Aims, Coverage and Designated Responsibilities
This Policy is intended to ensure compliance with the Data Protection Acts 1998 and 2018 (including the EU General Data Protection Regulation 2016/679). It also sets out how personal data should be processed, how it is accessed and used, how long records are retained and the decision-making process for transferring records to the Society Archive.
All members of The Spitfire Society are responsible for maintaining compliance with the Policy regardless of role or location. Contractors who process or hold personal data on behalf of the Society will also have to comply with this Policy.
- Vice-Chairman - Data Controller & Senior Information Risk Owner: has overall responsibility for Data Protection & Records Management.
- Treasurer - Data Protection Officer and Archivist.
- Membership Secretaries - Data Processor and Records Manager.
Legal Justification for Processing and Retaining Personal Data
- Members of the Society actively consent to their personal data being processed on joining or renewal; this is highlighted in a privacy notice included in joining forms, publications and the website.
- The Society will process personal data in relation to contracts and other legal agreements as required in pursuit of our charitable objectives.
- As a charity the Society has to comply with the Charities Act 2011 which requires us to account for the sources of income and destination of expenditure, thus the processing of personal data complies with this requirement.
- The Society will process and retain personal data in accordance with its objectives: (a) To advance the education of the public and conduct research into all matters relating to the Vickers Supermarine Spitfire and Seafire and the designer thereof, R J Mitchell, and to publish the useful results of such research. In furtherance of the above objects but not otherwise the Society shall have the following powers: (i) To collect and disseminate information in all matters affecting such objects. (ii) To hold or arrange for the holding of exhibitions, meetings, lectures, classes, seminars or training courses.
Processing of Data
- Data processing consists of members sending their personal data via the Society website, email or through the post to the Membership Secretaries. Personal data via the website will be retained within the content management system and the Society’s PayPal account. All membership forms are kept in hard copy by the Membership Secretaries and details entered into a spreadsheet saved on the Society’s laptop.
- The Secretary, or in their absence the Treasurer, will process and retain contracts and other legal agreements between the Society and third parties. Where possible, electronic copies will be kept on cloud storage.
- Donations and merchandise payments received are all processed electronically and are recorded in the Society PayPal account and the cash flow spreadsheet, with copies of relevant records kept in cloud storage. Expenditure is handled in the same way as donations, except where cheques are issued; these are held by the Treasurer.
Automated Decision Making
- The Society employs no automated decision making with regards to the processing or retention of personal data.
Retention of Records
- Membership forms and associated personal data will be reviewed for retention two years after the person leaves. Decisions on further retention will be based primarily on historical interest; as a secondary consideration, they will be governed by legal or governance issues.
Contract, Legal Agreement & Financial Records
- The Society is legally required to retain these records for a minimum of six financial years after the financial year they relate to.
- Permanent retention of records selected for the Archive. This is justified by our legitimate interest in processing this data and our charitable objectives. A catalogue of the Archive holdings will be made available on the Society website.
Legal Rights of Data Subjects
Subject Access Requests
- A Data Subject has the right to make a subject access request in writing to the Society regarding records the Society holds about them. The Society will require two proofs of identity, one of which must be photographic (e.g. a passport) and the other a proof of address such as a bank statement. The Society is required to respond within thirty days of the request, either with a response stating that no records are held or by providing electronic copies in a format to be agreed with the requestor. The Society reserves the right to redact information concerning third parties and to reject requests that would be excessively costly. The Society will not charge for subject access requests.
Amendment or Erasure
- Requests for amendment of current membership data will normally be carried out within 30 days of receiving a written request. Requests for erasure will be reviewed on a case by case basis. If it relates to Archive Records we won't erase the Record but will place a note alongside it to reflect any objection received.
Data Protection Act Complaints
- In the first instance please contact the Data Protection Officer and they will review your complaint and respond within 30 days.
- If the Society doesn’t address your complaint satisfactorily, you can ask the Information Commissioner’s Office to investigate by calling 0303 123 1113 or via its website.
