Appendix 2 – Procedures for Implementing the Data Protection Principles
- Appointment of a Person with the Specific Responsibility for Data Protection
- Managing/Handling Personal Data
- Disposal of Data
- Membership Data Held
- Data Sharing
- Checking the Quality and Accuracy of the Information the Society Holds on Individuals
- Retention of Information
- Protection of Information
This policy is intended to ensure that personal information is dealt with correctly and securely in accordance with the Data Protection Act 1998 and General Data Protection Regulations 2018, and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically.
What is Personal Information?
Personal information or data is defined as data which relates to a living individual who can be identified from that data, or other information held.
The Paddle Steamer Preservation Society (PSPS) collects and uses personal information about its members. This information is gathered in order to facilitate:
- Realising the aims of the Charity;
- Compliance with Company & Charity Law;
- Maintaining accounts and records;
- Advertising, marketing and public relations;
- Information and database administration.
Under the General Data Protection Regulations 2018 we have a duty to be registered as Data Controllers with the Information Commissioner’s Office (ICO) and to determine the purposes for which, and the manner in which, any personal data are, or are to be, processed.
We will ensure that we adhere to the eight enforceable principles stated in the General Data Protection Regulations 2018.
Data Protection Principles
Personal data shall:
- Be processed fairly and lawfully.
- Be obtained only for one or more specified and lawful purposes.
- Be adequate, relevant and not excessive.
- Be accurate and where necessary kept up to date.
- Not be kept for longer than is necessary for that purpose or those purposes.
- Be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Be kept secure, i.e. protected by an appropriate degree of security.
- Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
The Society is committed to maintaining the above principles at all times.
The Society will:
- Appoint a person with specific responsibility for data protection.
- Ensure all persons managing and handling personal information understand that they are responsible for following good data protection practice.
- Ensure that on occasions when information is for disposal, it is done appropriately.
- Inform individuals that it keeps personal data in relation to their membership.
- Inform individuals that it keeps their name and address on a computer list which may be shared (see Appendix 2). Individuals will be given the opportunity to refuse the sharing of such data.
- Check the quality and accuracy of the information it holds.
- Ensure that information is not held for longer than is necessary.
- Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.
- Share information only when it is legally appropriate to do so and in certain cases only if that person has opted to allow it.
- Ensure that individuals can exercise their right to request access to their personal information, i.e. a Personal Access Request (see Appendix 1).
- Ensure all those handling data are aware of and understand the Society’s Data Protection Policy and procedures.
Complaints relating to data protection should, in the first instance, be made in writing to the Data Controller, who will gather factual evidence from the relevant people and contact the complainant promptly.
If the Data Controller is unable to resolve the matter, the complainant will be advised to contact the Society Chairperson in writing.
Under the General Data Protection Regulations 2018 persons wishing to complain about a possible breach of the legislation have the right to contact the Information Commissioner. Contact details may be found on the ICO website at www.ico.gov.uk.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every three years.
The policy review will be undertaken by the Data Controller and his findings and recommendations reported to the Council of the PSPS for action as may be appropriate.
Rights of Access to Information
Procedures for responding to Personal Access Requests made under the General Data Protection Regulations 2018.
Under the General Data Protection Regulations 2018 any individual has the right to access their personal information held by the Society. Such a request is referred to as a Personal Access Request.
The following procedures relate to a Personal Access Request.
Actioning a Personal Access Request
- Requests for information must be made in writing, which includes email, and be addressed to the Data Controller.
- The identity of the requester must be established before disclosure of information.
- Evidence of identity must be established by requesting production of one of the following:
  - Driving licence;
  - Utility bills with current address;
  - Birth/marriage certificate.
- Anyone whose personal information we process has the right to know:
  - What information we hold and process on them;
  - How to gain access to this information;
  - How we keep it up to date;
  - What we are doing to comply with the Act.
- They also have the right to prevent processing of their personal data in some circumstances, and the right to correct, rectify, block or erase information regarded as wrong.
- We will not make a charge for access when requested.
- Queries about handling personal information will be dealt with swiftly and politely.
- We aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 30 days required by the Data Protection Act from receipt of the written request.
Procedures for Implementing the Data Protection Principles
Appointment of a Person with the Specific Responsibility for Data Protection
Council of Management will appoint a Data Controller who will keep a register of all persons with access to all or part of the database. The appointment will be reviewed every three years, or at any other time within a three-year period that Council considers appropriate.
