In order to comply with the provisions of the Data Protection Act 1998, we have to make the requirements of the Act known to all Club officers handling “personal” data, and put in place procedures to ensure compliance.
The Act defines “personal” data as:
Data which relates to a living individual who can be identified
It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Only information about individuals which is held on computer, or is on paper and sorted by reference to individuals, is subject to the Act.
The Act requires that the following Principles must apply to the data:
The Club gathers information which is deemed “personal” in the meaning of the Act for legitimate reasons. These include:
The Club historically has disseminated names and non-specific addresses (county of residence, or country if non-UK) in the Members Register included in the Club Magazine once per year. Included in this were telephone numbers and email addresses of those who have explicitly agreed to the publication (to members only) of these items. Copies of the magazine containing this information must have the relevant pages removed when sent to non-members of the Club (for example “complimentary” copies sent to journalists working for Land Rover magazines). The distribution of this information in this manner has been suspended pending clarification from the Information Commission.
The Club disseminates names and contact details (including telephone numbers which may not also be included in the membership directory) to authorised agents working on behalf of the Club in order to assist them to provide an efficient service to members on behalf of the Club. For example, names and contact details of members in a particular area may be sent to Area Representatives of that area, in order to facilitate communication with those members by the area representative. Members are free to request information from either the vehicle database or the archive, for their own personal use. Such information may also be used as the basis of articles in the Club magazine, but where personal data is involved in these cases, explicit permission from the person concerned must be obtained before publishing the article.
Data is to be gathered solely for the purpose of enabling the smooth operation of the Club and Club services. No personal data is to be passed on by any means to those who do not have a legitimate need to know this information. One of the stated aims of the Club in the Memoranda of Association is the collection of information relating to the 101 vehicle into a database.
This Club database of vehicles could quite reasonably, and legitimately, contain a cross reference between vehicles and members. There are a number of circumstances where this would be highly desirable, in terms of monitoring demographics but especially within the context of prevention and detection of crime. It is impossible to ascertain if a new notification of a vehicle has previously been stolen, for example, if there is no way of directly referencing this in association with a member. However, such personal data should not be passed on to other databases not under control of the Club.
Data collected must be used solely for the purpose for which it was obtained. This purpose should be stated on the form where the data is collected. For example, the membership form (completed by all members upon joining and at each renewal) should state that the address given will be used to send out the Club magazine and notices of meetings, as well as the renewal notice the following year. Where telephone numbers or email addresses are requested, these should be in clearly marked parts of the form that explicitly state where the information being entered will be used. If that means the person entering, for example, telephone numbers in several places, then so be it: it avoids any ambiguity.
None of this personal data is to be passed on to third parties without explicit consent of the subject.
No more personal data should be collected than is necessary to carry out the tasks detailed in the form where the data is collected, or is legally required.
The accuracy of data collected should be verified by the subject annually upon membership renewal, and at any other time upon request to the Data Controller. The Data Controller must be satisfied that the person making the request is the subject of the data requested before releasing that data.
Arguably, all member details should be removed from any record once the person concerned ceases being a member. However, it not infrequently happens that members forget to renew their membership for as long as a year. These members will often request that they retain their old membership number, and that they do not receive the “new member” package of benefits when they do re-join (or pay the extra fee for this). This means that personal details of expired members often need to be kept by the membership secretary for at least a year. However, membership details contained within the membership database and details held within the accounting spreadsheet are classed as financial information. We have a statutory requirement to keep these for a period of six years.
The Club Shop and Spares operations will need to have access to an up-to-date listing of current members' names, addresses and other contact details to ensure that sales of goods are only made to current members and to inform those persons of the progress of any transaction. They should not retain out-of-date listings of personal data.
All records held by other officers of the Club (for example, the magazine editor with the mailing list for the current issue of the magazine) should be deleted as soon as they are no longer required.
We are required, as a condition of the merchant service from Streamline, that credit card counterfoils, and a record of the transaction, be retained for six years. With the new online Protx system, this is not an issue as the Club does not handle the credit card data for these transactions in any way.
Under the Data Protection Act and the Freedom of Information Act, members are entitled to examine the complete records held by the Club about them within a period of 40 days from having initiated the request. They may also demand that any errors be corrected. The Club is entitled to charge a fee for supplying this information, up to the sum of £10, but elects to provide this service free of charge.
All personal information held by any member of the Club must be secure from accidental dissemination to persons not entitled to receive that information. When held on a computer, access to that information must not be available to any casual user of that computer, be that locally at the computer terminal itself, or via some form of network. In other words, the data must be password protected with non-trivial password(s). When held on paper, or on removable storage media, that information must be kept locked away when not in use. All electronic transfer of data should be via an encrypted connection. For example, members updating their membership details via the club web-site should only be able to do that by using the https:// protocol. Email attachments of, for example, mailing lists should be encrypted by non-trivial methods.
No personal information held by the Club is to be transferred to countries outside the European Economic Area, with the single exception of transferring members' contact details to the Area Representatives covering the areas of those members.