General Data Protection Regulations (GDPR)

Transcription

1 Wrekinsport CC General Data Protection Regulations (GDPR) The GDPR legislation comes in to force across the EU from the 25 th May From this time, organisations across the EU need to be working towards compliance with the regulations. An element of lee-way has been granted insofar as organisations do not need to be fully compliant with the legislation by that date, however they must have a plan to achieve full compliance within a reasonable time-frame. The Changes GDPR provinces individuals with a significant number of safeguards over and above the previous UK legislation. These include: Additional controls on how information relating to minors or children is obtained and processed; Tightening controls over the collection and processing of personally sensitive data; Records must only be retained by organisations for as long as is absolutely necessary for operational or legislative reasons. Records are no longer required must be securely deleted. Individuals have a right to be forgotten. This basically means that they can instruct an organisation to remove all traces of them form any data that the organisation may holed or control. Organisations cannot now charge for subject access requests (these are when an individual requests and organisation to supply them with a copy of all information held regarding them). Organisations are now required to report any data breach (or suspected breach) to the Information Comissioner s Office within 72 hours. A requirement on organisations to manage their suppliers to ensure that all systems in used within the organisation are GDPR compliant. Controls apply equally to electronic and paper-based records. Personal Information The definition of personal information has been expanded under the new legislation. It is now not just the obvious such as names, addresses, phone numbers but anything that could

2 be used as a key to identify an individual. That means that membership numbers, initials and nicknames are now all within scope of the legislation. In addition, the legislation has provided additional protection around who can collect information determined to be sensitive to the person. This information includes: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade Union membership; Genetic Data; Biometric Data Data concerning health or a natural person s sex live and/or sexual orientation. It is not envisaged that Wrekinsport CC will enter in to any arrangements which may entail the collection of Personally Sensitive Data. Data Protection Policy Wrekinsport CC will need to implement a Data Protection Policy. This policy will underpin how and why the club collects member s data, how long the data is held for and how individuals apply their rights (such as subject access requests). A draft policy is provided in Appendix 1. Establishing Consent All members will need to consent to our continuing to hold and use (process) their data. This applies whether they have joined on paper or via the Wild Apricot site. If we hold information on them, consent must be obtained to continue holding it. It is suggested that we achieve this consent by ing members and asking them to review the policy and provide consent. Where consent is not forthcoming we need to remove that individual s data. On the basis that we only use the data for operational purposes, an argument could be provided that failure to supply consent would constitute removal from the club as we would be unable to keep nonconsenting individuals informed or track their membership fee payments. All new members should be asked to consent during sign-up. Similarly all renewing membership should be asked for consent as part of the renewal process. Changes will need to be made to the website and paper membership forms to achieve this requirement. Additional consent will need to be applied to Time Trials and other competitive events where the club will retain and/or post the results via any means. This consent could simply be a statement on the signing in form stating that by signing up the individual consents to the data being held by the club and shared via /social media. 2

3 Managing Data Wrekinsport CC must only use Personal Information collected form the membership for the purposes set out in the Data Protection Policy. If the intended purpose is not within the policy then the member(s) concerned must be approached for their specific consent. In addition, good housekeeping principles must apply to how the club manages and shares data. This includes: Not distributing personal information by insecure means. This means that it is no longer possible to directly spreadsheets of members names, s etc. Any such files must be encrypted with a strong password before sending and the password sent separately to the . Having Defined Data Retention Periods. The table below sets out the proposed data retention periods for information that we hold. Data Membership Data Website Guests Race/TT/Event Results Race / Event Reports Kit Orders Committee Meeting Minutes Ride Leaders and Attendees Social Media Posts to member group. Social Media posts to public pages / feeds. Photography Retention Period Expiry Date + 1 year. 1 year Indefinite Indefinite 1 year 3 years. 5 years 3 years (hidden after 1 year). Indefinite. Members may choose to delete if required. Official club photographs to be retained indefinitely. Controlling Access to Information Systems Membership and Administration systems are already controlled by individual level passwords. Any records held on paper must be held securely and an access log maintained of when those records have been accessed and by whom. Given the additional workload this creates it is proposed that we move to electronic records keeping. Protection of Children. It is proposed that in order to avoid the additional safeguarding and consent arrangements relating to children that we restrict ourselves (for now at least) to being an over 18s only organisation. This would be in line with British Cycling guidelines on the basis that we do not (presently) have a suitably validated Welfare Officer within they club management function. 3

