]. If you object please tick here. We shall also include your name and address on our mailing list. If you do not want to receive details of future similar events please tick here.

Page 6 of 10

STEP FOUR - Train Officers, Staff and Volunteers
All officers, staff and volunteers who come into contact with personal data need to know how to handle it. The key points are as follows:
- Keep it accurate and up to date
- Delete/destroy when no longer needed
- Protect from unauthorised disclosure or access
- Don't collect more than needed!

Officers, staff and volunteers need to be able to recognise and deal with a subject access request. A subject access request is any request from an individual using their right under the Data Protection Act. A club or centre must decide, taking any exemptions into consideration, what information needs to be given. The club has 40 calendar days to respond to the request and may charge the subject a fee of up to £10. The ICO have published guidance notes on how to deal with subject access requests and the type of data which would not have to be revealed.

STEP FIVE - Think DPA for all new club or centre initiatives
If the type of activities undertaken by a members' club changes, e.g. a significant portion of the club revenue is generated from branded merchandise which is sold for profit, or the club regularly acts as a venue for sailing events for non-club members, this may change the balance of whether or not the club needs to notify the ICO.

If the manner in which personal data collected is to be used changes, e.g. a club or centre intends to obtain commercial sponsorship for an event in exchange for giving access to membership names and addresses to the sponsor, this may not be permitted under the terms of the data protection notice used on the event entry form.

Page 7 of 10

RECAP!
- The DPA does apply to clubs and centres
- Notify your processing to the ICO unless confident that you are exempt from notification
- Audit paperwork, IT systems and website; don't ask for any data you don't need; add data protection and consent notices (where necessary) to your forms; possibly create a privacy policy for your website; and review processes for updating and deleting data
- Train staff and volunteers how to handle the data to prevent inadvertent disclosure and how to deal with subject access requests!
- THINK DPA for all new initiatives.

And finally, a word on penalties...

Penalties
The ICO have the power to impose significant civil financial penalties for breaches of the eight data protection principles which are:
- serious;
- of a kind likely to cause substantial damage or substantial distress; and
- deliberate, or the fault of a data controller who knew or ought to have known about the risk of a breach, but failed to take reasonable steps to prevent it.

The ICO must first issue a "notice of intent" giving the data controller an opportunity to make representations within a time limit. Data controllers can appeal against the award of a monetary penalty to the Tribunals Service (formerly the Information Tribunal). Guidance is available from the ICO website on monetary penalties, setting out in detail its interpretation of the law and the procedure it will follow.

Page 8 of 10

Further related subjects...

CRIMINAL RECORDS DATA
In terms of processing data relating to criminal records, the best guide is provided by the Home Office Code of Practice for Registered Bodies working with the Criminal Records Bureau (CRB). Under the Code, criminal records data can be held by organisations receiving the information from that umbrella body, providing they comply with the Code. Under the Code, all data relating to criminal records must be stored in a locked cabinet, and can be held for a period of six months. After that time the information must be destroyed. Organisations will thereafter only be allowed to keep a record of an individual's name, the position applied for, the application reference number with the CRB, and the recruitment decision taken.

DISCIPLINARY CASES
Data relating to disciplinary procedures would be classed as sensitive under the Act, and hence there are strict conditions under which such data may be held. While clubs should consider each individual case, the Act does permit the retention of sensitive data which relates to legal proceedings, and in cases where the public is being protected against instances of dishonesty and malpractice.

PLEASE NOTE: Forthcoming changes to data protection legislation
Data protection legislation is due to undergo a substantial change when the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Following the referendum, the UK government has stated its intention to give notice to leave the EU under Article 50 of the Treaty on European Union by the end of March 2017. Once the UK gives notice to leave the EU, it would then leave on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by end March 2019. It is likely that the UK will still be a member of the EU when the GDPR comes into force.

For more information kindly contact the RYA Legal Team on 023 8060 4223 or legal@rya.org.uk

Page 9 of 10

RYA Responsibility Statement
The RYA Legal Team provides generic legal advice for RYA members, affiliated clubs and Recognised Training Centres. The information contained in this Guidance represents the RYA's interpretation of the law as at the date of this edition. The RYA takes all reasonable care to ensure that the information contained in this Guidance is accurate and that any opinions, interpretations and guidance expressed have been carefully considered in the context in which they are expressed. However, before taking any action based on the contents of this Guidance, readers are advised to confirm the up-to-date position and to take appropriate professional advice specific to their individual circumstances.

Page 10 of 10