General Data Protection Regulations and Procedure
Policy Statement
- Cray Valley Radio Society uses and stores personal information about its members. It is important that this information is handled lawfully and appropriately in line with the requirements of the Data Protection Act 2018 and the General Data Protection Regulation (collectively referred to as the ‘Data Protection Requirements’).
- The Society takes its data protection duties seriously, because we respect the trust placed in us to use personal information appropriately and responsibly.
About This Policy
- This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect or process. This policy may be amended at any time, and members will be notified through QUA.
- The Chairman of the Society is responsible for ensuring compliance with the Data Protection Requirements and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Chairman.
What is Personal Data?
- Personal data means data (whether stored electronically or paper based) relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in the Society’s possession)
- Processing is any activity that involves the use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Data Protection Principles
- Anyone processing personal data must ensure that data is:
- Processed fairly, lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes and any further processing is completed for a compatible purpose.
- Adequate, relevant and limited to what is necessary for the intended purposes.
- Accurate, and where necessary, kept up-to-date.
- Processed in line with the individual’s rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Fair and Lawful Processing
- The Data Protection Requirements are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual.
- The Society will only collect and process and individual’s personal data for the purposes of maintaining a membership register and for amateur radio licence training. The information stored in the membership register is as specified in Schedule 1. It will be processed solely in order to communicate with the member about Society business or other relevant amateur radio matters. Data collected for amateur radio licence training is specified in Schedule 2 and will be processed solely as part of the management of training courses and examinations.
Processing for Limited Purposes
- The Society will collect and process personal data for the specific purposes set out in Schedule 1 to this Policy. The data will be received directly from the data subject, for example, by completing forms or by mail, e-mail, telephone, or otherwise. All information stored in the membership register is used for internal purposes only.
- Personal data will be stored on a dedicated database for as long as the individual remains a member of the Society.
- The personal data will be stored on a dedicated database which will only be available to Committee members. Selected data points may be conveyed to other members, as necessary, in order to carry out a duty on behalf of the Committee. An example is the list of email addresses for the purpose of administering the Society’s email reflector.
Accurate and timely Data
- We will take all reasonable steps to ensure that any data held by the Society is accurate and is kept up to date.
- We will take all reasonable steps to destroy and amend inaccurate or out-of-date data, and to destroy any data which is no longer required.
- We will erase any personal data should a member decide not to renew his/her subscription to the Society.
Processing in line with Data Subjects’ Rights
- We will process all personal data in line with data subjects’ rights, in particular their right to:
- Confirmation as to whether or not personal data concerning the individual is being processed
- Request access to any data held about them
- Request rectification, erasure or restriction on processing of their personal data
- Lodge a complaint with a supervisory authority.
Data Security
- The Society will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
- The Society will put in place procedures and technologies to maintain the security of all personal data from collection to destruction.
- The Society will maintain data security by protecting the confidentiality, integrity and availability of the personal data, when:
- Confidentiality means that only elected committee members or any member acting on the committee’s behalf can access it
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. The data will be kept securely on the Society’s committee reflector.
Subject Access Requests
- Society members have the right to make a formal request to see all the information we hold about them. Such requests must be directed to the Chairman and the information will be provided as soon as possible, at the latest within one month.
Schedule 1
Data processing activities
Membership Register
Members’ data
The Society collects and stores the following data points to maintain a register of its members:
– First and last name (nickname if applicable)
– Amateur radio callsign (if licensed)
– E-mail address
– Phone number(s)
– Home address
– Date of birth
– Current occupation
– Membership of any other local or national societies
– RSGB Registered Assessor number (if relevant)
– Optional details of any particular professional links, skills or talents or other hobbies/interests
Use of members’ data
First and Last Name
We use this information to identify members and maintain a record of the individuals who are members of the Society.
Amateur radio callsign
We use the Amateur radio callsign to know the licence situation of the relevant member.
We may also use this to record the times which members operate on air during Society events. Callsigns recorded in logs of Society events may be forwarded to the organisers of competitions and government bodies as required. The Society sponsors awards which include working its members on the air. We publish lists of callsigns as part of the award rules.
E-mail address
We use the e-mail address to communicate Society matters to members. This includes the distribution of the monthly newsletter. We also use the e-mail address stored on the membership register to inform members of matters of importance, such as notification of the Annual General Meeting (AGM), the distribution of the relevant AGM material and renewal of Society membership.
We also use the e-mail address to maintain the Society’s reflector ([email protected]). The reflector is a member only facility, and we need to invite members to join by e-mail, and remove them if their membership lapses.
Phone numbers
We store phone numbers to be able to contact members as required.
The list of phone numbers allows the Society to compare the members of the WhatsApp group with the membership register.
Address
We use the postal address of a member as a backup in case other means of communication fail.
Furthermore, we use it to determine whether a member can receive a discounted subscription discount if living abroad.
If equipment owned by the Society is located at a member’s property, we use the relevant address for tracking and insurance purposes.
Date of birth
This information is kept for members under 18 years of age to determine whether they need a guardian at certain Society events.
Transmission of information to third parties
All information stored in the membership register is used for internal purposes only. The membership register is only accessible to members of the Society’s committee. It (or parts of it) are shared with individual members on a need to know basis to carry out tasks delegated to them by the committee. An example of this is the maintenance of the club reflector.
However, some of the Society’s procedures require the transmission of such information to third parties as outlined below, but no personal data will be used or shared for third party marketing.
Callsign
We may transfer the callsigns of members to third parties, such as the Radio Society of Great Britain, as part of submitting logs after events. Callsigns may also be published for the purposes of the Society’s “Cray Valley Award”.
Postal address
The insurance company which insures our equipment requires us to provide them with the location of each insured item.
Schedule 2
Data processing activities
Licence training and examinations
The Society collects and stores the following data points in order to manage training courses and examinations:
– Title and full name
– Home address
– Date of birth
– Sex
– Special requirements re disabilities or special needs
– Parent/guardian name if candidate is under 16
– Preferred name
– E-mail address
– Phone number(s)
– UK callsign and date achieved
– Whether application is for re-sit
Transmission of information to third parties
All information collected on the training form is for the purpose of administering training courses and examinations by the Society. The information is also transmitted to the Radio Society of Great Britain for their administration of examinations, but no personal data will be used or shared for third party marketing. For licence training and examinations, the effect of GDPR will, in future, be included on the examination application forms.