DATA PROTECTION POLICY
SCOPE OF THE POLICY
WHY THIS POLICY EXISTS
This data protection policy ensures that The NCCC:
- Complies with data protection law and follows good practice.
- Protects the rights of members, committee members and external agencies eg. printers and distributors.
- Is open about how it stores, processes and shares members data.
- Protects itself from the risks of a data breach.
GENERAL GUIDELINES FOR COMMITTEE MEMBERS
- The only people able to access data covered by this policy should be members of The NCCC and those who need to communicate with or provide a service to the members of The NCCC.
- Data should not be shared informally or outside The NCCC.
- Committee Members should keep all data secure, by taking sensible precautions and following the guidelines below.
- Strong passwords must be used and they should never be shared.
- Personal data should not be shared outside The NCCC without prior consent and/or for specific and agreed reasons.
- Member information should be reviewed and consent renewed if the law changes or the needs of The NCCC change.
DATA PROTECTION PRINCIPLES
The General Data Protection Regulation identifies 8 data protection principles.
- Principle 1 – Personal data shall be processed lawfully, fairly and in a transparent manner
- Principle 2 – Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Principle 3 – The collection of personal data must be adequate, relevant and limited to what is necessary compared to the purpose(s) data is collected for.
- Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.
- Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.
- Principle 6 – Personal data must be processed in accordance with the individuals’ rights.
- Principle 7 – Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Principle 8 – Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
Lawful, fair and transparent data processing
The NCCC requests personal information from potential members and members for the purpose of sending communications about their involvement with The NCCC. The forms used to request personal information will contain a privacy statement informing potential members and members as to why the information is being requested and what the information will be used for. Members will be asked to provide consent for their data to be held and a record of this consent along with member information will be securely held. NCCC members will be informed that they can, at any time, remove their consent and will be informed as to who to contact should they wish to do so. Once a NCCC member requests not to receive certain communications this will be acted upon promptly and the member will be informed as to when the action has been taken.
Processed for Specified, Explicit and Legitimate Purposes
Members will be informed as to how their information will be used and the Committee of The NCCC will seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:
- Communicating with members about The NCCC’s events and activities.
- Meet organisers communicating with members about specific meets.
- Adding members details to the direct mailing information for The Chronicle magazines including passing necessary information to an external agency eg. printer and distributor.
- Sending members information about The NCCC’s events and activities.
- Communicating with members about their membership and/or renewal of their membership.
- Communicating with members about specific issues that may have arisen during the course of their membership.
- Publication of a Membership Directory so that members can communicate with each other.
The NCCC will ensure that meet organisers are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending NCCC members marketing and/or promotional materials from external service providers unless of direct benefit for the subject interests of the group. The NCCC will ensure that members’ information is managed in such a way as to not infringe an individual members rights which include:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
Adequate, Relevant and Limited Data Processing
Members of The NCCC will only be asked to provide information that is relevant for membership purposes. This will include:
- Postal address.
- Email address.
- Telephone number(s).
- Chronicle preferences (paper or email).
- Membership renewal and original membership date.
- Payment method but not banking details.
Where additional information may be required, such as health-related information, this will be obtained with the specific consent of the member who will be informed as to why this information is required and the purpose that it will be used for. Where The NCCC organises a trip that requires next of kin information to be provided, The NCCC will require the member to gain consent from the identified next of kin. The consent will provide permission for the information to be held for the purpose of supporting and safeguarding the member in question. Were this information to be needed as a one off for a particular trip or event then the information will be deleted once that event or trip has taken place unless it was to be required – with agreement – for a longer purpose. The same would apply to carers who may attend either a one-off event or on an ongoing basis to support a NCCC member with the agreement of The NCCC.
Data may be shared with external agencies that are providing services for and on behalf of The NCCC. Such agencies must satisfy The NCCC that they have in place adequate data protection and security policies and confirm that they are fully compliant with the General Data Protection Regulations.
There may also be instances where a members’ data needs to be shared with a third party due to an accident or incident and where it is considered to be in the best interests of the member or The NCCC. In these instances where The NCCC has a substantiated concern then consent does not have to be sought from the member.
ACCURACY OF DATA AND KEEPING DATA UP TO DATE
The NCCC has a responsibility to ensure members’ information is kept up to date. Members will be informed that they must let the membership secretary know if any of their personal information changes.
SECURE STORAGE OF DATA
Where members hold personal information provided by The NCCC (Membership lists, copies of the Chronicle) in electronic form (PC, Laptop, Tablet, Smartphone), the information must be protected by a secure password. Where it is held in a printed format it must not be passed to any non-member or left where non-members could access or observe it.
