C3A data protection
The Data Protection Act obliges everyone to process personal data according to the law. Its aim is to balance the rights of individuals concerning how their information is processed with the legitimate needs of organisations to use that information.
As a not-for-profit organisation the C3A is exempted from registering on the conditions that the processing of personal data is limited to:
Establishing or maintaining membership.
Providing or administering activities for the membership.
Information concerning current and prospective members.
The data held must be limited to what is necessary to undertake the above, i.e. name, postal address, email address, telephone numbers, membership/renewal dates and identifiers.
Obligations under the Act
Although the C3A does not need to register, it must still comply with the other requirements of the Act and remains subject to penalties if offences occur. Most importantly the processing should be in compliance with the Eight Data Protection Principles.
The eight data protection principles
Personal data shall be processed fairly and lawfully.
There must be legitimate grounds for holding the data. It must not be used in any unlawful way, only in ways that individuals would reasonably expect, and the usage must not have any adverse effects for them. It is also important to make people aware of how the data will be used.
Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
In addition to following the first principle above, you must ensure that any new usage or disclosure of the data for any purpose other than that originally specified is also fair.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
You should hold the minimum amount of data required to fulfil your purpose.
Personal data shall be accurate and where necessary kept up to date.
This involves taking reasonable steps to ensure the accuracy of the data you collect.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The purpose that the data is going to be used for should be considered in determining how long it should be retained for. The length of time that personal data is kept should be reviewed. Any information that is no longer required should be securely deleted. Information that goes out of date should also be updated, archived or securely deleted.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
This covers an individual’s rights to have a copy of the information held on them, to object to any processing that would cause them damage or distress, to prevent usage for direct marketing, to object to decisions being taken by automated means (without human intervention), to have inaccurate data corrected and destroyed and to claim compensation for damages caused by a breach of the Data Protection Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Consider the nature of the personal data that you hold and the harm that may result from a security breach when putting security arrangements into place. Both the physical and technical security arrangements must be fit for purpose and these should be backed up with robust policies and procedures. It should be clear who is responsible for safeguarding information security.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Recommendations/advice for C3A members
Do not pass contact details of a member to anyone without the express written consent of that member.
Ensure the operating system on your computers/tablets/mobile phones is maintained with the updates and patches provided by its supplier.
Install and maintain internet security software to minimise the risk of viruses and other forms of malware infecting your computer.
When sending emails to multiple addressees use BCC (blind carbon copy) to protect the privacy of those email addresses and help prevent ‘spamming’.
Do not open email attachments from an unknown, suspicious, or untrustworthy source. If you’re not familiar with the sender, do not open, download, or execute any files or email attachments.
Do not open an email attachment unless you know what it is, even if it appears to come from a friend or someone you know. Some viruses replicate themselves and spread via email. Stay on the safe side and confirm that the attachment was sent from a trusted source before you open it.
Do not open any email attachments if the subject line is questionable. If you feel that the attachment may be important to you, always save the file to your hard drive before opening it.