THE DATA PROTECTION POLICIES
Data Protection Statement of Principle
Personal data on living individuals supporting the operation of the Morris Marina Owners Club is held by The Membership Secretary. The GDPR applies to this data whether it is held electronically or in structured paper form. The Morris Marina Owners Club is registered as the Data Controller for all such data wherever it is held within the Club.
The Club has an obligation to make sure this data is accurate, up to date, relevant and secure, and that the Club conforms with the law in the way this data is collected and handled. To meet that obligation, the Club will:
- Value the personal data entrusted to us and make sure we respect that trust;
- Go further than just the letter of the law when it comes to handling personal data, and adopt good practice standards;
- Consider and address the privacy risks first when we are planning to use or hold personal data in new ways, such as when introducing new systems;
- Be open with individuals about how we use their data and who we give it to;
- Make it easy for individuals to access and correct their personal data;
- Keep personal data to the minimum necessary and delete it when we no longer need it;
- Have effective safeguards in place to make sure personal data is kept securely and does not fall into the wrong hands;
- Provide training to those who handle personal data and treat it as a disciplinary matter if they misuse or don’t look after personal data properly;
- Put appropriate financial and human resources into looking after personal data to make sure we can live up to our promises; and
- Regularly check that we are living up to our promises and report on how we are doing.
Separate policies and processes detail who should have access to personal data, what precautions should be in place when acquiring and storing personal data, and what specific measures should be in place to secure that data. Personal data must not be given to any person outside of these parameters without the express permission of the individual concerned.
PERSONAL DATA HANDLING IN THE MORRIS MARINA OWNERS CLUB
The Morris Marina Owners Club processes personal data as follows:
Name: Morris Marina Owners Club.
Contact details: The Data Controller, The Morris Marina Owners Club, 30 Knapp Lane, Cam, Dursley, Gloucestershire, GL11 5LT
The Morris Marina Owners Club is a single legal entity acting as Data Controller for all personal data held within and processed by the Morris Marina Owners Club.
- The Morris Marina Owners Club processes personal information to provide defined membership services (including a regular magazine); to administer an event, contest, promotion or survey; to support Club activities, including Registers of cars and local Natters; to process transactions; to personalize the member experience; to improve our websites; to improve customer service; and to send periodic emails relating to Club activities.
- The personal data of employees, contractors, Club members, MARINA car owners and regalia shop customers is processed.
- The personal data processed includes contact details (name, addresses, phone numbers, email addresses), lifestyle and social circumstances, and financial information.
- The Club shares personal data with approved suppliers of services to the Club and with members of the Club where necessary to provide member services. Where necessary or required by law, we also share information with family, associates and representatives of the person whose personal data we are processing, and with current, past or prospective employees.
- No data is transferred to any third countries or international organisations outside the EU without the explicit permission of the data subject.
- There is a Data Retention Policy that ensures all personal data is only retained for as long as necessary, subject to legal or third party constraints.
- All files and databases storing personal data are subject to appropriate security controls, including imposition of controls on access, as specified in the Security Policy.
Note: This statement replaces the Registration Form previously submitted to the Information Commissioner’s Office. Such Registration is no longer a legal requirement from 1st April 2018.
POLICY ON ACCESS TO PERSONAL DATA
This Policy applies to all those, whether Morris Marina Owners Club Committee Members, Club Members or otherwise, who potentially have access to files or databases containing personal data.
- Access to files and databases containing personal data on living individuals must be restricted to those so authorised, as set down below.
- Any request for personal data in any such file or database must be channelled through an authorised person for that file or database.
- Permission must be sought from the Data Subject before any such data is disclosed to an unauthorised person.
- The person recorded as responsible for a specific file or database:
  - Must ensure the accuracy and relevance of the personal data contained within it.
  - Must maintain a record of those authorised to access it, ensuring that this access control is enforced.
  - Must ensure that it is secured in conformance with the security policy, including occasions when part or all of a file or database may be communicated electronically or transported via mobile devices.
  - Must delete the personal data when no longer needed.
  - Must inform the Morris Marina Owners Club Chairman when any potential compromise or unauthorised disclosure of personal data occurs, or when a Data Subject request is received.