4 Managing Our Suppliers The main supplier in this respect is Wild Apricot the provider of our website CMS and membership management tools. They are located in Canada although they must still comply with GDPR in order to continue to make their services available within the EU. Wild Apricot have stated their intention to make suitable changes to the service and are currently devising an action plan to allow them to achieve this level of compliance. Providing they deliver that action plan within a reasonable timescale then no further action is required. British Cycling have already taken steps to deliver GDPR compliance within their organisation. It is worth noting that their approach to GDPR compliance for clubs seems to centre around getting all BC registered clubs to use their membership and content management systems. As we have chosen not to use these tools we need to make sure that we have suitable and sufficient arrangements in place ourselves (hence this paper and the wider Data Protection Policy). Photography on Rides Official club photography (photographs taken by an individual appointed by the Committee for the purposes of club publicity, recording of special events etc) will be retained indefinitely. Images taken on club rides by members as a means of recording the occasion or events will not be regarded as Club Photographs. They may be used for publicity purposes where the photographer and subjects provide explicit consent. Photographs uploaded by members to social media sites managed by the club will be subject to the Data Protection Policy of the social media platform used. Images are deemed to remain the property (and responsibility) of the member who uploaded them; although the club will take action to remove photographs from social media platforms where requested to do so by another member. Images taken on club rides by members not acting in an official capacity (for instance as a means of recording the occasion) will not be regarded as Club Photographs and must not be used for publicity purposes unless the photographer and subjects provide their explicit consent. Policy Committee members in the following roles will be provided with a Wrekinsport address: Chairman Membership Secretary Secretary Treasurer 4

5 The holders of the above posts must ensure that formal club communication (including the exchange of information between committee members and third-party suppliers) is only conducted through the Wrekinsport account. Personal accounts must not be used for this purpose. Access to the Membership Databases The following committee roles are authorised to access the Wrekinsport membership database: Chairman Membership Secretary Secretary Any other committee member or representative may be authorised to access the data where their duties have a clearly defined need to do so. Individuals wishing to access the data in this way must be authorised by the Committee during a formal meeting. The individual must be briefed on the Wrekinsport Data Protection Policy before they are given access to the data. Password Policy Where passwords are used to secure access to Personal Information, password holders must ensure that: Passwords are granted to individuals and must never be shared; Passwords must be strong and kept securely. As a minimum, passwords should consist of a combination of at least 8 letters or numbers including a mix of upper and lower case letters. Password holders must avoid setting obvious or easily guessed passwords like Wrekinsp0rt or Password1. 5

