Data Protection and Security Policy

This policy was approved by the Board on 19 May 2016

1. Purpose

This policy details how Mountaineering Scotland (the “Company”) meets the requirements of the Data Protection Act 1998 (the “Act”) with regard to the handling and security of personal data.

The length of time that personal data is held is specified in a separate document, the Data Retention Policy, which covers both statutory and non-statutory records.

2. Scope

This policy applies to the personal data of employees, members and third parties for whom the Company is required to maintain data records for operational purposes.

3. Introduction

The Company is required to maintain certain personal data about living individuals for operational purposes, and in doing so recognises the importance of the correct and lawful treatment of such data.

Subjects about whom the Company may hold data include current, past and prospective employees, and members and third parties with whom it contracts. All personal data, whether held on paper, computer or other media, is subject to the appropriate legal safeguards specified in the Act.

The Company fully endorses and adheres to the eight principles of the Act. These principles specify the legal conditions that must be satisfied relating to obtaining, handling, processing, transportation, storage and disposal of personal data. Employees and any others who obtain, handle, process, transport and store personal data for the Company must adhere to these principles.

4. Principles

The eight data protection principles of good practice require that personal data shall:

a) Be processed fairly and lawfully and shall not be processed unless certain conditions are met;
b) Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
c) Be adequate, relevant and not excessive for those purposes;
d) Be accurate and, where necessary, kept up to date;
e) Not be kept for longer than is necessary for that purpose;
f) Be processed in accordance with the data subject’s rights;
g) Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
h) Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

5. Satisfaction of principles

In order to comply with the data protection principles contained in the Act, the Company will ensure that:

a) adequate compliance arrangements, including adequate business processes, are established to implement this policy;
b) all Board members are made aware of this policy;
c) methods of handling personal data are regularly assessed and evaluated;
d) there is someone with specific responsibility for data protection in the Company;
e) everyone within the Company who is managing and handling personal data is appropriately trained to do so and understands that the Company is legally responsible for complying with the Act and following good data protection practice;
f) queries and complaints about handling personal data are promptly and courteously dealt with in accordance with the Company’s Complaints Procedure;
g) data sharing is carried out under a written agreement setting out the scope and limits of the sharing, and any disclosure of personal data is in compliance with approved procedures;
h) paper files and other records or documents containing personal / sensitive personal data are kept in a secure environment;
i) access to personal data is only provided on a “need to know” basis to those staff who require access for the purposes of fulfilling the requirements of their role within the Company;
j) subject access requests are complied with in accordance with the requirements of the Act;
k) appropriate technical measures, including internet security, anti-virus software and firewalls, are installed against data security risks;
l) appropriate organisational measures, including locking filing cabinets and drawers, are made available throughout the organisation to ensure that personal data is locked away when it is not required and clean desks are maintained;
m) personal data held on computers and computer systems is protected by the use of secure passwords, which have “forced” changes periodically;
n) individual passwords are chosen such that they are not easily compromised; and
o) all service providers who have access to personal data of which the Company is the data controller are made aware of this policy and are fully trained in and aware of their duties and responsibilities under the Act.

The Company will handle sensitive personal data with particular care. Before collecting or processing sensitive personal data, the Company will ensure that it has an appropriate legal basis in terms of the Act.

This policy is mandatory: all employees, and any others who obtain, handle, process or share personal data on behalf of the Company, must adhere to its rules. Any breach of this policy will be taken seriously and may result in disciplinary action (in the case of an employee) and / or personal criminal liability for individuals involved in negligent or deliberate breaches.

6. Designated Data Controller

The Company is registered with the Information Commissioner’s Office as a Data Controller and its registration number is Z9081994.

The CEO is responsible for ensuring compliance with the Act and implementation of this policy on behalf of the Board, and may be contacted at:

CEO
Mountaineering Scotland
The Granary
West Mill Street
Perth
PH1 5QP
01738-493942
david@mountaineering.scot

Any questions or concerns about the interpretation or operation of this policy should be addressed to the CEO.