- Where personal data is held on files or databases managed by third parties (including cloud services), specific contractual terms must be included requiring them to conform to these Policies and to inform the Morris Marina Owners Club should potential compromise or unauthorised access occur.
Data held by Membership Secretary
- All such files and databases will be accessible to Morris Marina Owners Club Committee members.
- Authority to access specific files or databases can be given to individual Morris Marina Owners Club Members, contractors and other casual staff by the Chairman as needed to carry out assigned tasks.
- The Chairman can authorise the provision of extracts from such files and databases to Area reps for specified purposes.
POLICY ON NOTICES
In order for the Morris Marina Owners Club to conform to the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 it is essential that all relevant documents and web site pages contain specific Notices and contact details.
Given that personal data is only provided to, and held by, the Club for specific purposes – for example, to become a member, to add information to a car Register, to enter an event – the Club collects such data on the legal basis of “Legitimate Interests”. This does not affect the use of “tick boxes” to indicate personal preferences for the sharing of non-personal data (such as technical information on a car in a Register).
This Policy sets down the Notices and contact details that must be included in the appropriate place in all such documents and web sites to support this legal basis.
Note that where Direct Marketing material is provided, explicit consent must be obtained, as described in the associated Policy.
Contact details for the Data Controller (General Manager) must be included on every web page and on every paper form.
Notices will be structured differently for web-based pages and paper forms. Pro-forma Notices are provided in the Guidance Notes.
All web pages that collect personal information must include a written Notice on the same page.
Notices on web sites should be tailored to the particular use being made of the personal information collected. They should be of the following form:
A generic statement summarising how the personal information provided will be used. Examples are “to provide the listed members services”, “to process your event entry application”, “to send you a newsletter”. There needs to be a simple way for people to find out what the reasons mentioned actually cover in detail where this is not obvious. Detailed guidance is provided in the Pro-Forma Notices.
Where a subscription service is offered, the Notice must also include a statement on how to request removal from provision of that service, for example, by written request, or by ticking an “Unsubscribe” box.
A statement listing the reason(s) for collecting the information will still be needed. Where the simple statement is not sufficient, contact details must be provided where more information can be obtained.
Where a subscription service is offered, the Notice must also include a statement on how to request removal from provision of that service.
POLICY ON DIRECT MARKETING
Direct Marketing is defined as “the communication of any advertising or marketing material which is directed to particular individuals”. This would include inserts into magazines, or wording in newsletters, for example, sent to a list of named individuals. It does not include items such as event entry forms. See the Guidance notes for further information. It also does not include material on publicly available channels, such as web sites.
Any material considered to be Direct Marketing, whether digitally or on paper, will only be sent to those who have explicitly consented to its receipt. Where such material is sent out, the following will apply.
- Before an individual can be added to a distribution list that could include direct marketing material, they must have explicitly consented to being included in such a list.
- As part of any subscription process they must be provided with information explaining what they will be receiving, why they are receiving it, how the material will be distributed – email, leaflet, etc – and how frequently. A Notice associated with this information will seek their explicit consent and will state how they can withdraw that consent.
- Consent can be confirmed by positively ticking a box, by clicking on a button or by signing a form. Pre-set responses (such as pre-ticked boxes) are specifically forbidden.
- A record will be kept associated with their personal data in that distribution list of the date of that consent, how they consented and detail of what they have consented to.
- The validity of such consents will be reviewed regularly – particularly should there be any significant change in the form or frequency of material sent out.
- No set of personal data can be used as the basis for distribution of direct marketing material to any person on that list unless they are recorded as having explicitly consented to receipt of such material.
POLICY ON DOCUMENTATION
Recording Databases/Files
The person responsible for managing each database/file that contains personal data must formally sign as accepting that responsibility, in a form that can be provided to the Chairman for long-term data, or on request for local data.
The following form will be completed for each such file or database for this purpose.
| Field | Content |
| --- | --- |
| File or Database purpose | Brief statement of the purpose of the file or database. |
| Source of the data | Types of people who provide the personal data (eg: Members, car owners) and how it is collected – via web pages, forms, public sources. |
| What data is collected | Itemised list of the personal data collected. |
| Person Responsible | Person identified as responsible for this file or database (the Data Processor). |
| Where physically held | Where it is held – on a home PC, with a web site service provider, on paper forms, etc. |
| Other authorised persons | List of other people (and organisations) authorised to access that file or database. |
| Retention period | For how long it is intended to keep the data, and why. |
| Signature | Signature of the Data Processor acknowledging acceptance of the role. |
| Date deleted | Where appropriate, when the file/database was deleted. |
All files and databases that contain personal data must be held secure. How these security measures are applied will depend on the type of computer and software being used. Morris Marina Owners Club will provide technical standards and guidance in support of this policy.
