Privacy Policy
Data Protection and Data Security Policy
MEMBERS
Statement and purpose of policy
- Worksop College Pines Limited (the Company) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
- We confirm for the purposes of the data protection laws, that the Company is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
- The purpose of this policy is to help us achieve our data protection and data security aims by:
- notifying our members of the types of personal information that we may hold about them and what we do with that information;
- setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
- clarifying the responsibilities and duties of staff in respect of data protection and data security.
- This is a statement of policy only. We may amend this policy at any time, in our absolute discretion.
- For the purposes of this policy:
- Data protection laws means all applicable laws relating to the processing of personal data, including, for the period during which it is in force, the UK General Data Protection Regulation.
- Data subject means the individual to whom the personal data relates.
- Personal data means any information that relates to an individual who can be identified from that information.
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
Data protection principles
- All those whose work involves using personal data relating to Members must comply with this policy and with the following data protection principles which require that personal information is:
- processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
- collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
- processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
- accurate and the Company takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
- kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact a director of the company.
- secure, and appropriate measures are adopted by the Company to ensure as such.
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared between us and the members.
- Questions about this policy, or requests for further information, should be directed to a director of the company.
- All our staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. A director of the company must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
What personal data and activities are covered by this policy?
- This policy covers personal data:
- which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
- is stored electronically or on paper in a filing system;
- in the form of statements of opinion as well as facts;
- which relates to any member (present, past or future).
- which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
- This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data do we process about Members?
- We collect personal data about you which:
- you provide or we gather before or during your membership with us;
- The types of personal data that we may collect, store and use about you include records relating to your:
- home address and contact details.
- Membership category
- telephone, email, internet, fax or instant messenger use;
Accuracy and relevance
- We will:
- ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
- not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
- If you consider that any information held about you is inaccurate or out of date, then please tell us.
Storage and retention
- Personal data will be kept securely.
Individual rights
- You have the following rights in relation to your personal data.
- Subject access requests:
- You have the right to make a subject access request. If you make a subject access request, we will tell you:
- whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
- to whom your personal data is or may be disclosed.
- for how long your personal data is stored (or how that period is decided);
- your rights of rectification or erasure of data, or to restrict or object to processing;
- your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
- whether or not we carry out automated decision-making and the logic involved in any such decision making.
- We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
- To make a subject access request, contact us at mike@beahan.co.uk.
- We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
- We will normally respond to your request within 28 days from the date your request is received. In some cases, eg where there is a large amount of personal data being processed, we may respond within 3 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
- If your request is manifestly unfounded or excessive, we are not obliged to comply with it.
- Other rights:
- You have a number of other rights in relation to your personal data. You can require us to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if your interests override our legitimate grounds for processing the data (where we rely on our legitimate interests as a reason for processing data);
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer's legitimate grounds for processing the data.
- To request that we take any of these steps, please send the request to mike@beahan.co.uk.
Data security
- We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Maintaining data security means making sure that:
- only people who are authorised to use the information can access it;
- where possible, personal data is pseudonymised or encrypted;
- information is accurate and suitable for the purpose for which it is processed; and
- authorised persons can access information if they need it for authorised purposes.
- By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
- Personal information must not be transferred to any person to process (eg while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
- Security procedures include:
- Any desk or cupboard containing confidential information must be kept locked.
- Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
- Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
- A director of the company must approve of any cloud used to store data.
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
- All servers containing sensitive personal data must be approved and protected by security software.
- Servers containing personal data must be kept in a secure location, away from general office space.
- Data should be regularly backed up in line with the Employer's back-up procedure.
Data breaches
- If we discover that there has been a breach of Staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.
- We will record all data breaches regardless of their effect.
- If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures we have taken.
Third parties
- We will not make your data available to any third party under any circumstances.
Training
- We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
- Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
Data Sharing
Members' data will be shared with the committees of College Pines Golf Club, who agree to abide by the above policy.