6 Appendix 1 Wrekinsport CC Data Protection Policy Version 1 May 2018 In order to run Wrekinsport Cycling Club (WSCC) effectively we will need to hold a certain amount of personal information about our members. This information will be held on a secure membership database system. The information we will store includes: Your name, address and other contact details such as telephone number; Contact details of somebody you would like us to contact in case of emergency; Whether you are a member of British Cycling and if so whether you hold a racing licence. Details of the cycling activities you undertake with the club, including the results of any competitive or timed events. Details of any club kit orders you make. Data will be stored on an electronic database system maintained by a third party. We will ensure that the supplier treats your data carefully, keeps it surely and in a way which is compliant with current data protection legislation. You must be aware that by sharing your data with us we have to pass it on to the third party for the purposes of operating the club. Our supplier is not permitted to use your personal information in any way without you given them direct and specific consent. In return for sharing your data with us, we promise you that: We will only use your data for: establishing and maintaining membership records; and Keeping you informed about developments in the club (events, results, social gatherings, meetings); From time to time we may need to share some of our data with partner organisations who administer the sport of cycling or cycling-related activities which you have or intend to undertake. This data could include: Your Wrekinsport membership status; Your attendance status at an event; and Any timing or result you achieved at the event. We will not share your personal information with any other third party and we will not retain your personal information for any longer is necessary for the running of the club or for the purposes of keeping accurate records of events and competitive results. Taking Part in Competitive Events If you take part in a competitive event, we will share the result of that event with all participants. This will include names, timings and club membership status. We may also report the results back to the event governing body or central organising committee. We may share results via , social media, newsletter or website. By participating in a competitive event you are giving us your consent to share your information in this way. If you do not consent, do not compete. Social Media Club Members take full responsibility for posts made on social media, both in public forum and on closed members only groups. We cannot Control who posts or the content of their posts. We will however 6

7 support you by working with social media platform providers to remove inappropriate content if we spot it or when you report it to us. We do not mandate that you contact or interact with the club via Social Media. If you choose to do so, please note that any material posted in open or private forum will be governed by the Data Protection Policy of the social media platform upon which it is posted. Finding out what information we hold about you. You can ask us at any time to supply you with a copy of the data we hold about you. You can do this by sending an titled Subject Access Request to secretary@wrekinsport.org.uk. We will respond to you with the data you requested within 14 days. Deleting your information from our systems. If you wish, you may request that we delete any information we hold about you from our systems at any time. Requests of this nature can be submitted to secretary@wrekinsport.org.uk. We will carry out your request within 14 days. Please do bear in mind that it is not operationally possible to manage your membership if we do not retain information about you on our systems. As such, if you ask for us to delete your data in this way, your membership will cease immediately and you will not be entitled to any refund (either in full or prorata) for any fees paid for that year. 7

8 Appendix 2 Subject Access Request Process 1. Individual s membership@wrekinsport.org.uk with subject access request. 2. Club Secretary s the individual back to acknowledge receipt and advise that we will respond with the data within 14 days. 3. Club Secretary arranges to secure the following information: a) All data from the Membership CMS applicable to that individual, either as screen grabs or as a RAW CSV file. b) Any race or trial results not recorded on the membership CMS; c) Any official club photographs held by the club of the individual; d) Any race, trial or event reports held by the club which feature the individual. 4. Once compiled the pack must be compressed electronically and encrypted with a secure password. 5. The file is then to be ed to the subject. The decryption password must follow via separate means (e.g. a phone call or text message. 6. There must be no charge made for provision of data in this manner. 7. The request must be completed within 14 days of notification. Appendix 3 Right to be Forgotten 1. Individual s membership@wrekinsport.org.uk requesting deletion of their personal data. 2. Club Secretary s the individual back confirming receipt of request and setting out: a. Deletion will constitute immediate cessation of their membership. b. We will respond within 14 days to confirm that all relevant data has been removed. 3. Club Secretary informs Membership Secretary 4. Membership Secretary arranges to remove the individual s data from the membership management system. 5. Club Secretary checks race report results etc and arranges for club records to be amended to either remove reference to the individual or have their details removed from the records held. 6. Club Secretary checks event/race reports for reference to the individual and arranges for documents to be updated as required. 7. Club Secretary arranges for the individual to be removed from any private social media groups managed by the club on the basis that their membership is regarded as cancelled. Social media posts made by that member are also removed where permitted by the platform. 8. Membership secretary to delete details of any kit orders assigned to the individual. 9. Once these arrangements have been completed, an is sent back to the individual to confirm that the process has been completed. The individual should be signposted to other information processors if there may be further data that needs deleting (e.g. public social media posts or removal from the British Cycling Website). There must be no charge made for provision of data in this manner. 8

9 The request must be completed within 14 days of notification 9