As with many other organisations, Ulster Reform Club, hereinafter known as “the Club”, must hold and process some personal data to enable us to run the Club and provide the services required.
We take this responsibility seriously.
Ulster Reform Club is a private Members’ Club operated under the auspices of the Registration of Clubs Regulations (NI) Order 1997. Our Members and their Guests come together for a variety of reasons. It is our basic assumption that you wish to participate in, or be informed about, all of the activities that take place in an organisation such as the Club.
Constitution & Rules – Fundamental Objects and Principles –
“ To promote social intercourse among the Members “
We have used this understanding to guide our policy.
Under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018, we are required to explain how we will hold and process your data.
For simplicity, we will refer to both as the Data Protection Regulations (DPR).
Most of the new laws build on the law as at April 2018 and reflect changes in practice and technology.
3. DATA COLLECTION
What data do we need or collect, and how will we use it?
Under the DPR we must advise you of:
- The types of data that we collect.
- How we process it.
- How long we will keep it for.
- Your rights under the new laws. Under the law you are known as the Data Subject.
7. THE CLUB'S LEGAL BASIS
Our basis for holding and processing your data
The data that we hold about you, belongs to you.
Under the DPR, we must establish a lawful basis for holding and processing your data.
There are a number of bases available to us and we can use any combination of them.
Of the 6 major categories, we will rely on 3:
|Contract||For you to access the services provided by the Club, we must hold and process your details. For example, membership renewals, AGM notifications, booking confirmations etc.|
|Legitimate Interest||The Club might have to process personal data for other reasons. We will assess the need for this against the Data Subjects’ rights before proceeding.|
|Legal||To comply with our legal requirements.|
|Consent||You may withdraw your consent from general purpose electronic marketing only.|
11. DATA SUBJECT RIGHTS
We must demonstrate why we are holding and processing your data.
We should not hold or process your data if it is reasonably possible to achieve our purpose by any other means.
The following summarises your rights.
|Right of||What you can ask for||Our obligation|
|Access||You can ask us to confirm the details that we hold about you and why||We are not always obliged to comply|
|Rectification||You can ask us to rectify a mistake||We are not always obliged to comply|
|Erasure||You can ask us to erase / forget your data||We are not always obliged to comply|
|Object||You can object to our holding your data||We are not always obliged to comply|
|Portability||You can ask us to provide you with an electronic copy of your data||Only the data that you provide to us and we process electronically|
18. DATA CONTROLLER
If you wish to exercise your rights
If you wish to exercise any of these rights, you should contact the Data Controller.
Ulster Reform Club
12. REFUSAL TO COMPLY
Refusal to comply
In general, where we do not comply with your request, we must provide you with an explanation.
Under limited circumstances, we can charge a fee for some requests.
Where we feel some types of request are unfounded or excessive, we can request a payment that covers our administrative costs.
We do not have to respond to your request until that fee has been received.
Under normal circumstances, we must respond promptly, but within one calendar month.
In some circumstances, where your request is complex or large, we can take more time. (Up to two months.)
You have the right to complain
If you are dissatisfied with our decision or response, the length of time we take or the decision to charge a fee, you have the right to complain to the Supervisory Authority and also to a judicial review.
21. OUR EMPLOYEES
Our Employees have the same rights under the DPR, and are also Data Subjects.
As your employer we will collect, source and generate a quantity of personal data about you.
Most of this data is to allow us to comply with our contractual and legal obligations.
We will also have legal and legitimate interests in collecting data for appraisals and performance monitoring, and health and safety obligations.
We have provided more information about your personal data in the full policy document.
1. Key Terminology
Ulster Reform Club, hereinafter known as “the Club”.
Data Subject – The natural person whose data we are collecting and processing.
Data Processing Regulations (DPR) – The General Data Protection Regulations and the Data Protection Act 2018.
Data Controller – The position within the Club who is responsible for DPR matters.
Supervisory Authority – The organisation responsible for enforcing the law. Currently the Information Commissioner’s Office (ICO).
