Guernsey Pistol Club is committed to complying with data protection law and to respecting the privacy rights of individuals. The policy applies to all of the Club’s officers (directors, committee members, range officers, Secretary and Treasurer) and members.
This Data Protection Policy (“Policy”) sets out the Club’s approach to data protection law and the principles applied to processing of personal data. The aim of this Policy is to ensure that personal data is processed in accordance with the law and with care and respect. The Club is not required to appoint a Data Protection Officer (DPO). However, the directors have appointed the Secretary to be responsible for overseeing our compliance with data protection laws.
1. Status of this Policy and the implications of breach.
1.1 Breaches of this Policy will be viewed very seriously and may be dealt with as a disciplinary matter under the Club Rules. Officers and members must read this Policy and make sure they are familiar with it. A breach of Data Protection Laws or this Policy must be reported immediately to the Secretary. Such reports will be treated confidentially; and self-reporting will be taken into account in assessing how to deal with any breach.
1.2 Serious breaches could potentially result in criminal liability for individuals or the Club, or civil fines, claims for compensation and reputational damage to the Club.
2. Data protection laws
2.1 The Data Protection (Bailiwick of Guernsey) Law 2001 applies to any personal data that we process, and from 25th May 2018 this will be replaced by the Data Protection (Bailiwick of Guernsey) Law 2018 (“the 2018 Law”).
2.2 The Data Protection Laws require that the personal data is processed in accordance with the Data Protection Principles and gives individuals rights to access, correct and control how the Club uses their personal data. The Data Protection Laws are enforced by the Guernsey Data Protection Commissioner.
3. Key words in relation to data protection
3.1 Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into the Club’s possession). That personal data might be written, oral or visual (e.g. CCTV).
3.2 Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. a name or video footage) or might do so if taken together with other information available to or obtainable by us (e.g. a job title and company name).
3.3 Data subject is the living individual to whom the relevant personal data relates.
3.4 Processing: Virtually anything done with personal data is processing including collection, storage, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. The Club may process personal data using computers or manually by keeping paper records. Examples of processing personal data might include using personal data to correspond with members; holding personal data in databases or documents; and recording personal data in registers and files (electronic or hard copy) kept by the Club’s officers.
3.5 Data controller is the person who decides how personal data is used. The officers of the Club are data controllers in respect of personal data relating to members and others using the Club’s facilities.
3.6 Data processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an accountant instructed by the Club will be a data processor.
4. Personal data
4.1 Data will relate to an individual and therefore be their personal data if:
4.1.1 it identifies the individual: for instance, names, addresses, telephone numbers and email addresses;
4.1.2 its content is about the individual personally: for instance, their medical history, or contact details;
4.1.3 it relates to property of the individual;
4.1.4 it could be processed to learn, record or decide something about the individual (or this is a consequence of processing);
4.1.5 it is biographical in a significant sense, that is it does more than record the individual’s connection with or involvement in a matter or event which has no personal connotations for them;
4.1.6 it has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in;
4.1.7 it affects the individual’s privacy, whether in their personal, family, organisation or professional capacity, for instance, email address or location and work email addresses can also be personal data;
4.1.8 it is an expression of opinion about the individual; or
4.1.9 it is an indication of the Club’s intentions towards the individual (e.g. how a complaint by that individual will be dealt with).
4.2 Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
4.3 Examples of information likely to constitute personal data:
4.3.1 Unique names;
4.3.2 Names together with email addresses or other contact details;
4.3.3 Job title and employer (if there is only one person in the position);
4.3.4 Video and photographic images;
4.3.5 Information about individuals obtained as a result of Safeguarding checks;
4.3.6 Medical and disability information;
4.3.7 CCTV images;
4.3.8 Financial information and accounts (e.g. information about expenses and benefits entitlements, income and expenditure).
5. Lawful basis for processing
5.1 For personal data to be processed lawfully, the Club must be processing it on one of the legal grounds set out in the Data Protection Laws.
5.2 For the processing of ordinary personal data these may include, among other things:
5.2.1 the data subject has given their consent to the processing (for instance by their membership application form or in correspondence);
5.2.2 the processing is necessary for the management of the Club (for example, for processing membership subscriptions);
5.2.3 the processing is necessary for compliance with a legal obligation to which the data controller is subject; or
5.2.4 the processing is necessary for the legitimate interest reasons of the data controller or a third party (for example, keeping in touch with members, about access to club facilities, club activities and meetings).
