C3A data protection

The Data Protection Act obliges everyone to process personal data according to the law. Its aim is to balance the rights of individuals concerning how their information is processed with the legitimate needs of organisations to use that information.

As a not-for-profit organisation the C3A is exempt from registering, on condition that the processing of personal data is limited to:

Establishing or maintaining membership.

Providing or administering activities for the membership.

Information concerning current and prospective members.

The data held must be limited to that necessary to undertake the above, i.e. name, postal address, email address, telephone numbers, membership/renewal dates and identifiers.

Obligations under the Act

Although the C3A does not need to register, it must still comply with the other requirements of the Act and remains subject to penalties if offences occur. Most importantly, the processing should be in compliance with the Eight Data Protection Principles.

The eight data protection principles

Personal data shall be processed fairly and lawfully.
There must be legitimate grounds for holding the data. It must not be used in any unlawful ways and only in ways that individuals would reasonably expect, and the usage must not create any adverse effects for them. It is also important to make people aware of how the data will be used.

Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
In addition to following the first principle above, you must ensure that any new usage or disclosure of the data for any purpose other than that originally specified is also fair.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
You should hold the minimum amount of data required to fulfil your purpose.

Personal data shall be accurate and where necessary kept up to date.
This involves taking reasonable steps to ensure the accuracy of the data you collect.

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The purpose that the data is going to be used for should be considered in determining how long it should be retained for. The length of time that personal data is kept should be reviewed. Any information that is no longer required should be securely deleted. Information that goes out of date should also be updated, archived or securely deleted.

Personal data shall be processed in accordance with the rights of data subjects under this Act.
This covers an individual’s rights to have a copy of the information held on them, to object to any processing that would cause them damage or distress, to prevent usage for direct marketing, to object to decisions being taken by automated means (without human intervention), to have inaccurate data corrected and destroyed, and to claim compensation for damages caused by a breach of the Data Protection Act.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Consider the nature of the personal data that you hold and the harm that may result from a security breach when putting security arrangements into place. Both the physical and technical security arrangements must be fit for purpose and these should be backed up with robust policies and procedures. It should be clear who is responsible for safeguarding information security.

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Recommendations/advice for C3A members

Do not pass contact details of a member to anyone without the express written consent of that member.

Ensure the operating systems on your computers, tablets and mobile phones are maintained with the updates and patches provided by their suppliers.

Install and maintain internet security software to minimise the risk of viruses and other forms of malware infecting your computer.

When sending emails to multiple addressees use BCC (blind carbon copy) to protect the privacy of those email addresses and help prevent ‘spamming’.

Do not open email attachments from an unknown, suspicious, or untrustworthy source. If you’re not familiar with the sender, do not open, download, or execute any files or email attachments.

Do not open an email attachment unless you know what it is, even if it appears to come from a friend or someone you know. Some viruses replicate themselves and spread via email. Stay on the safe side and confirm that the attachment was sent from a trusted source before you open it.

Do not open any email attachments if the subject line is questionable. If you feel that the attachment may be important to you, always save the file to your hard drive before opening it.