Lawful Basis – The basis on which the Club holds and processes the Data Subject’s data.
Consent – Consent has a specific meaning within DPR and refers to a lawful basis.
EEA – European Economic Area.
2. Scope of this policy
- This policy is based on the Club’s interpretation of the Information Commissioner’s Office guidelines.
- In drafting this policy, we have taken into account the objectives of the Club and what might reasonably be expected of the Club.
- As of April 2018, elements of the DPR are still being finalised, as is the specific advice of the ICO.
- As the requirements of the Club, law, interpretation or guidance changes, we will revise the policy as required to remain within the DPR.
3. Data Collection
- Personal Data - This includes: names; addresses; job titles; email addresses; telephone numbers (mobile phone, home phone and office); dates of birth; gender; marital status; NI number and next of kin (for staff) or any other data that we might require or might be required to collect by law.
- From third parties - If we collect personal data from other sources, we will inform you within 1 calendar month.
- Sensitive Data - The DPR defines sensitive data as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data relating to health or sex life, sexual orientation. The Club does not hold or require any of this data about members. The Club might be required to collect some of this data to meet its obligations under Fair Employment or other employment legislation. Where this is required, the Club will comply with the appropriate requirements for privacy.
- Website or other network usage - Information about Data Subject’s computers, and about their, or other third-party, visits to and use of the Club website (including IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths).
- Communication preferences - Information that Data Subjects provide to the Club for the purpose of subscribing to the Club’s email notifications and/or newsletters and/or events (including Data Subjects’ names and email addresses).
- Other media - Photographs, video, CCTV and audio either provided by the Data Subject or available on open sources to enable identification or for use in the Club’s publications, website or Social Media. Other media will also be used as defined in 10. Photography and 15. Security below.
- Miscellaneous - Any information that the Data Subject provides or can be generated in the course of using any of the Club’s services. This includes, but is not limited to timing, frequency and pattern of use.
4. How the Club will use personal data
- The Club complies with its data protection obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
- The Club uses the information it collects about Data Subjects:
- To process membership applications.
- To make contact about subscription renewals.
- To administer membership.
- To process membership fees.
- To keep Data Subjects informed of Club activities.
- To assist in security.
- To identify Data Subjects.
- To ensure the efficient and effective administration of all staff members, including paying their wages and salaries.
- To support the range of services that the Club offers members or may be asked by members to provide.
- Interact effectively with suppliers.
- We might find that we have to process your data in other ways. Before proceeding, we will establish if we have a legitimate interest in doing so.
- In providing service or support to the Club, our suppliers might have limited access to personal data. We will only work with suppliers that have DPR policies in place.
5. Committee and member access to personal data
- Members will have access to their own data as described in 11. Data Subjects’ Rights.
- Where a member wishes to contact another member, The Club will not share those details until receiving permission from that member.
- The Club is administered by several committees. The members of these committees will have access to Data Subjects’ personal data as required to fulfil their function.
- Committee members will not retain data longer than is necessary and will return or destroy the data when no longer required.
6. Retention of personal data
- Members. The Club will retain basic personal data of members if their membership has ended in case they should re-apply.
- Employees. The Club will hold personal data for as long as is required by law or where we have a contractual or legitimate interest.
- Others. The Club will hold data for as long as is necessary to meet legal, contractual or other necessary requirements.
- Because of the Club’s historical significance, it reserves the right to transfer records, photographs, etc. to the Public Records Office or National Museums Northern Ireland.
7. The Club’s legal basis for processing
Under DPR, we must declare the basis on which we hold and process personal data.
We will keep this under review.
If we change the basis under which we hold and process your data, or if we determine a new legitimate interest, we will inform you about this if we feel it significantly affects your rights.
- Contract - To administer memberships, take payments, event bookings etc.
- Legitimate Interest - There will be occasions when the Club determines that it is within its legitimate interest to process your personal data for other purposes. In deciding this, the Club will consider what you would reasonably expect, and the impact it would have on your personal privacy.
