Our website uses cookies throughout our system and to help us provide a better service. Continue to use the site as normal if you're happy with this, or click here to change your settings

Data protection and security policy

This policy details how Mountaineering Scotland meets the requirements of the Data Protection Act 1998 (the “Act”) and General Data Protection Regulation 2018 (GDPR) with regard to the handling and security of personal data.

The length of time that personal data is held can be found in a separate document, the Data Retention Policy, which covers both statutory and non-statutory records.

Privacy notice

>>> Members and customers should read our privacy notice which explains what data we hold, why we hold it and your data rights


This policy applies to employees’, members’ and third parties’ personal data for whom the Company is required to maintain data records for operational purposes.


The Company is required to maintain certain personal data about living individuals for operational purposes, and in doing so recognises the importance of the correct and lawful treatment of such data.

Subjects about who the Company may hold data include current, past and prospective employees; members and third parties with whom it contracts. All personal data, whether held on paper, computer or other media, is subject to the appropriate legal safeguards specified in the Act.

The Company fully endorses and adheres to the eight principles of the Act. These principles specify the legal conditions that must be satisfied relating to obtaining, handling, processing, transportation, storage and disposal of personal data. Employees and any others who obtain, handle, process, transport and store personal data for the Company must adhere to these principles.

Key principles

The eight data protection principles of good practice require that personal data shall:

  • Be processed fairly and lawfully and shall not be processed unless certain conditions are met;
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  • Be adequate, relevant and not excessive for those purposes;
  • Be accurate and, where necessary, kept up to date;
  • Not be kept for longer than is necessary for that purpose;
  • Be processed in accordance with the data subject’s rights;
  • Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
  • Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Key actions

The Company will handle sensitive personal data with particular care. Before collecting or processing sensitive personal data, the Company will ensure that it has an appropriate legal basis in terms of the Act.

In order to comply with the data protection principles contained in the Act, the Company will ensure that:

  • Adequate compliance arrangements, including adequate business processes, are established to implement this policy;
  • All Board members are made aware of this policy;
  • Methods of handling personal data are regularly assessed and evaluated;
  • There is someone with specific responsibility for data protection in the Company;
  • Everyone within the Company who is managing and handling personal data is appropriately trained to do so and understands that the Company is legally responsible for complying with the Act and following good data protection practice;
  • Queries and complaints about handling personal data are promptly and courteously dealt with in accordance with the Company’s Complaints Procedure;
  • Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing.  Any disclosure of personal data will be in compliance with approved procedures;
  • Paper files and other records or documents containing personal / sensitive personal data are kept in a secure environment;
  • Access to personal data is only provided on a “need to know” basis to those staff who require access for the purposes of fulfilling the requirements of their role within the Company;
  • Comply with subject access requests in accordance with the requirements of the Act;
  • Appropriate technical measures, including internet security, anti-virus software and firewalls, are installed against data security risks;
  • Appropriate organisational measures, including locking filing cabinets and drawers, are made available throughout the organisation to ensure that personal data is locked when it is not required and clean desks are maintained;
  • Personal data held on computers and computer systems is protected by the use of secure passwords, which have “forced” changes periodically;
  • Individual passwords should be such that they are not easily compromised; and
  • Ensure that all service providers who have access to personal data of which the Company is the data controller are aware of this policy and are fully trained in and aware of their duties and responsibilities under the Act.

This policy is mandatory and therefore any employees, including others who obtain, handle, process and share personal data on behalf of the Company, must adhere to the rules of this policy.  Any breach of this policy will be taken seriously and may result in disciplinary action (in the case of an employee) and / or personal criminal liability for individuals involved in negligent or deliberate breaches.

Designated data controller

The Company is registered with the Information Commissioner’s Officer as a Data Controller and its registration number is Z9081994.

The CEO is responsible for ensuring compliance with the Act and implementation of this policy on behalf of the Board. Any questions or concerns about the interpretation or operation of this policy should be addressed to the CEO. They may be contacted by calling 01738 493942 or emailing info@mountaineering.scot

Status of the policy

This policy has been approved by the Board and any breach will constitute misconduct which is a disciplinary matter.

Any employee who considers that the policy has not been followed in respect of personal data about themselves or any other data subject should raise the matter immediately with the CEO.

Employee responsibilities

In respect of information about themselves, all employees are responsible for:

  • Checking that any personal data that they provide to the Company is accurate and up to date.
  • Informing the CEO of any changes to information which they have provided, e.g. changes of address.

If, as part of their responsibilities, employees collect information about members or other third parties, they must comply with this Policy, including Data Security arrangements.

Data security

The Company needs to ensure that personal data is kept securely and precautions must be taken against physical loss or damage, and that both access and disclosure of personal data within the Company must be restricted. Staff should ensure that:

  • Any personal data relating to themselves, members or third parties which they hold is kept securely in a locked cabinet or password-protected computer file
  • Personal information relating to themselves, members or third parties is not disclosed either orally or in writing or otherwise to any unauthorised third party.
  • Credit and debit card information provided by members or purchasers of products is destroyed immediately by shredding following a transaction.
  • Bank account information, such as that retained for Direct Debit purposes or shown on invoices is kept in a filing cabinet which is locked at all times.

The CEO is responsible for ensuring that data security arrangements are reviewed on an annual basis to ensure that the Company continues to meet the requirements of this policy and take account of any changes in the legal and operational environment. The date of the review shall be agreed by the Board and stated in the Policies and Procedures Status Report which is updated and reviewed at every Board meeting.

Retention of data

The policy for retention of data is defined by reference to relevant legislation, where applicable, and by requirements established by the Board, and is specified in the Data Retention Policy. The CEO is responsible for ensuring that the Data Retention Policy is implemented.

Policy review

This policy is subject to formal review by the Board every three years.