Data held by BASC clubs and syndicates - a brief guide

Introduction

Clubs and friendly societies should not collect more information than is necessary, or than they are legally entitled to hold under the Data Protection Act (DPA), for the administration of the club. The following advice is taken from the Information Commissioner's Office (ICO) and covers all information held by clubs and friendly societies, with an emphasis on firearm security.

Retention of firearm/shotgun certificate data (including photocopies and scanned images)

BASC has been working with the National Crime Agency on the security of firearms, with an emphasis on targeted burglaries. We have jointly been raising awareness of the current provisions in order to avoid knee-jerk proposals to tighten the law.

Requesting and/or retaining firearm certificate data is excessive for the administration of a club's membership. A club need only maintain the bare minimum of details required to send official communications such as newsletters, club notifications and subscription reminders. Should certificate data be lost or stolen, it would give criminals a list of guns to choose from, the addresses where they are kept and a photograph of each owner to aid targeting. Computer intrusions often go unnoticed, and holding electronic copies or scanned images of certificates makes that data easier for criminals to obtain.

Asking prospective members to show or provide copies of their firearm or shotgun certificates does little to protect the club's interests. Clubs cannot verify certificate details with the police because of data protection law. Club members must act within the law and the club's rules, and the police already perform an adequate function in enforcing firearms law: a firearm/shotgun certificate can be revoked at any time, and the police will then remove the holder's firearms as a precaution. BASC's view is that, in a large number of cases, the retention of certificate data or copies is contrary to the Data Protection Act 1998.
As such, BASC advises clubs to destroy archived certificate data and copies. Certificate holders are under no obligation to supply such data or copies as part of the joining process, nor should supplying them be a requirement of the club's application process. Divulging the whereabouts of guns to unauthorised persons is unwise: should this lead to their theft, it might be contrary to the certificate's security conditions which, if proven, would be a criminal offence.

Why are clubs and societies covered by the DPA?

As a club or society you are likely to hold information on your members, employees or other members of the public. These people are the data subjects. You are the data controller, because you hold the information and process it for your own purposes. Data subjects are entitled by law to ask you for the information you hold about them. This is called a subject access request, and there are rules on how you must respond to one.
Why comply with the DPA?

It is the law, and if you fail to process information in line with the data protection requirements and an individual suffers damage as a result, that person is entitled to seek compensation from you through the courts. Sending out a mailing from an out-of-date or inaccurate record will not only frustrate some of your members but also cost you money and waste your time. Good information handling can enhance your club's reputation by increasing members' confidence in you, and it will reduce the risk of a complaint being made against you.

Do I need to register with the ICO?

The "not-for-profit" exemption is intended for small clubs and other voluntary organisations not established or conducted for profit. Clubs and syndicates, as not-for-profit organisations, may make a profit for their own purposes, but the profit must not be used to enrich others: any money raised should be used for the organisation's own activities. Clubs set up as limited companies, or that are repaying Wildlife Habitat Trust (WHT) loans, will probably have to register with the ICO, although the fee may be waived (see below).

Most clubs do not need to register with the ICO and can claim the exemption, but they are still required to comply with the DPA in all other respects. A club that processes any personal data on a computer must check for itself whether it is required to register with the Information Commissioner's Office (ICO). You will be required to register if:

- you have members who have been through a vetting procedure, such as DBS checks, in order to supervise vulnerable people alone; or
- the club uses a CCTV system.

Further advice on the exemption from registration for not-for-profit organisations: https://ico.org.uk/media/for-organisations/documents/1567/exemption-from-registration-fornot-for-profit-organisations.pdf

What happens if I don't comply?

Your club's reputation and finances could be affected.
Many people contact the ICO to ask whether the way their information is being handled complies with the DPA. This may result in enforcement action being taken against you to force you to comply with the DPA. Any individuals affected may also seek compensation from you through the courts for any damage caused. Remember too that failing to notify, or to renew your notification each year, unless you are exempt from notifying, is one of the criminal offences under the DPA and is punishable by a fine.
What does it cost?

Most clubs will be exempt from the fee if they are run on a not-for-profit basis. For clubs that fall outside this description, the current fee is £35 per annum on notification.

A "how to comply" checklist

Being able to answer "yes" to all of these questions means you are well on the way to being compliant. Some issues may still need further advice, in which case please contact the ICO.

Customer care

- Do the people whose information is held know that it is held and what it is going to be used for?
- Is this information really needed?
- Is it accurate and up to date?
- Is it deleted or destroyed when it has no further use?
- Is it held on a strict need-to-know basis? Who is going to see it, especially if it is going on a website?
- Do users know whether it is acceptable to pass the information on to someone else, and to whom?
- Is it held securely?

Compliance with the DPA

- Does the club need to notify and, if so, is its notification up to date?
- Does the club have notices up advising people that it has CCTV?
- Do other users understand their duties and responsibilities under the DPA?
- Does the club have a policy for dealing with data protection issues?

What is personal data?

Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The principles of data protection

1. Fair and lawful

Personal data shall be processed fairly and lawfully.
In practice, it means that you must:

- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people's personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.

2. Purposes

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

In practice, it means that you must:

- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act's fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3. Adequacy

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

In practice, it means you should ensure that:

- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.

4. Accuracy

Personal data shall be accurate and, where necessary, kept up to date.

To comply with these provisions you should:

- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.

5. Retention

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In practice, it means that you will need to:

- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.

6. Rights

Personal data shall be processed in accordance with the rights of data subjects under this Act.

The rights of individuals that it refers to are:

- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.

7. Security

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means you must have appropriate security to prevent the personal data you hold from being accidentally or deliberately compromised. In particular, you will need to:

- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

How to get help and advice

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545 745
Email: registration@ico.org.uk
Web: www.dataprotection.gov.uk