Accountability and Governance
The NCCC Committee are responsible for ensuring that The NCCC remains compliant with data protection requirements and retain evidence to that effect. For this purpose, those from whom data is required will be asked to provide written consent. The evidence of this consent will then be securely held as evidence of compliance. Committee Members shall also stay up to date with guidance and practice within The NCCC. The Committee will review data protection and who has access to information on a regular basis as well as reviewing what data is held.
The committee members of The NCCC have a responsibility to ensure that data is both securely held and processed. This will include:
- Committee members using strong passwords.
- Committee members not sharing passwords, with the exception of the two editors who share the task of producing the Chronicle.
- Restricting access or sharing member information to those on the Committee who need to communicate with members on a regular basis.
- Using password protection on laptops and PCs that contain or access personal information.
- Using password protection or secure cloud systems when sharing data between committee members and/or hosts.
Subject Access Request
NCCC members are entitled to request access to the information that is held by The NCCC. The request needs to be received in the form of a written request to the Membership Secretary of The NCCC. On receipt of the request, the request will be formally acknowledged and dealt with within 1 month unless there are exceptional circumstances as to why the request cannot be granted. The NCCC will provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.
Data Breach Notification
Were a data breach to occur action shall be taken to minimise the harm by ensuring all committee members are aware that a breach had taken place and how the breach had occurred. The committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. The committee shall also contact the relevant members to inform them of the data breach and actions taken to resolve the breach. If a member contacts The NCCC to say that they feel that there has been a breach by The NCCC, a committee member will ask the member to provide an outline of their concerns. If the initial contact is by telephone, the committee member will ask The NCCC member to follow this up with an email or a letter detailing their concern. The concern will then be investigated by members of the committee who are not in any way implicated in the breach. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.
WHAT PERSONAL INFORMATION DO WE COLLECT?
When you express an interest in becoming a member of The NCCC you will be asked to provide certain information. This includes:
- Home address
- Email address
- Telephone number(s)
- Chronicle preferences (paper or email)
- Membership renewal and original membership date
- Payment method but not banking details
HOW DO WE COLLECT THIS PERSONAL INFORMATION?
All the information collected is obtained directly from you. This is usually at the point of your initial application. The information will be collected via membership application forms and renewal forms. At the point that you provide your personal information for the below membership purposes, we will also request that you provide consent for us to store and use your data. Your consent is required in order to ensure our compliance with data protection legislation (General Data Protection Regulation 25 May 2018) and without it we will not be able to send you NCCC information.
HOW DO WE USE YOUR PERSONAL INFORMATION?
We use your personal information:
- To provide the Chronicle magazine.
- For administration, planning and management of The NCCC.
- To communicate with you about meets.
- To monitor, develop and improve the provision of our NCCC meets. We may send you messages by email, other digital methods, telephone and post to advise you of NCCC meets.
- To produce a membership directory which is published to all members.
WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?
We may disclose information about you, including your personal information:
- Internally – to committee members and meet organisers – as required to facilitate your participation in our NCCC activities.
- Internally – we put Members contact information on our website
- Internally – to other members to facilitate communications between members.
- Externally – we may arrange for NCCC products or services such as the printing and direct mailing of publications to be carried out by external providers.
- Externally – if we have a statutory duty to disclose it for other legal and regulatory reasons.
HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We need to keep your information so that we can provide our services to you. Your information will be retained for the duration of your membership and for 12 months thereafter. The exceptions to this are instances where there may be legal or insurance circumstances that require information to be held for longer whilst this is investigated or resolved. Where this is the case then the member/s will be informed of how long the information will be held and when it will be deleted.
HOW YOUR INFORMATION CAN BE UPDATED OR CORRECTED
To ensure the information we hold is accurate and up to date, members need to inform The NCCC of any changes to their personal information. You can do this by contacting the membership secretary at any time. On an annual basis you will have the opportunity to update your information via the optional membership renewal form. Should you wish to view the information that The NCCC holds on you, you can make this request by contacting the membership secretary. There may be certain circumstances where we are not able to comply with this request. This would include where the information may contain references to other individuals or for legal, investigative or security reasons. Otherwise we will respond within 1 month of the request being made.
HOW DO WE STORE YOUR PERSONAL INFORMATION?
Your membership information is held by the Membership Secretary and passed to committee members and meet organisers – as appropriate. Your application and renewal forms, together with any further documentation as detailed in our Data Protection Policy are held in paper files for the same periods as with our electronic system. The electronic files are password protected.
Photographs may be taken as a matter of record at NCCC events and may be published in newsletters or on the website. These photographs may include images of members. Members can request the removal from the website of photographs that include their image.
AVAILABILITY AND CHANGES TO THIS POLICY
This policy is available on our website and is provided to members in hard copy upon request. This policy may change from time to time. If we make any material changes we will make members aware of this via the chronicle or website and where appropriate seek revised consent from you.
If you have any queries about this policy, need it in an alternative format, or have any complaints about our privacy practices, please contact the membership secretary.