Data held by BASC clubs and syndicates - a brief guide


Introduction

All clubs and friendly societies should not collect more information than is necessary, or than they are legally entitled to collect under the Data Protection Act (DPA), for the administration of their club. The following advice is taken from the Information Commissioner's Office (ICO) and covers all information held by clubs and friendly societies. There is an emphasis on firearm security.

Retention of firearm/shotgun certificate data (including photocopies and scanned images)

BASC has been working with the National Crime Agency on the security of firearms, with an emphasis on targeted burglaries. We have jointly been raising awareness of current provisions in order to avoid knee-jerk proposals to tighten the law.

Requesting and/or retaining firearms certificate data is excessive for the administration of a club's membership. A club need only maintain a bare minimum of details in order to provide official communications such as newsletters, club notifications and subscription reminders.

Should certificate data be lost or stolen, it could provide criminals with a list of guns to choose from, their locations and a photograph of their owner to aid targeting. Computer hacking often goes unnoticed, and the storage of electronic and scanned images makes it easier for criminals to obtain this data.

Clubs asking prospective members to show or provide copies of firearm or shotgun certificates does little to help the club protect its interests. Clubs are unable to verify data with the police due to data protection laws. Club members must act within the law and club rules. The police perform an adequate function in enforcing firearms law; a firearm/shotgun certificate can be revoked at any time and the police will remove the person's firearms as a precaution.

BASC's view is that the retention of certificate data/copies is, in a large number of cases, held contrary to the Data Protection Act 1988. As such, BASC advises clubs to destroy archived certificate data/copies. Certificate holders are under no obligation to supply such data/copies as part of the joining process, nor should the supply of such data be a requisite of the club's application process.

Divulging the whereabouts of guns to unauthorised persons is unwise. Should this lead to their theft, it might be contrary to the certificate's security conditions which, if proven, would be a criminal offence.

Why are clubs and societies covered by the DPA?

As a club or society you are likely to hold information on your members, employees or other members of the public. These people are the data subjects. You are the data controller, as you hold the information and process it for your use. The data subjects are permitted by law to request that you provide them with the information you hold on them. This is called a subject access request, and there are rules regarding how you respond to such a request.

Why comply with the DPA?

It is the law, and if you fail to process information in line with the data protection requirements, and an individual suffers damage as a result, then that person is entitled to seek compensation from you through the courts. Sending out a mailing from an out-of-date or inaccurate record will not only frustrate some of your members but also cost you money and waste your time. Good information handling can enhance your club's reputation by increasing member confidence in you. Good information handling will reduce the risk of a complaint being made against you.

Do I need to register with the ICO?

The "not-for-profit" exemption is intended to be used by small clubs and other voluntary organisations not established or conducted for profit. In stating this, clubs and syndicates, as not-for-profit organisations, are allowed to make a profit for their own purposes, but the profit should not be used to enrich others, i.e. any money raised should be used for their own activities. Clubs set up as limited companies, or which repay Wildlife Habitat Trust (WHT) loans, will likely have to register with the ICO but could have the fee waived; see below.

Most clubs do not need to register with the ICO and can claim an exemption, although clubs are still required to be compliant in all other respects. Clubs must check for themselves whether they are required to register with the Information Commissioner's Office (ICO).

If the club processes any personal data on computer, you will be required to register:
- if you have members who have been through a vetting procedure such as DBS checks to supervise vulnerable people alone;
- if the club utilises a CCTV system.

Further advice on the exemption from registration for not-for-profit organisations: https://ico.org.uk/media/for-organisations/documents/1567/exemption-from-registration-fornot-for-profit-organisations.pdf

What happens if I don't comply?

Your club's reputation and finances could be affected. Many people contact the ICO with enquiries about the way their information is handled and whether it is compliant with the DPA. This may result in enforcement action being taken against you to force you to comply with the DPA. Any individuals affected may also seek compensation from you through the courts for any damage caused. Remember too that failure to notify, or to renew your notification on an annual basis, unless you are exempt from notifying, is one of the criminal offences under the DPA, punishable by a fine.

What does it cost?

Most clubs will be exempt from the fee if they are run on a not-for-profit basis. For those clubs that fall outside of this description, the current fee is £35 per annum on notification.

A "How to comply" checklist

Being able to answer yes to all these questions means you are well on the way to being compliant. Some issues may still need further advice, in which case please contact the ICO.

Customer care
- Do the people whose information is held know that it is held and what it is going to be used for?
- Is this information really needed?
- Is it accurate and up to date?
- Is it deleted or destroyed when it has no further use?
- Is it held on a strict need-to-know basis?
- Who is going to see it, especially if it is going on a website?
- Do users know if it is OK to pass the information on to someone else, and to whom?
- Is it held securely?

Compliance with the DPA
- Does the club need to notify and, if so, is it up to date?
- Does the club have notices up advising people that it has CCTV?
- Do other users understand their duties and responsibilities under the DPA?
- Does the club have a policy for dealing with data protection issues?

What is personal data?

Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The principles of data protection

1. Fair and lawful
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

In practice, it means that you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people's personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.

2. Purposes
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

In practice, it means that you must:
- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act's fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3. Adequacy
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

In practice, it means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.

4. Accuracy
Personal data shall be accurate and, where necessary, kept up to date.

To comply with these provisions you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.

5. Retention
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.

6. Rights
Personal data shall be processed in accordance with the rights of data subjects under this Act.

The rights of individuals that it refers to are:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.

7. Security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

How to get help and advice

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545 745
Email: registration@ico.org.uk
Web: www.dataprotection.gov.uk