- Virus scan all data input to a stand-alone system by whatever route (USB stick, CD, external disc drive, etc) before any data is transferred.
- Set up logical and/or physical access controls that ensure only those authorised can access those files and databases containing personal data.
Systems connected to the Internet
- Must be protected by a reliable firewall and anti-virus systems that are maintained up-to-date.
- Must run a reliable anti-spyware detection package at regular intervals to scan for malware.
- Must have access controls in place that ensure only those authorised can access those files and databases containing personal data, whether locally, remotely or over the web.
- Must keep up-to-date the operating system (eg Windows) and other key software (including security software and browsers) with critical patches issued by the supplier.
- Must minimise the opportunity for compromise by, for example, using spam filters on emails, not opening suspect emails and not visiting suspect web sites.
- Files or databases containing personal data stored on a remote system, not directly under the control of the Data Processor (such as a cloud service), will be encrypted, with the keys held by the Data Processor.
- It must be possible to restore such files or databases should the remote system become unavailable.
- Protect files or databases containing personal data when held on a portable device such as USB sticks, external disc drives, CDs or a laptop in a public place or outside the control of an authorised person. This may require use of a common encryption process.
- Such portable devices must be traceable at all times.
- If such information is sent via an external carrier, Recorded Delivery or an equivalent service must be used to ensure that any failure to deliver, with potential loss of the associated personal data, is known.
- Regular back-ups of relevant files and/or databases must be taken, and checks made that these back-ups are recoverable. A copy of each back-up must be kept in a remote location in case the primary location is lost.
- If use is made of remote data back-up services, the Data Processor must ensure that the remote service has adequate data protection policies in place, and that data is encrypted, with the keys managed by the Data Processor.
Paper records containing personal data should be kept separate from other paperwork, preferably in a lockable container.
DATA RETENTION PERIODS
Personal data must only be retained for as long as necessary to meet the defined processing needs, legal or contractual requirements. Once no longer needed, it must be deleted. Note that this does not require deletion of the complete record, file or database – merely the personal data within them.
Normally, personal data should be deleted as soon as it is no longer needed. The following maximum retention periods will be applied, unless otherwise required by law or regulations (such as the MSA). Exceptions may be agreed by the Chairman (Data Controller) for specific files or databases.
Membership records: Records held on the current electronic database will be deleted 3 years from the date at which the membership last expired. Paper records no longer active will be stored securely. They will be destroyed where no longer of any historic significance, although it is likely that the personal details contained therein are no longer valid (for example, the person has died, or changed address).
Car Registration Details/Car History files: These can be kept indefinitely as the declared purpose is to maintain a record of car histories. However, provision must be made for individuals to have their personal data removed from a car record if so requested.
Shop purchase details: Personal details should be deleted not more than 3 months after the order has been delivered (to allow time to address queries, etc). Where personal details are retained indefinitely to improve the overall service, this should be clearly stated as part of the ordering process.
Activity Entry Forms/mailing lists/etc: The retention period for personal details associated with activities will depend on the nature of the activity. Within the Morris Marina Owners Club there is a distinction between the time personal data needs to be retained for operational reasons, and for legal or contractual reasons. This distinction is particularly relevant for CRBs, who need to provide the Chairman with lists of files/databases that are retained for a significant period of time (long-term data) – such as MSA registered events, Natter lists, newsletter lists – but not those that are needed only to support a specific short-term activity (local data) – such as local runs or social events.
Long-term files and databases will be retained for not more than 2 years from completion of the activity (unless over-ridden by legal or regulatory requirements) except where the collected personal details are retained in permanent files or databases, which can be kept indefinitely – but the associated documentation must make clear this happens, and provision must be made for people to have their details removed.
Local activities will be retained within the CRB. All associated records must be deleted within 2 years of an activity finishing (unless over-ridden by legal or regulatory requirements).
