Cheam Camera Club
Data Protection Policy
Cheam Camera Club (“CCC”) is a voluntary organisation which needs to gather and use data about its members in order to function. This information is kept and managed in line with the principles of Data Protection set out in the Data Protection Act 1998. New enhanced legislation under the General Data Protection Regulations (GDPR) comes into force on 25th May 2018. Throughout, Data Protection has been based on a set of principles with which all data controllers must comply.
GDPR Article 5 (1) gives the principles in detail but they can be summarised as follows:
- The controller may only collect personal data relevant for lawful purposes, and where the data is sufficient and adequate, is not excessive, and is kept accurate and up to date. Personal data must be destroyed when it is no longer relevant or required.
- The controller must keep personal data secure, but also available for the relevant purposes.
- The controller must respect the rights of data subjects, including right of access.
GDPR Article 5 (2) introduces a new and important requirement to demonstrate compliance with these principles.
This applies to information whether held electronically or on paper, and to any other material held by CCC in respect of present and past members of the Club.
2 Key points for members
When you join CCC we ask you to complete a Membership Form giving us the minimum personal information to enable us to run the club, usually your name, address, telephone number, email, any photographic distinctions and whether you belong to another club. Occasionally a member may wish us to know about a medical or similar issue in connection with their safety. You can include this information on your Membership Form.
We ask you to complete and sign a separate Consent Form in relation to use of your images and name in connection with entering external club competitions, club publicity, the website and Newsletter.
The data from these two forms is held electronically (password-protected), with the hard copy forms stored securely by the Data Controller as back up in case of electronic failure.
We will take all reasonable steps to protect the confidentiality of paper and electronic records.
We will not share your data with anyone outside the club without your permission except when required by Law, in the event of an insurance claim involving you, or in a safety related emergency.
Members are entitled to request a printout of data held about them electronically or a copy of their hard data.
On request the Data Controller will provide you with this within one month and will correct any inaccuracies at your request. Likewise, on request any data you no longer wish us to hold will be deleted.
If you leave the club your personal data, including images held on the computer, will be deleted or destroyed within three months of us becoming aware that you have left, apart from historical information in relation to competition entries, trophies and published articles such as the Newsletter.
If there is a data breach or your data is compromised, we will contact you and let you know what has happened.
By joining the Club and completing the Membership Form you provide consent for us to use your details to contact you about your membership and club activities.
If you wish to complain about the way your data is being managed then please contact the Chairman. If you are unhappy with the Chairman’s response you have a right to contact the Office of the Information Commissioner, ICO, www.ico.gov.uk Tel: 0303 123 1113
This policy will be kept under review to take into account changes in the law and any issues arising from the policy in practice and so that CCC is compliant with the law.
We will also audit the working of the policy at least annually, but sooner or more frequently if indicated by events, so as to be able to demonstrate that we are compliant with the law.
Practical Procedures to enable the Policy to work:
The name and contact details of the Data Controller are listed on the back of the programme and on the website.
If you have any difficulty in contacting the Data Controller, please contact the Club Chairman or Secretary.
1 Personal information held on members:
- a) Name, title, postal address, email address, landline number, mobile number (as appropriate), photographic distinctions, membership of other photographic clubs.
This data is collected annually on the Membership Form and is used to communicate with members about the Club programme, social events, meetings and other legitimate matters connected to the functioning of the Club.
Data is not used for any non-CCC related activities, and will not be sold or passed on to any other organisation.
- b) We also record members’ permissions in relation to use of their images in external competitions, on the website, in the newsletter and publicity. This data is obtained from the Consent Form for the use of members’ images.
The data from both these forms is added to master lists by the Data Controller. They are kept electronically on a password protected account which can only be accessed by the Officers and Committee Members. The New Members’ Officer and Competition Secretary may also need access to carry out their roles.
The Data Controller changes the account password every 6 months and informs the officers and committee.
- c) Lists of competition entries with titles and authors.
This data is compiled from information voluntarily submitted by members on entering competitions.
- d) Lists of competition results and scores with names.
These lists are compiled after the competitions in order to manage the competition rounds and to enable adjustment of the competition groups at the end of a season.
- e) Projected digital images (PDIs) submitted for club competitions and PDIs of print competition entries with authors' names are kept on the club laptop, which is password secured and backed up on an external hard drive held securely. These images are submitted by members to password-protected accounts, the passwords for which are available to relevant committee members who need access in order to carry out their role within the club.
- f) List of membership fees paid and payments for other events are held by the Treasurer to account for the money and to enable him to carry out his role. Any hard copy documents are kept secure and electronic data kept on a password secured computer.
2 Access to Data
Members are entitled to request a printout of data held about them electronically or a copy of their hard data. The request should be made in writing to the Data Controller who will supply the information within a maximum of one month. He/she will also withdraw or correct any information on your written request. The Controller will keep a record of these actions and the dates they were carried out.
3 Leaving the Club.
The data of any member leaving the club will be deleted and/or shredded within 3 months of the Club being made aware that they have left, including their images on the club computer. Images included in past editions of the newsletter will remain in such documents and the member’s name will remain in any list of competition or trophy winners.
If a member does not announce their intention to leave but does not join again at the beginning of the next season, it will be assumed that they have left, and the same process will apply after 3 months of the new season.
The Data Controller will inform the Club’s IT lead of a member leaving. The IT lead will confirm to the Data Controller when appropriate images have been deleted. A record of this being done will be kept by the Data Controller.
4 Club Emails
Any Officer or Committee Member wishing to email the membership must send the email to themselves and blind copy (BCC) all the other recipients. Such emails will be kept to a minimum.
Any other member wishing to contact the whole membership must send their email to the Chairman or Secretary for onward distribution.
All Officers and Committee Members are obliged to keep the personal data of members confidential. It should not be printed off or kept separately. Contact details of one member will not be given to another club member without the consent of the first member.
The IT lead shall set up generic email accounts for each officer and committee member so that there is a separation between personal and club email accounts on personal computers. This also enables a job to be picked up if the regular jobholder cannot do it for whatever reason.
5 Audit of the working of the Policy
This shall be done by the Chairman at the end of each season or at any intermediate time if a problem arises.
A record of the audit shall be kept securely by the Data Controller.