6. Special category data
6.1 Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
6.2 Under Data Protection Laws this type of information is known as special category data and criminal records history becomes its own special category which is treated for some parts the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
6.3 To lawfully process special categories of personal data the Club must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:
6.3.1 the processing is necessary to protect the vital interests of the data subject, for instance in a situation where the data subject is at risk of serious harm or death;
6.3.2 the processing relates to information manifestly made public by the data subject;
6.3.3 the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
6.3.4 the processing is necessary in the interests of the safety of Club members or the public.
6.4 To lawfully process personal data relating to criminal records and history there are even more limited reasons, and the Club must either:
6.4.1 ensure that either the individual has given their explicit consent to the processing; or
6.4.2 ensure that processing of those criminal records and history is necessary under a legal requirement imposed upon the Club.
6.4.3 We would normally only expect to process special category personal data or criminal records history data in the context of health and safety requirements, concern about risk to the safety of Club members or the public, or safeguarding checks.
7.1 The main themes of the Data Protection Laws are:
7.1.1 good practices for handling personal data;
7.1.2 rights for individuals in respect of personal data that data controllers hold on them; and
7.1.3 being able to demonstrate compliance with these laws.
7.2 In summary, data protection law requires each data controller to:
7.2.1 only process personal data for certain purposes;
7.2.2 process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
7.2.3 provide certain information to data subjects – usually in the form of a privacy notice;
7.2.4 respect the rights of data subjects (including providing them with access to the personal data held); and
7.2.5 keep adequate records of how data is processed and, where necessary, notify the Data Protection Commissioner and possibly data subjects where there has been a data breach.
8. Data protection principles
8.1 The Data Protection Laws set out 6 principles for maintaining and protecting personal data, which form the basis of the legislation. All personal data must be:
8.1.1 processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met;
8.1.2 collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
8.1.3 adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
8.1.4 accurate and where necessary kept up to date;
8.1.5 kept for no longer than is necessary for the purpose (“storage limitation”);
8.1.6 processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
9. Obligations of Club officers
9.1 Treat all personal data with respect and as you would want your own personal data to be treated.
9.2 Take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals.
9.3 Immediately notify the Secretary if you become aware of or suspect the loss of any personal data or any item containing personal data.
10. Data subject rights
10.1 Under Data Protection Laws individuals have certain rights (Rights) in relation to their own personal data. In summary these are:
10.1.1 The right to access their personal data, usually referred to as a subject access request;
10.1.2 The right to have their personal data rectified;
10.1.3 The right to have their personal data erased, usually referred to as the right to be forgotten;
10.1.4 The right to restrict processing of their personal data;
10.1.5 The right to object to receiving direct marketing materials;
10.1.6 The right to portability of their personal data;
10.1.7 The right to object to processing of their personal data; and
10.1.8 The right to not be subject to a decision made solely by automated data processing.
10.2 The exercise of these Rights may be made in writing, including email, and also verbally and should be responded to in writing without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The individual must be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.
10.3 Where the data subject makes the request by electronic means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual.
10.4 If the Club receives the request from a third party (e.g. a legal advisor), steps must be taken to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.
10.5 There are exemptions or partial exemptions from some of these Rights, and not all of them are absolute rights.
10.6 Where an individual considers that the Club has not complied with their request, they can apply to the court for an order compelling compliance. The Court can also award compensation. They can also complain to the Guernsey Data Protection Commissioner (“DPC”).
10.7 In addition to the rights discussed in this document, any person may ask the DPC to assess whether it is likely that any processing of personal data has been or is being carried out in compliance with the privacy legislation. The DPC must investigate and may serve an “Information Notice” on the relevant data controller. The result of the investigation may lead to an “Enforcement Notice” being issued by the DPC. Any such assessments, information notices or enforcement notices should be sent directly to the Club Secretary from the DPC.
11. Notification and response procedure
11.1 If a Club officer or member receives a notice from someone seeking to exercise data subject rights, they must immediately pass the communication to the Club Secretary, by email to firstname.lastname@example.org.
11.2 The Secretary will respond in writing to the individual, explaining the legal situation and whether we will comply with the request, as is appropriate to the nature of the request.