- Legal – To meet its legal obligations, the Club must retain and process personal data.
- Consent – For the purposes of general electronic marketing, you may withdraw your consent.
8. Sharing Information
Personal data will not be shared with any other organisation or with third parties unless there is a legal requirement or legitimate interest do so.
For example, a booking with a reciprocal club, an activity with an outside organisation, e.g. golf day, servicing our IT systems.
These organisations will be required to destroy this data when no longer required and/or to have an appropriate DPR policy in place.
9. Transfer of Data
- The Club might transfer some of your personal data outside the EEA. If this happens, the Club will only work with organisations that comply with our legal and contractual requirements.
- In the event of a legal reorganisation or other restructuring, the Club will transfer your personal details to the new entity or entities.
As a social venue, the Club makes extensive use of photography to record and report on events.
It is not practical to ask permission from every attendee to an event if we can use their image.
Where images are used on the Club website or Club publications, we will ask for the permission of those in the photographs etc.
We will not seek permission to use photographs on the Club’s private Facebook page.
The Club will comply with the law in respect of children.
11. Data Subjects’ Rights
Unless an exemption applies, Data Subjects have the following rights.
- You have the right to be informed that the Club is collecting your personal data.
- You have the right to access your data to verify accuracy and the lawfulness of processing.
- The following is a summary of your rights in respect of each of the lawful basis used by the Club.
- Erasure – You have the right to request erasure of data that is no longer required by the Club, is no longer legally required or for which the Club has no legitimate interest. This might not always be technically possible and the Club will take reasonable steps to remove, restrict access to or obfuscate the data that remains.
- Object – You can object to our legitimate interest. In assessing your objection, we must consider our legitimate interest, if there is another reasonable way of achieving our interest and if it is necessary. We must balance this interest with your privacy and interests. We can refuse to comply with the request.
- Rectification - Where you believe the data we hold is incorrect or inaccurate, you can ask us to rectify it. We can refuse to comply with the request. It is important that we maintain accurate records. Where we believe the issue is not detrimental to the Data Subject or is too expensive to rectify, we can refuse to comply with the request.
- Portability – You can request an electronic copy of your records. We only have to supply the data that you have provided personally and that we process electronically. We will do this in the form of a CSV file.
- Consent – you may withdraw your consent for the purposes of general e-mail marketing. All other data processing is covered by other legal bases.
- Data Subjects do not have unrestricted rights to access, erasure, rectification, objection, restriction or portability.
|Legal Basis||To Erasure||To Object||To Rectification||To Portability|
|Consent||You can withdraw||✔|
12. Refusal to comply, Fees and Timing
- Our current policy is based on the ICO guidelines as at April 2018. We will follow the ICO guidance in place at the time of your request.
- There are occasions when we can refuse or reject your request. We will always give you a reason for our decision. You can complain to the ICO if you disagree.
- Refusal – We can refuse to comply with some requests that are unfounded or excessive. We must judge every request individually.
- Fees – We can only charge administration fees for requests that we believe are unfounded, repetitive or excessive. You can complain to the ICO if you disagree.
- Where we decide a fee is appropriate, we must advise you of this within one calendar month.
- We are not required to process your request until we have received your payment.
- Timing – All requests must be responded to as quickly as possible, but within one calendar month.
- Where a request is complex or large, we can take an additional two months to reply. We can also ask you to be more specific. We will advise you of this within one calendar month.
This table gives a summary of what the Club is allowed to do:
|Can refuse to comply**||Yes||Yes||Yes||Yes||Yes||Yes|
|Time to respond||1 CM||1 CM||1 CM||1 CM||1 CM||1 CM|
|Extension allowed***||2 CM||2 CM||2 CM||2 CM||2 CM|
* The right to Object is for Legitimate Interest or Direct Marketing only. At present, we have no guidance on Fees or Timing.