All MSA regulated events must retain the associated data for not less than 3 years.
Forums: Associated registration personal details can be kept indefinitely as the declared purpose is to control access to the Forum, and to allow private messaging between registered users. However, provision must be made for individuals to have their personal data removed if so requested.
POLICY ON HANDLING PERSONAL DATA ACCESS ISSUES
This Policy applies to all persons and third parties responsible for a file or database that contains personal data. It also applies to any other responsible person within the Morris Marina Owners Club or contracted third party who becomes aware of a compromise of personal data held by the Morris Marina Owners Club or is the recipient of a Data Subject formal complaint or Request.
Note that the Chairman is the Data Controller for the Morris Marina Owners Club unless otherwise specified by the Committee.
- The Data Controller must be informed of any compromise of personal data as soon as it is known, together with all relevant details on the nature of the compromise. An initial report must be made within 72 hours, even if full details of the potential compromise have yet to be established.
- The Data Controller must be informed if any device containing a file or database containing personal data is lost or stolen within 72 hours of that incident.
- Anyone receiving a formal complaint or request in any form from a Data Subject must acknowledge receipt and immediately pass that complaint or request on to the Data Controller for action. The Data Controller will work with the relevant Data Processor(s) to satisfy the request.
- Anyone receiving a communication from the Information Commissioner’s office must immediately pass that communication on to the Chairman (as Data Controller for the MMOC&IR), informing the ICO of this action.
Any public statement relating to any issue involving personal data or Data Subject communications must first be cleared with the General Manager.
| Section | Content |
| --- | --- |
| Information Collected | What information we collect about you |
| Use of Personal Information | How we use your personal information |
| Disclosures | Control of information we disclose to Partners |
| Links | How links to 3rd party sites are managed |
| International Transfers | Transfers of data outside the EU |
| Security | How we secure your personal information |
| Selecting Information | How you can unsubscribe from some services |
| Subject Access Requests | How you can submit a Subject Access Request |
INFORMATION COLLECTED
We collect the following kinds of personal information.
| Type of personal information | Description |
| --- | --- |
| Contact | Where you live and how to contact you. This includes name, address, email address, phone numbers. |
| Financial | Your bank and credit card details to support financial transactions with the Club. |
| Transactional | Details of payments you have made. |
| Date of Birth | When we need to verify your age. |
| For Race Entries only: | |
| Documentary Data | Your MSA Licence number |
| Personal Relationships | Next of Kin details in case of accident. |
This information will be used only for the purpose for which it is provided (Legitimate Interests), as described in Paragraph 3 below. Paragraph 9 below explains how you may inform the Morris Marina Owners Club at any time if you wish it to cease using your personal information for such purposes. This may prevent you receiving any of the defined benefits of membership of the Morris Marina Owners Club.
We may collect personal information:
- When you complete a membership application form
- When you purchase goods from the Club.
- When you provide car details for inclusion in car Registers
- When you complete an event application form.
- When you are associated with a Register, Centre or Branch.
- When you subscribe to a newsletter or other optional communication.
- When you talk to us on the phone
- When you use our websites
- In emails and letters
- In member surveys
The Morris Marina Owners Club will from time to time also collect information about you that does not reveal your identity. It will use this information for research or editorial purposes and occasionally for other internal purposes. At all times it will be used in aggregate form and will not be connected to any name, address or other personal identifying information.
USE OF PERSONAL INFORMATION
The Morris Marina Owners Club processes personal information to:
- provide membership services. These include access to activities, information, advice and support for your MGs, access to a list of trusted suppliers for parts and services, details of and discounts on regalia, parts, consumables and services, discounted admission to Club events and many other shows and events during the year.
- send you the monthly Club magazine, Safety Fast! and the Trade Directory as a core part of membership.
- administer an event, contest, promotion, survey or other Club activity.
- support Club activities, including Registers of cars, and local Natters.
- process transactions.
It may also be used to:
- improve our websites (we continually strive to improve our website offerings based on the information and feedback we receive from you).
- improve customer service (your information helps us to more effectively respond to your customer service requests and support needs).
- send periodic communications relating to Club activities.
The email address you provide for order processing may be used to send you information and updates pertaining to your order, in addition to receiving occasional company news, updates, related product or service information, etc. After a transaction is completed, your financial information (credit cards, bank details, etc.) will not be retained on our servers.
