This policy details how Mountaineering Scotland meets the requirements of the Data Protection Act 1998 (the “Act”) and General Data Protection Regulation 2018 (GDPR) with regard to the handling and security of personal data.
The length of time that personal data is held can be found in a separate document, the Data Retention Policy, which covers both statutory and non-statutory records.
This policy applies to employees’, members’ and third parties’ personal data for whom the Company is required to maintain data records for operational purposes.
The Company is required to maintain certain personal data about living individuals for operational purposes, and in doing so recognises the importance of the correct and lawful treatment of such data.
Subjects about who the Company may hold data include current, past and prospective employees; members and third parties with whom it contracts. All personal data, whether held on paper, computer or other media, is subject to the appropriate legal safeguards specified in the Act.
The Company fully endorses and adheres to the eight principles of the Act. These principles specify the legal conditions that must be satisfied relating to obtaining, handling, processing, transportation, storage and disposal of personal data. Employees and any others who obtain, handle, process, transport and store personal data for the Company must adhere to these principles.
The eight data protection principles of good practice require that personal data shall:
The Company will handle sensitive personal data with particular care. Before collecting or processing sensitive personal data, the Company will ensure that it has an appropriate legal basis in terms of the Act.
In order to comply with the data protection principles contained in the Act, the Company will ensure that:
This policy is mandatory and therefore any employees, including others who obtain, handle, process and share personal data on behalf of the Company, must adhere to the rules of this policy. Any breach of this policy will be taken seriously and may result in disciplinary action (in the case of an employee) and / or personal criminal liability for individuals involved in negligent or deliberate breaches.
The Company is registered with the Information Commissioner’s Officer as a Data Controller and its registration number is Z9081994.
The CEO is responsible for ensuring compliance with the Act and implementation of this policy on behalf of the Board. Any questions or concerns about the interpretation or operation of this policy should be addressed to the CEO. They may be contacted by calling 01738 493942 or emailing firstname.lastname@example.org.
This policy has been approved by the Board and any breach will constitute misconduct which is a disciplinary matter.
Any employee who considers that the policy has not been followed in respect of personal data about themselves or any other data subject should raise the matter immediately with the CEO.
In respect of information about themselves, all employees are responsible for:
If, as part of their responsibilities, employees collect information about members or other third parties, they must comply with this Policy, including Data Security arrangements.
The Company needs to ensure that personal data is kept securely and precautions must be taken against physical loss or damage, and that both access and disclosure of personal data within the Company must be restricted. Staff should ensure that:
The CEO is responsible for ensuring that data security arrangements are reviewed on an annual basis to ensure that the Company continues to meet the requirements of this policy and take account of any changes in the legal and operational environment. The date of the review shall be agreed by the Board and stated in the Policies and Procedures Status Report which is updated and reviewed at every Board meeting.
The policy for retention of data is defined by reference to relevant legislation, where applicable, and by requirements established by the Board, and is specified in the Data Retention Policy. The CEO is responsible for ensuring that the Data Retention Policy is implemented.
This policy is subject to formal review by the Board every three years.