Gwent Angling Society
Privacy Policy



GDPR Policy and Documentation.

Gwent Angling Society DATA PROTECTION POLICY

'Data Protection Legislation' or 'Legislation' means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), the General Data Protection Regulation (GDPR), any laws in the UK enacting the GDPR or preserving its effect in whole or part following the departure of the UK from the European Union and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, together with, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.

Data Protection Legislation is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that, where necessary, the privacy of individuals is respected. During the course of the activities of Gwent Angling Society ('the Society'), the Society will collect, store and process personal data about our members, people who attend our services and activities, employees, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will help maintain confidence in the Society. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

The Data Protection Compliance Manager is responsible for ensuring compliance with the Legislation and with this policy. The post is held by Gareth Lewis. 

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager. 

Processing Personal Data
 
All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action. 

Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data. 

Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organizations may be covered. 
Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour. 

Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third-party data and any recorded information including any recorded telephone conversations, emails or CCTV images. 

Employees and others (including volunteers and trustees) who process data on behalf of the society (referred to in this policy as ‘Employees’) should assume that whatever they do with personal data will be considered to constitute processing. 

Employees should only process data: 

- If they have consent to do so; or
- If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship, for example processing the payroll; or
- If the processing is necessary for legitimate interests pursued by Gwent Angling Society, unless these are overridden by the interests, rights and freedoms of the data subject.

If none of these conditions is satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.

Compliance with the Legislation 

Employees who process data on our behalf have a responsibility for processing personal data in accordance with the Legislation. This includes the data protection principles in the Legislation. These state that personal data must:

- be obtained and used fairly, lawfully and transparently;
- be obtained for specified, explicit and legitimate purposes and used only for those purposes;
- be adequate, relevant and limited to the minimum necessary for those purposes;
- be accurate and kept up to date (every reasonable endeavour should be used to ensure that personal data that is not accurate is corrected or erased without delay);
- be processed in a manner that ensures its security (see the Information Security Policy at Appendix 1);
- not be kept for any longer than required for those purposes (see the Records Retention Policy at Appendix 2).

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice) unless there is a legal exemption from doing so. We will keep records of any information shared with a third party including a record of any exemption which has been applied.

Employees should follow the Data Breach Procedure (at Appendix 3) if they think they have accidentally breached any provision of this Data Protection Policy.

Sensitive Data

We will strive to ensure that sensitive data is accurately identified on collection so that proper safeguards can be put in place. Sensitive data means data consisting of information relating to an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, genetic information, sexual life, criminal offences, etc.

Sensitive data may be processed in the course of our legitimate activities, but may not be passed to any third party without the express consent of the data subject. 

Monitoring the use of Personal Data

We are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken: 
- Any Employees who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data;
- Employees who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored;
- All Employees must consider whether the personal data they hold is being processed in accordance with this policy. Particular regard should be had to ensure inaccurate, excessive or out of date data is disposed of in accordance with this policy; 
- Employees must follow the Breaches Procedure (at Appendix 3) should they become aware of any breach of this policy;
- Employees will keep clear records of our processing activities and of the decisions we make concerning personal data (including reasons for the decisions) to show how we comply with the Legislation; 
- Spot checks may be carried out; 
- An annual report on the level of compliance with or variance from good data protection practices will be produced by the Data Protection Manager;
- Data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences; 
- We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract. 

Handling Personal Data and Data Security

This will be managed in accordance with our Information Security Policy (see Appendix 1). 

The Rights of Individuals

The Legislation gives individuals certain rights to know what data is held about them and what it is used for. If personal data is collected directly from an individual, we will inform them in writing of their rights by providing them with a ‘Privacy Notice’ at the time the personal data is collected or as soon as possible afterwards.

In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects may also have a right of portability in respect of their personal data, and a right to be forgotten. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.

Any request for access to data under the Legislation should be made to Lewis Parfitt in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request (where permitted under the Legislation, we may take a further 30 days to respond but we will inform the individual of why this is necessary).

When a written data subject access request is received, the data subject will be given a) a description of the personal data, b) the purposes for which it is being processed, c) the people and organisations to whom the data may be disclosed, and d) a copy of the information in an intelligible form.

Changes to this Policy

We reserve the right to change this policy at any time, including as needed to comply with changes in law. Where appropriate we will notify data subjects of those changes by mail or email.

To be reviewed in 12 months’ time.

APPENDIX 1 – Information Security Policy

Information security involves preserving confidentiality, preventing unauthorized access and disclosure, maintaining the integrity of information, safeguarding accuracy and ensuring access to information when required by authorized users.