For competitions, we will publish some of your information in the programme and the results, which will be in the public domain.
Your information, whether public or private, will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the purchased product or defined service.
Personal data is only kept as long as is necessary to provide the defined services.
The Morris Marina Owners Club may from time to time use your contact information to tell you about news or events run by the Morris Marina Owners Club or one of its Centres, Registers or Branches.
The Morris Marina Owners Club might disclose your information under strict terms of confidentiality and restriction of use to partners of the Morris Marina Owners Club who supply services on behalf of the Morris Marina Owners Club and who require to process personal data in order to provide such services. The Morris Marina Owners Club will not disclose any of your personal information to any other third parties without your express consent.
We may share your information with the Motor Sports Association as required by its General Regulations for governing motor sport, with other MSA registered Clubs, and with medical personnel.
We will not otherwise pass on your information to third parties except as far as is necessary for their requirement to check you are a member of the club to give you preferential treatment at your request.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety.
If you do not wish to have cookies placed on your computer you can disable cookies on your Internet browser. Turning them off, however, might mean that you will not be able to enjoy the Morris Marina Owners Club websites to their fullest.
Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
There are links to the Morris Marina Owners Club website on third party websites over which the Morris Marina Owners Club has no control. The Morris Marina Owners Club accepts no responsibility or liability for any third party practices on third party websites. The Morris Marina Owners Club advises you to carefully read third party privacy statements prior to use of their sites.
INTERNATIONAL TRANSFERS
The Morris Marina Owners Club will not normally hold or transfer data outside the European Union for any purpose. Data that includes the personal data of a single data subject may be so transferred only where the data subject has explicitly agreed to such transfer.
The Morris Marina Owners Club has security measures in place to protect against loss, misuse and alteration of your personal information under Morris Marina Owners Club control.
All supplied sensitive/credit card information is transmitted via Secure Sockets Layer (SSL) technology and then encrypted into our Payment gateway provider’s database, accessible only by those authorised to access such systems. However, no data transmission over the Internet can be guaranteed to be 100% secure and, whilst the Morris Marina Owners Club strives to protect your personal information, it cannot guarantee the security of any information you transmit, and you do so at your own risk. Once the Morris Marina Owners Club receives the transmission, it will use its best efforts to ensure its security.
SUBJECT RIGHTS AND ACCESS REQUESTS
You have a right to know about the personal information the Morris Marina Owners Club holds about you. You also have a right to have your data corrected or deleted. Please address all of your requests and/or queries about data held on you by the Morris Marina Owners Club to:
The Morris Marina Owners Club, 30 Knapp Lane, Cam, Dursley, Gloucestershire, GL11 5LT
Data Controller: A person who determines the purposes for which, and the manner in which, personal data is to be processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons.
Data Processor: A person who is responsible for processing personal data on behalf of a controller. The GDPR places specific legal obligations on the data processor; for example, they are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach.
Data Subject: This is the living individual who is the subject of the personal data (information).
Notice: The means by which a data subject is informed of what data is collected and for what purposes.
Under the GDPR every data controller who is processing personal information no longer needs to notify the ICO. However, the Data Controller must produce a Statement covering the same areas – including what personal data is collected, how it is processed, how it is secured, etc. It only shows the types of data being processed. It does not name the people about whom information is held. This statement must be available to the ICO on request.
Personal data: The GDPR applies to ‘personal data’ meaning any information relating to a living person who can be directly or indirectly identified, including by reference to an identifier which is in, or likely to come into, the data controller’s possession.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier. It applies to both automated personal data and to structured manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Processing: Processing means obtaining, recording or holding personal data or carrying out any operation or set of operations on personal data.
The GDPR enshrines a number of user rights over information about themselves that is held electronically and in structured paper records. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure, and the right to restrict processing.
If an individual wants to exercise their rights, they should write to the person or organisation that they believe is processing the data. A request must include enough information to enable the person or organisation to whom the user is writing to satisfy itself as to their identity and to find the information.
A reply must be received within 40 days. A data controller should act promptly in requesting any further information necessary to fulfil the request. If a data controller is not processing personal information of which this individual is the data subject, the data controller must reply saying so.