As at April 2018, we will respond to the Objection within 1 calendar month or immediately for Direct Marketing
** When unfounded, repetitive or excessive
*** When large or complex
It might be necessary to ask you for proof of identity before we can release the response to your request.
You can complain to the ICO if you disagree.
14. Cookies and Internet Privacy
Cookies are small files that websites place on your device. They are a common feature of websites and can be used for many different purposes.
- Assist with browsing the site.
- Collect statistics about usage of the site to help us understand how the site is used and how we might improve it.
- By not accepting Cookies, you might affect the functionality of the site and this might affect your overall experience.
The Club will take reasonable technical and organisational precautions to prevent the loss, misuse and alteration of personal data. Additionally:
- The CCTV system on site has been installed for the purposes of detecting crime, vandalism and to control access to the premises. The system operates from a series of cameras located throughout the premises connected via hard wiring back to a digital video recorder. The digital video recorder stores the recorded information on internal hard drives which are overwritten automatically once the HDD capacity has been reached. The maximum period that recorded images are stored on the digital video recorder is 30 days. The system is owned and operated by the Club and maintained by a NACOSS Gold approved company.
- The Club will take reasonable steps to ensure the security of all electronic personal data. Paper records containing personal data will be retained securely and will be disposed of in a secure way when no longer required. Documentation detailing personal data and staff records are kept in locked filing cabinets. IT equipment containing personal data is kept in a locked room or cupboard when not in use, all within the Clubhouse.
16. Personal Data Breach
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In the event of a Personal Data Breach, the Data Controller will advise the Information Commissioner within 72 hours of the occurrence of a personal data breach, examples would include being hacked or files containing personal information left on public transport which present a risk to the rights and freedom of the Data Subject. Anyone becoming aware of such a breach must immediately refer to the Data Controller bearing in mind the 72-hour deadline.
17. Changes to this Privacy Notice
This privacy notice is regularly reviewed and may be updated from time to time. When it is updated, the updated version will be placed on the website and, if the changes are significant, the Data Controller will bring it to your attention by e-mail or in the next post mailing.
18. Data Controller
The Club has appointed the Accounts Manager as the Data Controller
If you have any questions you can contact the Data Controller at:
The Accounts Manager
Ulster Reform Club
4 Royal Avenue
Telephone : 028 9032 3411
E-Mail : firstname.lastname@example.org
19. Data Protection Registration
The Club is registered with the Information Commissioner’s Office, registration number ZA337767.
20. Information Commissioner’s Office
The Club will try to resolve any complaint about how your personal data is used, but if you are not satisfied with our response you have the right to lodge a complaint with the Information Commissioner’s Office whose contact details are as follows:
Information Commissioner’s Office
Telephone – 0303 123 1113 (Local Rate) or 01625 545 745
Website – https://ico.org.uk/concerns
21. Our Employees
- As your employer, the Club will collect the personal data that we need to manage your employment with us.
- We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.
- This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of the Club and protect our legal position in the event of legal proceedings.
- If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
- Most of the data that we hold about you will have been provided by you. Some might come from other sources such as your line manager or a referee.
- We would hold detail such as your application form and references, contract of employment and any amendments; correspondence with or about you, for example, about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; information needed for equal opportunities monitoring policy; and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records
This list is not exhaustive.
- In the course of our day to day activities, some of your details will be referred to in documents etc. created by you, or other members of staff.
- Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay.
- We will only process special categories of information if we are required to do so by law or to meet some contractual obligation to you. These include, your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation.
- As per your employee handbook, we monitor computer, e-mail, internet and phone usage.
- We will only disclose your details to a third party to meet our contractual obligations to you, where we are legally required to do so or where we have a legitimate interest. This does not restrict your right to ask the Club to release personal details on your behalf, for example to support a mortgage application.
- In the event of a legal reorganisation or other restructuring, the Club will transfer your personal details to the new entity or entities.
This policy was approved by Management Committee on Wednesday 2nd May 2018 and is subject to amendment and alteration at any time.
Signed on behalf of Management Committee
John L Leckey