In addition to complying with this policy, all users must comply with the Data Protection Legislation and the Data Protection Policy.

‘Society Data’ means any personal data processed by or on behalf of Gwent Angling Society.

Information security is the responsibility of every member of staff, trustee, office holder, church member and volunteer using Society Data, whether on the Society's information systems or elsewhere. This policy is the responsibility of Lewis Parfitt, who will undertake supervision of the policy.

Our IT systems may only be used for authorized purposes. We will monitor the use of our systems from time to time. Any person using the IT systems for unauthorized purposes may be subject to disciplinary and/or legal proceedings.

We will take appropriate technical and organizational steps to guard against unauthorized or unlawful processing. In particular:

- All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed.
- Manual records relating to church members or staff will be kept secure in locked cabinets. Access to such records will be restricted.
- Access to systems on which information is stored must be password protected with strong passwords and these should be changed at once if there is a risk they have been compromised. Passwords must not be disclosed to others. We will ensure that staff and members who handle personal data are adequately trained and monitored to ensure data is being kept secure.
- We will ensure that only those who need access will have access to data.
- We will take particular care of sensitive data and security measures will reflect the importance of keeping sensitive data secure (definition of sensitive data is set out above in the Data Protection Policy), e.g. password protection for documents and encryption.
- Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and backup files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records), including shredding or disposing via specialist contractors (who will be treated as data processors; see below).
- We will ensure that any data processor engaged to process data on our behalf (e.g. for payroll) will act under a written contract and will give appropriate undertakings as to the security of data.
- Appropriate software security measures will be implemented and kept up to date.
- We will ensure that if information has to be transported or transferred, this is done safely using encrypted devices or services.
- Where personal devices are used to store or process personal data, they must be subject to appropriate security. 

All breaches of this policy must be reported to Gareth Lewis.

APPENDIX 2 – Records Retention Policy 
 
Storage of Data and Records Statement 

- All data and records will be stored in accordance with the security requirements of the Data Protection Legislation and in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record.
- Data and records which are active should be stored in the most appropriate place for their purpose commensurate with security requirements.
- Data and records which are no longer active, due to their age or subject, should be stored in the most appropriate place for their purpose or destroyed.
- The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded.
- Any data file or record which contains personal data of any form can be considered as confidential in nature.
- Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Legislation, which requires that personal data processed for any purpose "shall not be kept for longer than is necessary for that purpose". All staff, trustees, volunteers and members of the Society are required to have regard to the Guidelines for Retention of Personal Data attached hereto.
- Any data that is to be disposed must be safely disposed of for example by shredding. Any group which does not have access to a shredder should pass material to Lewis Parfitt who will undertake secure shredding.
- Special care must be given to disposing of data stored in electronic media. Guidance will be given by the Society Leadership team to any group which has stored personal data relating to its members on for example personal computers which are to be disposed of.

Guidelines for Retention of Personal Data 

(This is not an exhaustive list) 

If you have any queries regarding retaining or disposing of data please contact Gareth Lewis.

Types of Data – Suggested Retention Period
 
Personnel files including training records and notes of disciplinary and grievance hearings.
- 6 years from the end of employment 

Application forms / interview notes
- Maximum of one year from the date of the interviews for those not subsequently employed. If employed, retain in personnel file. 

Information relating to children
- Check for accuracy once a year
- Record that child was a member of the group – permanent
- Secure destruction of personal data other than name and fact of membership – three years after they cease to be a member

Society member information
- Check for accuracy once a year
- Record that adult was a member – permanent
- Secure destruction of personal data other than name and fact of membership – three years after they cease to be a member

Society group member information
- Check for accuracy once a year
- Record that adult was a member of group – permanent
- Secure destruction of personal data other than name and fact of membership – three years after they cease to be a member

Income Tax and NI returns, including correspondence with tax office
- At least 6 years after the end of the financial year to which the records relate 

Statutory Maternity Pay records and calculations
- As above
- (Statutory Maternity Pay (General) Regulations 1986)

Statutory Sick Pay records and calculations
- As above
- (Statutory Sick Pay (General) Regulations 1982)

Wages and salary records
- 6 years from the tax year in which generated 

Accident books, and records and reports of accidents
- (for adults) 3 years after the date of the last entry
- (for children) three years after the child attains 18 years (RIDDOR 1985)

Health records
- 6 months from date of leaving employment
- (Management of Health and Safety at Work Regulations)

Health records where reason for termination of employment is connected with health, including stress related illness
- 3 years from date of leaving employment
- (Limitation period for personal injury claims)

Student records, including academic achievements, and conduct
- At least 6 years from the date the student leaves in case of litigation for negligence