7. Status of the Policy

This policy has been approved by the Board, and any breach will constitute misconduct, which is a disciplinary matter.

Any employee who considers that the policy has not been followed in respect of personal data about themselves or any other data subject should raise the matter immediately with the CEO.

8. Subject Access

All individuals who are the subject of personal data held by the Company are entitled to:

  • Ask what information the Company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed what the Company is doing to comply with its obligations specified in the Act.

Requests must be responded to within 40 calendar days of receipt of the request.

9. Employee Responsibilities

In respect of information about themselves, all employees are responsible for:

  • Checking that any personal data that they provide to the Company is accurate and up to date.
  • Informing the CEO of any changes to information which they have provided, e.g. changes of address.

If, as part of their responsibilities, employees collect information about members or other third parties, they must comply with this Policy, including Data Security arrangements.

10. Data Security

The Company must ensure that personal data is kept securely, that precautions are taken against physical loss or damage, and that both access to and disclosure of personal data within the Company are restricted. Staff should ensure that:

  • Any personal data relating to themselves, members or third parties which they hold is kept securely in a locked cabinet or password-protected computer file.
  • Personal information relating to themselves, members or third parties is not disclosed, either orally, in writing or otherwise, to any unauthorised third party.
  • Credit and debit card information provided by members or purchasers of products is destroyed immediately by shredding following a transaction.
  • Bank account information, such as that retained for Direct Debit purposes or shown on invoices, is kept in a filing cabinet which is locked at all times.

The CEO is responsible for ensuring that data security arrangements are reviewed on an annual basis, so that the Company continues to meet the requirements of this policy and takes account of any changes in the legal and operational environment. The date of the review shall be agreed by the Board and stated in the Policies and Procedures Status Report, which is updated and reviewed at every Board meeting.

11. Subject Consent

The need to process personal data for operational purposes is communicated to staff, elected volunteers, members, coaches and route setters at the time of data collection.

If the data is sensitive, defined as concerning health, race, gender, or protected characteristics under the Equality Act 2010, explicit consent to process the data must be obtained by the Company.

12. Retention of Data

The policy for retention of data is defined by reference to relevant legislation, where applicable, and by requirements established by the Board, and is specified in the Data Retention Policy. The CEO is responsible for ensuring that the Data Retention Policy is implemented.

13. Disclosure of personal data

Employees

The Company will disclose employees’ personal data to third parties for the following purposes:

  • To comply with legal requirements
  • In respect of the Company’s auto-enrolment pension scheme
  • In respect of the sportscotland payroll bureau service
  • Where relevant to membership of the Protecting Vulnerable Groups (PVG) Scheme

Elected Volunteers

The Company will disclose elected volunteers’ personal data where legally required to do so in respect of the Companies Act 2006.

Members

A key principle of the policy is that the Company will not disclose members’ personal data to third parties, except for the following purposes:

  • Membership data and records management: The membership system is operated by Azolve Limited, a company registered as a Data Controller with the Information Commissioner’s Office. Members’ personal data is protected in a secure environment by Azolve systems and subject to its Data Protection Policy, which is available at /selfservice-conditions.asp
  • Processing financial transactions: We act upon members’ instructions concerning authorisation of payments, and share necessary data with our bank and card payment processors for payment transaction purposes
  • Delivery of Scottish Mountaineer magazine and Members’ News emails: We share members’ postal and/or email address data, dependent upon the delivery method(s) specified by members, with Herald and Times Group Magazines, which will not share members’ data with any third party, with the exception of postal addresses with their chosen magazine distribution contractor
  • Confirmation of membership with the Mountain Training Candidate Management System (CMS): Where members register as a candidate on the Mountain Training CMS we will confirm membership through an automated electronic membership checking and confirmation process

14. Policy Review

This policy is subject to formal review by the Board every 3 years.