GDPR

BACKGROUND

From 25th May 2018, SAR needs to be fully compliant with EU legislation governing General Data Protection Regulation (GDPR).

Put simply, SAR needs to:-

i) Define the personal data held on members

ii) Explain to members why such data are held

iii) Define the period for which the data are held

iv) Honour the wishes of members who elect to opt out

v) Obtain explicit agreement to the above from all members.

In order to achieve compliance with the GDPR legislation, the SAR committee have completed a review of data held on members and formulated the following policy.

SAR POLICY

Policy Governance

SAR needs to establish and maintain policies and procedures which are compliant with the GDPR EU legislation from 25th May 2018, the date the law comes into force.

SAR needs to detect, report and investigate any personal data breach.

A breach which may result in a risk to the rights and freedoms of individuals (e.g. it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage) needs to be reported to the UK Information Commissioner’s Office (ICO) within 72 hours, and members within 3 days.

To maintain focus on GDPR, it will be an agenda item at every committee meeting, at least until the March 2019 AGM.

SAR GDPR Policy will be reviewed annually and, where necessary, ratified at each AGM.

Personal Data on Members will be held securely whether in paper or electronic form and will not be shared with a third party without the explicit agreement of the member concerned. SAR Newsletters and other documents will continue to be reviewed and personal details removed, before being stored on the SAR Website.

SAR will appoint a Data Protection Officer from within the committee.

Personal Data Held on Members

For clarity, this policy distinguishes between:-

i) General Personal Data, which is the data required for carrying out the everyday business of SAR, and

ii) Specific Personal Data, which is data required occasionally for specific purposes such as processing a refund.

This distinction is made in this document for clarity because it determines how the data are collected and how long the data are retained (see below), but it in no way impacts SAR’s responsibilities under the GDPR legislation, which remain the same in both cases.

General Personal Data Held on Members

SAR holds the following data on members in order to carry out the everyday business of SAR, but honours the wishes of members who have elected to opt out:-

i) Name

ii) Address

iii) Home Telephone Number

iv) Mobile Number

v) E-mail Address

vi) Next of Kin – Name and Emergency Contact Details

vii) Health Conditions and Health Concerns

Why General Personal Data on Members is held

Data held on members will only be used for the following purposes:-

i) Managing membership status and subscriptions

ii) Providing effective and appropriate membership

iii) Communicating with members with regards to organisational issues

iv) Communicating with members/leaders with regards to walks, trips and events

v) Informing walk leaders of information that may be required in an emergency

How General Personal Data on Members is collected

Personal Data are collected via the Membership Application Form and the Membership Renewal Form. Each form refers members to the SAR GDPR Policy held on the SAR Website and also has a box for members to tick to give consent to SAR to use their Personal Data, but only for the purposes detailed in the SAR GDPR Policy. Where consent is not given, SAR will not keep the data.

Where General Personal Data on Members is Held

SAR committee members hold personal data in the form of paper and computer records in order to fulfil their committee roles and responsibilities. Emergency contact details of members are also enclosed in the SAR first aid kits which are passed to walk leaders.

Period for which General Personal Data on Members is held

In the instance of members choosing not to renew their membership, SAR will remove their records and confirm that this has been done, at the next AGM.

Specific Data Held on Members, How Collected and Period Kept.

Occasionally SAR will request Specific Data from individual members, over and above the General Personal Data referred to above. The request will be for a specific purpose which will be made clear to the member concerned. SAR will ensure approval is given before the data are held and subsequently used as agreed. Examples of such data will include:-

i) Bank Account details (sort code, account number, account name) requested and held by the SAR Treasurer only, in order to effect a refund.

ii) Passport and personal travel insurance details where required for the booking of an Away Trip with a third party provider

SAR will hold such data securely until immediately after the data has been used for the purpose agreed with the member.