The membership will be informed of the appointee’s name and contact details via Paddle Wheels, the Society’s website and/or other appropriate means.
Managing/Handling Personal Data
Council of Management will ensure that all persons managing, handling or otherwise acquiring personal information are provided with a copy of the Society’s Data Protection Policy, including its appendices, are asked to read and implement it in their management or handling of information, and where required sign a declaration. In particular they will be asked to note the eight Data Protection Principles (see also item 10 below).
Disposal of Data
The Society will endeavour to securely delete information when it goes out of date or is no longer needed for historical, statistical or research purposes by:
- shredding paper records;
- deleting computer records.
All deletions will be notified to the Data Controller who will record the following information in the Data Log – date, data type, method, by whom deletion was carried out and the reason.
Membership Data Held
The Society will inform individuals that it keeps personal data on a computer database in relation to their membership when they join the society.
The Society holds the following personal data on individual members on its “full database”:
- Telephone number;
- Email address;
- Membership number including renewal code;
- Date of birth if under 18 years of age;
- Banking details for direct debit/standing orders;
- Gift aid details for tax purposes.
The Society will only share information when it is legally appropriate to do so, as required by the General Data Protection Regulations 2018.
The Society may share the following data (the reduced database):
- Telephone number;
- Email address;
- Membership number including renewal code.
with any UK charitable organisation engaged in the operation or preservation of one or more paddle steamers or of MV Balmoral, or a wholly owned subsidiary company of any such charity, provided that:
- Council approves the purpose(s) for which the data is being transferred;
- the recipient agrees to:
  - use it only for such purpose(s) as Council has approved;
  - hold the data in accordance with the provisions of the General Data Protection Regulations 2018;
  - destroy it as soon as the purpose(s) has/have been secured; and
- the member has opted into such data sharing, the opt-in being confirmed at intervals of no more than two years, either in writing or verbally, and recorded in a log.
The Society can share data without an individual’s knowledge if it is under a duty to disclose or share personal data in order to comply with any legal obligation.
Checking the Quality and Accuracy of the Information the Society Holds on Individuals
The Society will take reasonable steps to ensure the accuracy of personal data and that the source of any personal data is clear.
- The Data Controller will be informed of all amendments and errors by holders and users of the database;
- The Data Controller will record in the Data Log the date of any changes.
Retention of Information
The Society will ensure that information is not held for longer than is necessary.
- All data relating to former members will be retained for seven years unless it is required to be kept for legal or tax purposes;
- Where a member has been expelled it will be retained for seven years.
The Society will review the length of time it keeps personal data and as appropriate update, archive or securely delete information no longer required and inform the Data Controller who will make a record in the Data Log.
Protection of Information
The Society will ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded.
- All personal data will be held on password-protected computers.
- When transfers of data are made, the Data Controller will be informed and will record in the Data Log the date of the transfer and to whom it was made.
- All attachments containing personal data sent by email will be password-protected.
- Other electronic means of transfer (e.g. memory sticks) must not be used unless password-protected. N.B. fax is not considered a secure method of transfer and must not be used.
Personal Information Recorded on Paper
- When the information to be sent is personal information, the following must always be considered when deciding what means of transfer is appropriate:
  - The precise nature of the information, its sensitivity, confidentiality or value.
  - What damage or distress could be caused to individuals if the information was lost or accessed by unauthorised persons.
  - The effect any loss would have on the Society.
  - The urgency of providing the information, taking into account the effect of not sending the data, or of any delay in sending it.
- If the information contains only names, addresses and membership numbers, it can be sent by normal post. The envelope in which the information is sent must be clearly addressed to a named recipient.
- All other information must be sent by a traceable method clearly addressed to a named recipient, e.g. Royal Mail Recorded Delivery.
- When using a courier to transport any personal information, steps must be taken to ensure that the courier operates within appropriate security standards and that the package is clearly addressed.
- All persons holding copies of the full and reduced database and receiving personal information from members will be required to sign a declaration.
- Personnel provided with personal information in the form of postage labels and draw contact details, used in order to carry out their work for the Society, will receive the following statement annually:
“The General Data Protection Regulations 2018 oblige us to draw to your attention the fact that any personal data you acquire or use in carrying out your work for the Society must be kept confidential and not used for any other purpose.”