Data Protection
Code of Practice for handling Personal Data

 

12.1 Introduction

In order to comply with the provisions of the Data Protection Act 1998, we have to make the requirements of the Act known to all Club officers handling “personal” data, and put in place procedures to ensure compliance.

The Act defines “personal” data as:

Data which relates to a living individual who can be identified

  • from those data, or
  • from those data and other information which is in the possession of, or likely to come into the possession of the data controller.

It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Only information about individuals which is held on computer, or is on paper and sorted by reference to individuals, is subject to the Act.

The Act requires that the following Principles must apply to the data:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept for longer than is necessary
  • processed in line with your rights
  • secure
  • not transferred to countries without adequate protection.

 

12.2 How the Act affects the Club

 

12.2.1 Gathering of “Personal” Data

The Club gathers information which is deemed “personal” in the meaning of the Act for legitimate reasons. These include:

  • Names and Addresses of Members for mailing membership cards, magazine and official club notices
  • Uniquely identifiable information, such as date of birth, in order to validate the identity of a member.
  • Telephone numbers, fax numbers, and email addresses for the convenience of getting hold of members more quickly than by letter.
  • Credit Card information when processing membership renewals or sale of Parts or Club Shop items manually. Our merchant service, Streamline, and latterly Protx, also collate such information on behalf of the Club.
  • Maintaining a vehicle database detailing chassis numbers etc., history of the vehicle (where known) and current state of the vehicle (again, if known), and other similar data. This information is gleaned mostly from data supplied to the Club on members' application or renewal forms.
  • Maintaining an archive of information relating to the 101 vehicle. This is separate from the vehicle database, and is mostly on paper, and consists of, inter alia, submissions from members of information they have gathered about their vehicle, some photographs and drawings from the production period of the vehicle, and some photographs and other documentation from the West East expedition. If this archive is not sorted or indexed on member's name or membership number, then it does not come under the scope of the Act.

 

12.2.2 Dissemination of “Personal” Data

The Club historically has disseminated Names and non-specific addresses (county of residence, or country if non-UK) in the Members Register included in the Club Magazine once per year. Included in this were telephone numbers and email addresses of those who have explicitly agreed to the publication (to members only) of these items. Copies of the magazine with this information in must have the relevant pages removed when sent to non-members of the Club (for example “complimentary” copies sent to journalists working for Land Rover magazines). The distribution of this information in this manner has been suspended pending clarification from the Information Commission.

The Club disseminates names and contact details (including telephone numbers which may not also be included in the membership directory) to authorised agents working on behalf of the Club in order to assist them to provide an efficient service to members on behalf of the Club. For example, names and contact details of members in a particular area may be sent to Area Representatives of that area, in order to facilitate communication with those members by the area representative. Members are free to request information from either the vehicle database or the archive, for their own personal use. Such information may also be used as the basis of articles in the Club magazine, but where personal data is involved in these cases, explicit permission from the person concerned must be obtained before publishing the article.

12.3 Applying the Principles

 

12.3.1 Fair and Lawful Processing

Data is to be gathered solely for the purpose of enabling the smooth operation of the Club and Club services. No personal data is to be passed on by any means to those who do not have a legitimate need to know this information. One of the stated aims of the Club in the Memoranda of Association is the collection of information relating to the 101 vehicle into a database.

This Club database of vehicles could quite reasonably, and legitimately, contain a cross reference between vehicles and members. There are a number of circumstances where this would be highly desirable – in terms of monitoring demographics, but especially within the context of prevention and detection of crime. It is impossible to ascertain whether a newly notified vehicle has previously been stolen, for example, if there is no way of directly referencing this in association with a member. However, such personal data should not be passed on to other databases not under the control of the Club.

12.3.2 Processed for Limited Purposes

Data collected must be used solely for the purpose for which it was obtained. This purpose should be stated on the form where the data is collected. For example, the membership form (completed by all members upon joining and at each renewal) should state that the address given will be used to send out the Club magazine and notices of meetings, as well as the renewal notice the following year. Where telephone numbers or email addresses are requested, these should be in clearly marked parts of the form that explicitly state where the information being entered will be used. If that means the person entering, for example, telephone numbers in several places, then so be it: it avoids any ambiguity.

None of this personal data is to be passed on to third parties without explicit consent of the subject.

12.3.3 Adequate, Relevant and Not Excessive

No more personal data should be collected than is necessary to carry out the tasks detailed in the form where the data is collected, or is legally required.

12.3.4 Accurate

The accuracy of data collected should be verified by the subject annually upon membership renewal, and at any other time upon request to the Data Controller. The Data Controller must be satisfied that the person making the request is the subject of the data requested before releasing that data.

12.3.5 Not Kept for Longer than is Necessary

Arguably, all member details should be removed from any record once the person concerned ceases being a member. However, it not infrequently happens that members forget to renew their membership for as long as a year. These members will often request that they retain their old membership number, and not to receive the “new member” package of benefits when they do re-join (or pay the extra fee for this). This means that personal details of expired members often need to be kept by the membership secretary for at least a year. However, membership details contained within the membership database and details held within the accounting spreadsheet are classed as financial information. We have a statutory requirement to keep these for a period of six years.

The Club Shop and Spares operations will need to have access to an up-to-date listing of current members' names, addresses and other contact details to ensure that sales of goods are only made to current members and to inform those persons of the progress of any transaction. They should not retain out-of-date listings of personal data.

All records held by other officers of the Club (for example, the magazine editor with the mailing list for the current issue of the magazine) should be deleted as soon as they are no longer required.

We are required, as a condition of the merchant service from Streamline, that credit card counterfoils, and a record of the transaction, be retained for six years. With the new online Protx system, this is not an issue as the Club does not handle the credit card data for these transactions in any way.

12.3.6 Processed in line with your Rights

Under the Data Protection Act and the Freedom of Information Act, members are entitled to examine the complete records held by the Club about them within a period of 40 days from having initiated the request. They may also demand that any errors be corrected. The Club is entitled to charge a fee for supplying this information, up to the sum of £10, but elects to provide this service free of charge.

12.3.7 Secure

All personal information held by any member of the Club must be secure from accidental dissemination to persons not entitled to receive that information. When held on a computer, access to that information must not be available to any casual user of that computer, be that locally at the computer terminal itself, or via some form of network. In other words, the data must be password protected with non-trivial password(s). When held on paper, or on removable storage media, that information must be kept locked away when not in use. All electronic transfer of data should be via an encrypted connection. For example, members updating their membership details via the club web-site should only be able to do that by using the https:// protocol. Email attachments of, for example, mailing lists should be encrypted by non-trivial methods.

12.3.8 Not Transferred to Countries without adequate Protection

No personal information held by the Club is to be transferred to countries outside the European Economic Area, with the single exception of transferring members' contact details to the Area Representatives covering the areas of those members.


© The 101FCC&R ltd. | www.101Club.org
The 101 Forward Control Club and Register Limited. Company Registered in England No. 04499629.
Registered Office: C/o EJ Morris & Co, Broad Oak, Hand Lane, Heath Hill, Sheriffhales, Shropshire, TF11 8RP
Please do not use this address for general correspondence