Data Protection Policy
Hickling Windsurfing Club
Data Protection Policy – 1 January 2018 Final ver 1.1
- Why we need this, and it’s purpose.
The windsurfing club wants to be responsible with the data you have provided to us. Just like all organisations in Europe, we are accountable for this data, and have an obligation to demonstrate compliance with data protection principles. From 25 March 2018 this requirement becomes further strengthened in law and there are very heavy fines for not complying.
The Data Protection Act 1998 and General Data Protection Regulation 2018, applies to the processing of personal data. Hickling Windsurfing Club (HWC, or “the Club”) is committed to complying with its legal obligations. HWC collects and processes personal data relating to its members in the course of running the club, administering membership, communicating with members about Club events, news, and safety updates.
This policy covers any individual about whom HWC processes data. This may include current and former members. Processing of data includes: gaining consent, collecting; recording; presenting; storing; altering; and destroying.
- Key points for members:
- We will only collect the information that we need from you in order to keep you updated about your membership, events, safety updates, renewals, and to otherwise enable us to administer your membership and the operations of the Club.
- We will not share your data with anyone outside the Club Committee, except when required by Law, or except with our Insurance Company in the event of an insurance claim.
- We will not attach your full name to any photos, without your permission. However, we may use your first name.
- Ask us if you want a summary of the information we hold about you, or you wish your details to be deleted.
- HWC will take reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and paper records.
- As a general rule we don’t ask for or keep sensitive data about you (e.g. health/medical information, date of birth, bank account details, political or religious beliefs, etc). However, we will ask for your general health status if you attend one of our training courses so that we can consider your suitability for the course or to consider any special care we may need to provide. This will be kept in paper format only.
- Should there be a data breach or your data is compromised, we will contact you and let you know what has happened.
- By joining the Club you provide consent for us to use your details so that we can contact you about the membership you have purchased: Club events, Club news, safety updates, any changes to terms and conditions, and membership renewals. If we want to use your details for any other purpose then we will ask for your consent first.
- Membership data and how we manage it.
The following file lists what data we have, why we have it, where it came from, who looks after it, how we process it, how we keep it safe, and how long we keep it for.
- General security standards to be adopted by those on the committee who have access to personal data:
- Data must not be copied outside the Club, or Club committee without the permission of the Membership Secretary.
- Data must be restricted to those that need it. Email distribution lists to be separated from address, phone, payment data etc.
- Group emails to the membership must be sent “BCC” to avoid sharing email addresses.
- Computer equipment must be protected from general access via a password or PIN.
- Computer software must be protected by an up to date operating system and security software.
- Membership database and any other files containing personal data must be password protected.
- Paper records must be locked inside the home and clearly identified, with the retention date marked.
- Backup copies of the Excel file are kept both on and off site to guard against data loss due to computer failure.
- Data to be deleted/destroyed after the retention date has been reached.
- We need to keep member data accurate, if we detect an error we must strive to correct it.
- Destruction of any copies of Club data when committee members leave office.
- Breaches of Information
Any breaches of information security must be reported immediately to the Membership Secretary. Members need to be advised as soon as any breach is discovered and what information has been compromised. The Membership Secretary will authorise and coordinate any required notification to the membership.
In the case of photographs taken at organised club events, some of those images may be used to help promote and illustrate the club’s activities, both in the Newsletter and/or on the website, and Club controlled social media. Members declare as part of the application or renewal process that they consent to this use, subject to being able to opt out when signing in to the event itself. Any such photography will never ascribe further identification to a member/s, for example by including surnames in any narrative.
Any photography will exclude individual images of members under 18 years, in compliance with the club’s Child Protection Policy, unless specific written parent or guardian consent is expressly given before such photography takes place. For practical reasons, members under the age of 18 attending organised club events MAY have images included in group photographs.
- Data Controller and queries
The Membership Secretary is the Data Controller for HWC. He/she bears overall responsibility for ensuring compliance with the Data Protection Act and regulations. He /she will answer queries or deal with members’ concerns about data protection.
If you wish to complain about the way your data is being managed then please write to the Chairman (Refer to Contact details on the club web-site.). If you are unhappy with the Chairman’s response then you have a right to contact the Information Commissioners Office, ICO (IOCico.org.uk, Tel 0303 123 1113)
- Access requests
Members are entitled to request data held about them on computer, or to request a photocopy of their original paper membership application or renewal. The Data Controller will provide this information within 1 month of asking, ensuring security of the data to be supplied
This policy will be reviewed from time to time to take into account changes in the law and the experience of the policy in practice.
Policy approved by the Club Committee 12 January 2018.