Data Protection Policy

PERKINS LONG SERVICE CLUB Data Protection Policy

Scope of the policy

This policy applies to the work of the Perkins Long Service Club (hereafter ‘PLSC’). The policy sets out the requirements that the PLSC has to gather personal information for membership purposes. The policy details how personal information will be gathered, stored and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by the PLSC Committee Members to ensure that the PLSC is compliant. This policy shall be read in tandem with the PLSC's Privacy Policy.

Why this policy exists

This data protection policy ensures that the PLSC:

· Complies with data protection law and follows good practice.

· Protects the rights of members.

· Is open about how it stores and processes members’ data.

· Protects itself from the risks of a data breach.

General guidelines for committee members and group LEADERS

· The only people able to access data covered by this policy shall be those who need to communicate with or provide a service to the members of the PLSC.

· Data shall not be shared informally or outside of the PLSC

· Committee Members shall be required to read the Data Protection Policy, and to sign a consent to abide by this Policy

· Committee Members shall keep all data secure, by taking sensible precautions and following the guidelines below.

· Strong passwords shall be used and they shall never be shared.

· Personal data shall not be shared outside of the PLSC unless with prior consent and/or for specific and agreed reasons.

· Member information shall be reviewed and consent refreshed when policy is changed.

Data protection principles

The General Data Protection Regulation identifies 8 data protection principles:-

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner

Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3 - The collection of personal data shall be adequate, relevant and limited to what is necessary, compared to the purpose(s) data is collected for.

Principle 4 – Personal data held shall be accurate and, where necessary, kept up to date. Every reasonable step shall be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.

Principle 6 - Personal data shall be processed in accordance with the individuals’ rights.

Principle 7 - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 8 - Personal data cannot be transferred to a country or territory outside the UK or the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.

Lawful, fair and transparent data processing

The PLSC requests personal information from potential members and members for the purpose of managing the PLSC membership records and sending communications about their involvement with the PLSC. The forms used to request personal information shall make reference to where the PLSC Data Protection and Privacy Policies may be found on the PLSC website or that they shall be provided by the Membership Secretary on request.

If a PLSC member requests not to receive certain communications this shall be acted upon promptly and the member shall be informed as to when the action has been taken. A member may request in writing that the PLSC ceases to hold elements of their personal data and this shall be acted on within 30 days of receiving the request. A member who requests that their name or address or method of subscription payment is deleted must resign their membership for this to take effect.

Processed for Specified, Explicit and Legitimate Purposes

Members shall be informed as to how their information will be used and the Committee of the PLSC shall seek to ensure that member information is not used inappropriately. Appropriate use of information provided by members will include:

· Administration and Management of membership records and subscription payments

· Communicating with members about the PLSC’s events and activities

· Communicating with members about their membership and/or renewal of their membership.

· Communicating with members about specific issues that may have arisen during the course of their membership.

The PLSC shall ensure that Committee Members are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include directly sending PLSC members marketing and/or promotional materials from external service providers.

The PLSC shall ensure that members' information is managed in such a way as to not infringe an individual member’s rights which include:

· The right to be informed.

· The right of access.

· The right to rectification.

· The right to erasure.

· The right to restrict processing.

· The right to data portability.

· The right to object.

Adequate, Relevant and Limited Data Processing

Members of the PLSC shall only be asked to provide information that is relevant for membership purposes. This includes:

  • Name

  • Email

  • Home Address

  • Date of Birth

  • Payroll Number (where applicable)

· Works Dept & Location (where applicable)

· Home telephone number

· Mobile Telephone number

· Emergency contact details

  • Any Life Membership subscription payment

Where additional information may be required, such as health-related information, this shall be obtained with the specific consent of the member who shall be informed as to why this information is required and the purpose that it will be used for.

Where the PLSC organises a trip that requires next of kin information to be provided, the PLSC shall require the member to gain consent from the identified next of kin. The consent shall provide permission for the information to be held for the purpose of supporting and safeguarding the member in question. Were this information to be needed as a one off for a particular trip or event then the information shall be deleted once that event or trip has taken place unless it was to be required – with agreement – for a longer purpose. The same would apply to carers who may attend either a one-off event or on an ongoing basis to support a PLSC member with the agreement of the PLSC.

There may be occasional instances where a members' data needs to be shared with a third party due to an accident or incident involving statutory authorities. Where it is in the best interests of the member or the PLSC in these instances where the PLSC has a substantiated concern then consent does not have to be sought from the member.

Accuracy of Data and Keeping Data up to Date

The PLSC has a responsibility to ensure members' information is kept up to date. Members shall be informed to let the Membership Secretary know if any of their personal information changes.

Accountability and Governance

The PLSC Committee are responsible for ensuring that the PLSC remains compliant with data protection requirements and can evidence that it has. The PLSC Committee shall ensure that new members joining the Committee are required to read the Data Protection and Privacy policies of the PLSC and to sign confirmation that they have read and understood the policies and shall abide by them. Committee Members shall also stay up to date with guidance and practice within the PLSC and shall review data protection and who has access to information on a regular basis, as well as reviewing what data is held.

Secure Processing

The Committee Members of the PLSC have a responsibility to ensure that data is both securely held and processed. This shall be achieved by:-

· Storing the data on a secure Company shared drive.

· Restricting access to this shared drive to those on the Committee who need to communicate with members on a regular basis.

· Communicating data to other Committee Members, when required, using password protected files.

· Ensuring that Committee Members’ laptops or other devices are adequately protected by suitable firewall security.

Subject Access Request

PLSC members are entitled to request access to the information that is held by the PLSC. The request needs to be received in the form of a written request to the Membership Secretary of the PLSC. On receipt of the request, the request shall be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances as to why the request cannot be granted. The PLSC shall provide a written response detailing all information held on the member. A record shall be kept of the date of the request and the date of the response.

Data Breach Notification

The President of the PLSC shall be responsible for ensuring that proper investigation and all necessary actions are taken in the event of a data breach becoming known to the PLSC.

Were a data breach to occur action shall be taken to minimise the harm by ensuring all Committee Members are aware within 24 hours of the event that a breach had taken place, and how the breach had occurred. The Committee shall then seek to rectify the cause of the breach as soon as possible to prevent any further breaches. Where necessary the President of the PLSC shall notify the Information Commissioner's Office. The Committee shall also contact the relevant PLSC member(s) to inform them of the data breach and actions taken to resolve the breach.

If a PLSC member contacts the PLSC to say that they feel that there has been a breach by the PLSC, a Committee Member shall ask the member to provide an outline of their concerns. If the initial contact is by telephone, the Committee Member shall ask the PLSC member to follow this up with an email or a letter detailing their concern. The concern shall then be investigated by members of the Committee who are not in any way implicated in the breach. Breach matters shall be subject to a full investigation, records shall be kept and all those involved notified of the outcome.

PLSC members may report their concerns to the Information Commissioner’s Office if they are dissatisfied with the response from the PLSC. The Information Commissioner may be contacted on 0303 123 1113 or via email on https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

May 2020. Policy review date: Annually following the AGM. Next Review due November 2021.