Privacy Impact Assessments
The Society will undertake a privacy impact assessment before making any changes to the processing, use or disclosure of personal data within the Society or to third parties.
Disclosure of Personal Data
Subject Access Requests by Authorised Bodies
- The Society may receive requests for the disclosure of personal data from the Police or other authorised bodies. Such requests will be reviewed on a case-by-case basis.
Provision of contact details to Society roundel coordinators & international representatives
- Contact details for members will be made available to roundel coordinators and international representatives for the purposes of Society administration. This will be done using the minimum of personal data and only using Society email addresses for sending and receiving. No personal data will leave the UK or the European Union Area but can be accessed by the respective international representatives.
Sale or transfer of personal data to third parties for commercial purposes
- The Society will not disclose personal data to third parties unconnected with the administration of the Society.
Breaches of the Data Protection Act
- A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Actions to be Taken
- On becoming aware of a personal data breach please inform the Data Protection Officer or a member of the Executive Committee as soon as possible.
- The Data Protection Officer will conduct an investigation and determine whether the Information Commissioner’s Office needs to be informed; any such notification must be made within 72 hours of the Society becoming aware of the breach.
- Whether the ICO must be notified will depend on whether the breach involves any of the following circumstances:
- “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
- The Data Protection Officer and the Executive Committee will need to undertake actions to mitigate as far as possible the effects on the individuals concerned. We’re also required to inform the individuals concerned of the incident and the actions taken to remedy the matter.
- Even if the breach doesn’t require ICO notification, the Data Protection Officer will need to document the incident and provide justification for not reporting the breach.
Communications by Society representatives
- Please use the Society email account to communicate with members and externally. These emails form part of the records created by the Society and belong to it, providing legal and historical evidence of actions taken and decisions made. Emails sent and received fall within the scope of subject access requests, so using the Society account makes such requests easier to process and avoids intruding on your personal business, which could happen if you had to disclose emails from your private email account. Using the Society account also presents a professional approach to members and external contacts. When sending emails to a large number of recipients, please put the email addresses in the blind carbon copy (bcc) field so they are not disclosed to other members.
- If your Roundel has a bank account, please inform the Society Treasurer so they are aware; the Treasurer will also need to be placed on the account mandate. The Society is required to submit bank statements, invoices/receipts and a spreadsheet detailing how income was obtained and how money was expended during the financial year (Jan-Dec) to the Society accountants so they can produce an annual report and accounts for approval at the AGM and submission to the Charity Commission. We’re legally required to retain these records for a minimum of six financial years after the financial year they relate to.
- It is important to retain these records both as legal evidence of governance and for potential future retention within the Society’s Archive. For a full list of records and their retention periods, please see the retention schedule in Appendix A.
Disposal of Records
- Records containing personal information which are selected for disposal should be disposed of in a confidential manner. This may include shredding of paper or compact discs, destruction of digital drives, or use of a confidential waste company. Please contact the Data Protection Officer if you require advice on the subject. A record should be kept of the records disposed of, along with the date of destruction and the justification.
Appendix A: Retention Schedule
| Type of Record | Retention Period | Retention Action |
|---|---|---|
| Agendas & Minutes of Executive, Regional & Roundel Meetings | 10 years | Transfer to the Society Archive. |
| Contracts & Legal Agreements & Records | 10 years | Transfer to the Society Archive. |
| Financial Records including bank statements, invoices & receipts | Minimum of six financial years after the financial year they relate to | Destroy confidentially. |
| Complaints | 10 years | Review & retain if litigation may occur or the complaint relates to child safeguarding issues. |
| Membership Records | 2 years after the member leaves the Society | Review & retain if of continuing legal or historical interest. Otherwise the records should be destroyed in a confidential manner. |
| Disposal Register | Permanent | Transfer to the Society Archive. |
| Publications & Newsletters | Permanent | Transfer to the Society Archive. |
| Photographs & Film footage | Permanent | Transfer to the Society Archive. |
| Websites & Social Media content | Annually | Copies of content should be transferred to the Society Archive. |