This policy was approved by the Board on 19 May 2016
This policy details how Mountaineering Scotland (the “Company”) meets the requirements of the Data Protection Act 1998 (the “Act”) with regard to the handling and security of personal data.
The length of time that personal data is held is specified in a separate document, the Data Retention Policy, which covers both statutory and non-statutory records.
This policy applies to employees’, members’ and third parties’ personal data for whom the Company is required to maintain data records for operational purposes.
The Company is required to maintain certain personal data about living individuals for operational purposes, and in doing so recognises the importance of the correct and lawful treatment of such data.
Subjects about whom the Company may hold data include current, past and prospective employees, members and third parties with whom it contracts. All personal data, whether held on paper, computer or other media, is subject to the appropriate legal safeguards specified in the Act.
The Company fully endorses and adheres to the eight principles of the Act. These principles specify the legal conditions that must be satisfied relating to obtaining, handling, processing, transportation, storage and disposal of personal data. Employees and any others who obtain, handle, process, transport and store personal data for the Company must adhere to these principles.
The 8 data protection principles of good practice require that personal data shall:
a) Be processed fairly and lawfully and shall not be processed unless certain conditions are met;
b) Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
c) Be adequate, relevant and not excessive for those purposes;
d) Be accurate and, where necessary, kept up to date;
e) Not be kept for longer than is necessary for that purpose;
f) Be processed in accordance with the data subject’s rights;
g) Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
h) Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
5. Satisfaction of principles
In order to comply with the data protection principles contained in the Act, the Company will ensure that:
a) adequate compliance arrangements, including adequate business processes, are established to implement this policy;
b) all Board members are made aware of this policy;
c) methods of handling personal data are regularly assessed and evaluated;
d) there is someone with specific responsibility for data protection in the Company;
e) everyone within the Company who is managing and handling personal data is appropriately trained to do so and understands that the Company is legally responsible for complying with the Act and following good data protection practice;
f) queries and complaints about handling personal data are promptly and courteously dealt with in accordance with the Company’s Complaints Procedure;
g) data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures;
h) paper files and other records or documents containing personal / sensitive personal data are kept in a secure environment;
i) access to personal data is only provided on a “need to know” basis to those staff who require access for the purposes of fulfilling the requirements of their role within the Company;
j) subject access requests are complied with in accordance with the requirements of the Act;
k) appropriate technical measures, including internet security, anti-virus software and firewalls, are installed against data security risks;
l) appropriate organisational measures, including locking filing cabinets and drawers, are made available throughout the organisation to ensure that personal data is locked when it is not required and clean desks are maintained;
m) personal data held on computers and computer systems is protected by the use of secure passwords, which have “forced” changes periodically;
n) individual passwords should be such that they are not easily compromised; and
o) all service providers who have access to personal data of which the Company is the data controller are made aware of this policy and are fully trained in and aware of their duties and responsibilities under the Act.
The Company will handle sensitive personal data with particular care. Before collecting or processing sensitive personal data, the Company will ensure that it has an appropriate legal basis in terms of the Act.
This policy is mandatory and therefore all employees, and any others who obtain, handle, process and share personal data on behalf of the Company, must adhere to the rules of this policy. Any breach of this policy will be taken seriously and may result in disciplinary action (in the case of an employee) and/or personal criminal liability for individuals involved in negligent or deliberate breaches.
6. Designated Data Controller
The Company is registered with the Information Commissioner’s Office as a Data Controller and its registration number is Z9081994.
The CEO is responsible for ensuring compliance with the Act and implementation of this policy on behalf of the Board, and may be contacted at:
West Mill Street
Any questions or concerns about the interpretation or operation of this policy should be addressed to the CEO.
7. Status of the Policy
This policy has been approved by the Board and any breach will constitute misconduct which is a disciplinary matter.
Any employee who considers that the policy has not been followed in respect of personal data about themselves or any other data subject should raise the matter immediately with the CEO.
8. Subject Access
All individuals who are the subject of personal data held by the Company are entitled to:
Requests must be responded to within 40 calendar days of receipt of the request.
9. Employee Responsibilities
In respect of information about themselves, all employees are responsible for:
If, as part of their responsibilities, employees collect information about members or other third parties, they must comply with this Policy, including Data Security arrangements.
10. Data Security
The Company needs to ensure that personal data is kept securely, that precautions are taken against physical loss or damage, and that both access to and disclosure of personal data within the Company are restricted. Staff should ensure that:
The CEO is responsible for ensuring that data security arrangements are reviewed on an annual basis to ensure that the Company continues to meet the requirements of this policy and take account of any changes in the legal and operational environment. The date of the review shall be agreed by the Board and stated in the Policies and Procedures Status Report which is updated and reviewed at every Board meeting.
11. Subject Consent
The need to process personal data for operational purposes is communicated to staff, elected volunteers, members, coaches and route setters at the time of data collection.
If the data is sensitive, defined as concerning health, race, gender, or protected characteristics under the Equality Act 2010, explicit consent to process the data must be obtained by the Company.
12. Retention of Data
The policy for retention of data is defined by reference to relevant legislation, where applicable, and by requirements established by the Board, and is specified in the Data Retention Policy. The CEO is responsible for ensuring that the Data Retention Policy is implemented.
13. Disclosure of personal data
The Company will disclose employees’ personal data to third parties for the following purposes:
The Company will disclose elected volunteers’ personal data where legally required to do so in respect of the Companies Act 2006.
A key principle of the policy is that the Company will not disclose members’ personal data to third parties, except for the following purposes:
14. Policy Review
This policy is subject to formal review by the Board every 3 years.