GDPR for Caving Clubs

The General Data Protection Regulation (GDPR) updates and replaces the Data Protection Act 1998. It comes into force on the 25th May 2018. Its primary aim is to give all EU residents control over their personal data, which is a good thing. It applies to all organisations based in the EU so it will create some work for caving clubs, which is not such a good thing.

The best source of information on the GDPR is the Information Commissioner’s Office (ICO) website at ico.org.uk. There are also many, many other articles out there if you Google for them. There is quite a bit to learn and understand.

Rather than summarising the ICO website I’ll attempt to describe the practical steps that a caving club should be taking to comply with the GDPR.

Research and Training

Learn about the GDPR. A good place to start is by reading the ICO’s guide GDPR: 12 Steps to Take Now, which can be found on the ICO web site.

The club will be heavily reliant on its officers and members to comply with the GDPR on an ongoing basis. Make sure they are up to speed with the policies, procedures and the dos and don'ts (see below).

Data Audit

This shouldn’t be too onerous for a typical club. Identify all the personal data the club holds and how/where it is stored. Personal data is any information about a living identifiable individual. Examples of personal data that a caving club might hold include contact details, email address, bank details, published articles, images on the website, Minutes, medical conditions, age, sex and caving experience.

For each type of data consider if you need it. If you don’t have good reasons then don’t collect and hold it.

For each type of data consider how long you need to keep it. For example, how long after a member leaves do you need to keep their details? Bank details, once copied into the banking website, should probably be destroyed.

For each type of data consider who needs to see it. If they don’t have a need then don’t send them a copy.

Information about a person’s ethnic origin, politics, religion, health, sexual orientation and a few other categories is regarded as more sensitive and must be treated with greater care. In the above examples, medical conditions would be included; sex, i.e. male or female, would not be. Unless you have a very good reason, consider deleting any data of this type.

The GDPR requires a legal basis for processing personal data to be identified. There are several bases. For caving clubs the ones that are likely to apply are consent by the person and the legitimate interest of the club. Other bases might include legal requirement and contract with the person.

Consent is given by the person to the club to allow the club to hold and process the person’s data. The club needs to be able to show that consent has been given. A good way is to have a statement on the membership application/renewal form to the effect of “By returning this form I consent to the information on it being used as described in the club’s Privacy Notice at [website address]”. Consent requires a clear affirmative action from the person to the club such as returning the form. Publishing the Privacy Notice and bringing it to the attention of the members is not enough. Alternatively consent could be given with an email from the member to the Secretary. There is more about the Privacy Notice below.

The corollary is that the person can withdraw consent. The club must have a procedure in place to deal with this. If they withdraw all consent then the level of service that the club can then provide to the person will most likely be severely limited.

Legitimate interest balances the interests of the club versus the rights of the person. For example the club could claim legitimate interest for any personal information contained within the Minutes and not have to redact it should the person withdraw their consent. Another example is retaining a person’s years of membership for historical reasons. It is important to realise that in some circumstances it is possible to hold and process personal information without consent.

Accountability and Transparency

There is a new requirement to be accountable. That means that not only should the club implement the GDPR but that it has to be able to demonstrate compliance. Chiefly that means the policies and procedures need to be documented. Producing the documentation is probably the most tedious part of implementing the GDPR.

There is a requirement for transparency about what the club does with personal data. This is largely fulfilled by publishing a comprehensive Privacy Notice. The Privacy Notice can then be challenged, giving the club the opportunity to defend its position or correct any poor practice. So for example if the club normally circulates the membership list to its members, that is fine so long as it is mentioned in the Privacy Notice and individual members are given the opportunity to opt out.

Privacy Notice

All the above comes together in the Privacy Notice. See the BCA Privacy Notice for an example. The Privacy Notice should set out:

  • The identity and contact details of the data controller. I.e. the club.
  • The purpose of processing the data. E.g. to provide membership services.
  • The legal basis of processing the data. E.g. consent or legitimate interest.
  • The type of data processed. E.g. contact details.
  • The retention period of data. E.g. member contact details are deleted 2 years after leaving.
  • Any third parties who might receive copies of the data. E.g. membership details to BCA.
  • Details of data transfers out of the EU and safeguards. This might occur using an on-line service based abroad.
  • A list of the 8 data subject rights. I.e. right to be informed, right of access, right of rectification, etc.
  • How to withdraw consent. E.g. write to the Secretary.
  • How to lodge a complaint. E.g. write to the Secretary.

Dos and Don’ts

An important aspect is to make sure that personal data is kept securely. If kept on a computer:

  • Use strong passwords. Don’t reuse passwords. Consider using a password safe.
  • Use 2 factor authentication where available.
  • Keep your anti-virus program up to date.
  • Keep your software patched and up to date.
  • Learn to avoid email scams and phishing attacks.
  • Switch on your firewall.
  • If kept on a portable device that can be lost, e.g. laptop, USB drive or smartphone, consider encrypting the files.
  • Don’t use public wi-fi to send unencrypted personal data.

Methods of transferring personal information such as a membership list:

  • Encrypt the file before attaching it to an email. Send the password separately.
  • Use a secure transfer site such as Dropbox. The key thing is that your browser shows httpS:// and not http://. The S stands for secure.
  • Old fashioned snail mail is regarded as secure, but the above methods using encryption are better.
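One way to carry out the first method above, encrypting the membership list with a passphrase before it is attached to an email (the same approach also protects a copy kept on a laptop or USB drive). This is an added example and not part of the original article; it assumes the `openssl` command-line tool is installed, that the passphrase is kept in a file with restricted permissions rather than typed on the command line, and the membership list is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt a membership list
# with OpenSSL before attaching it to an email. The passphrase is read from a
# file rather than the command line, so it does not show up in process
# listings or shell history. File names and sample data are constructed.
set -eu

# Write a small constructed membership list (fictional people) to "$1".
make_sample_list() {
  cat > "$1" <<'EOF'
name,email,joined
Alice Example,alice@example.org,2016
Bob Example,bob@example.org,2018
EOF
}

# encrypt_file PASSFILE IN OUT
# AES-256-CBC with a random salt and a PBKDF2-derived key (200000 iterations).
# Note: "openssl enc" gives confidentiality only; it does not detect tampering.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_file PASSFILE IN OUT: the recipient's side, same parameters.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass "file:$1" -in "$2" -out "$3"
}

# roundtrip_ok PASSFILE PLAINTEXT
# Succeeds only if: the ciphertext carries OpenSSL's "Salted__" header, no
# email address from the list is visible in it, and decryption restores the
# original byte for byte. Everything is done in a private temp directory.
roundtrip_ok() {
  dir=$(mktemp -d)
  encrypt_file "$1" "$2" "$dir/members.csv.enc"
  decrypt_file "$1" "$dir/members.csv.enc" "$dir/members.csv"
  ok=1
  [ "$(head -c 8 "$dir/members.csv.enc")" = "Salted__" ] || ok=0
  grep -q '@example.org' "$dir/members.csv.enc" && ok=0
  cmp -s "$2" "$dir/members.csv" || ok=0
  rm -rf "$dir"
  [ "$ok" -eq 1 ]
}
```

The recipient runs the same `openssl enc -d` command with the passphrase received over a separate channel, as the list above advises; the `.enc` file is what goes in the attachment.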

When sending emails to multiple recipients, such as for a Newsletter, send the email to yourself and Bcc everyone else. That way you won’t give away everyone’s email address.

Disclaimer

This article is not exhaustive but I hope I have covered most of the questions that caving clubs will need answering.

There are no professional qualifications in GDPR yet so the above is my view based upon a lot of research. It does not necessarily represent the view of BCA.

Feedback is welcome. Send your thoughts and comments to David Cooke

David Cooke
BCA IT Working Party Convenor