Data Protection - a problem for caving clubs?

kay

Well-known member
The General Data Protection Regulation which comes into effect in May 2018 requires organisations to state clearly how they obtain, store and process information on individuals, how individuals can check it and rectify it, and so on. There is a guide here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

It looks like it covers all organisations, and I can't see any obvious exemption for just keeping an address list. It seems to suggest that each organisation should draw up a document saying how they process and store data, who is able to see it, on what legal basis it is collected, and how an individual can withdraw consent and have their information removed from the list.

Does anyone know whether this is something caving clubs should be dealing with? If it is, what have clubs done so far?
 

alastairgott

Well-known member
Subsection 18 of the regulations states:
(18)  This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(personally I think we sit in a personal or household activity, but am aware that we already have data protection laws enshrined in UK law, so we don't need this EU stuff :read: :mad: ).

(source for subsection 18 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN )

UK law can be found here https://www.legislation.gov.uk/ukpga/1998/29/contents

The meaning of Domestic in UK law can be found below and includes Recreational, but I'd be careful: you should probably be mindful of Data Protection anyway in the course of activities. It's not onerous and you don't need to explain how you're obtaining, sourcing and processing information, as most is self-explanatory, i.e. direct from the individual, maintained while they are a member, deleted 3 years after they are a member. (or something like that!)
https://www.legislation.gov.uk/ukpga/1998/29/section/36
 

Cave_Troll

Active member
Once you start holding lists of other people, their address, BCA number, DOB, NOK for a club then I don't think it's "personal use"

+ Take reasonable care to protect that information against unauthorised usage. Including things like "does the tackle officer need to have access to the bank account records of members"

+ Have a statement of what data you hold and why and whether it is relevant. E.g. you may have a reason to hold NOK data, but have no need to record the bra size of your members

+ Have a statement of who you share your data with and why. E.g. insurance with BCA, and not sharing the information with a caving shop to email your members a discount card without your members' permission

+ Have a procedure in place in case someone falls out with your club and wants to a) delete their data and b) make problems for you by proving you have no such policy and procedure
 

kay

Well-known member
Ian Ball said:
In May does the GDPR law supersede that UK law from back in 1998?

Not so much supersede as add to it, i.e. the law will be the 2018 stuff plus anything from the previous law that hasn't been specifically changed or revoked, or so I understand it. (I'm not an expert)
 

kay

Well-known member
No, I don't think caving club activity is "personal use" either, especially as they qualify it by saying "personal or household use". Your Christmas card list is your own private list of contacts, but if you are a club secretary holding a list of club members, that isn't personal - when you hand over the secretary-ship, you hand over the list too.

Cave_Troll is right, except that the new guidance says you must also state under what legal basis you have acquired the information, eg to carry out "legitimate interests", or by personal "consent". The basis on which you acquire the data determines what right individuals have over the information, and the ICO take a dim view of your changing legal basis mid-stream, so it's important to get that bit right.
 

Ed

Active member
Most clubs are charities / companies limited by guarantee etc. so this new legislation does apply to them.
 

SamT

Moderator
Is there not a Daily Mash headline to be had here....

"Concern as reports come through that hackers have managed to gain access to cavers details".

Literally 10s of cavers email addresses and phone numbers have been stolen by hackers.

Trevor 'the beard' Cooper of Ingleton said "I'm just worried now that I'm going to get ever increasing levels of spam from the likes of Inglesport and Starless River. They might even have my BCA number. I'm really left with no choice now but to sue my club as it's clear their data protection was woefully inadequate. I'll certainly be taking it to the highest courts in the land, mind you, I am the treasurer so I'm aware they've not got two pennies to rub together and the whole exercise is petty and pointless."

etc etc

 

Cookie

New member
Ed said:
Most clubs are charities / companies limited by guarantee etc. so this new legislation does apply to them.

This statement is false.

There is an exemption for some not-for-profits to registering with the ICO. However the act still applies whether you are registered or not.

As SamT points out, you need to keep a sense of perspective.

If you use your common sense and think how would I want my personal data treated, then you won't go far wrong.
 

Cave_Troll

Active member
Sorry, yes, I missed a few points.
I emailed them to Cookie, but can't find those emails right now to add to the list....

Some charities have been prosecuted under current legislation for selling lists of their donors to other organisations or not protecting their membership lists.
It's unlikely that caving clubs will be targeted for an audit by the ICO, but all it takes is for there to be an argument in your club and one annoyed (soon to be ex-)member reports the club out of revenge on the basis that "they don't have any policies in place to protect my data - in fact they've just buried their heads in the sand".

If you can show that you've spent a bit of time thinking about it and have policies to cover the points I made, you'll probably have at least half a legal leg to stand on.

Like most EU legislation it's mostly about bringing everyone up to the same standard. The UK was mostly there, but there is an increase in the punitive measures that can be taken that are scary and are making a lot of people worried on one hand and setting up an "expert consultancy" on the other.

 

ZombieCake

Well-known member
Don't forget that as well as electronic records (inc. e-mail), GDPR applies to paper records, film, photos, digital images, other identifiers such as IP addresses, or any other info that could be linked to identify a person, etc. This is due to a wider-ranging definition of personal data and identifiers. So don't put unencrypted data on the internet, or posters of members' names, addresses and phone numbers in the clubhouse!
The general principles of the previous DPA have been tightened up a little too. There is also a new clause about the right to be forgotten.
As mentioned before, the ICO is unlikely to be kicking in the doors of caving clubs as soon as GDPR becomes law, but if there was an incident and complacency or irresponsibility could be shown, for example, then there could be an issue. The £17m or 4% of turnover fines are likely to be the preserve of the larger companies who are reckless with information. Still, any action against a club or individual would have some impact.
It also covers non-UK held data. (Who knows where all the stuff Facebook has on you is stored or who it's been sold to....)
Also a breach has to be reported to the ICO within 72hrs (weekends and bank holidays included). This would mean that the recent case of Uber having its data hacked and then trying to cover it up by paying off the criminals involved would be investigated far sooner. As mentioned by others, some large charities were also fined recently for selling data to anyone!
As others have mentioned, if clubs have been savvy enough to comply with current legislation then a policy review, a double check on usage, and an update of the policy may well suffice.
 

cap n chris

Well-known member
Literally pooping as I type, not.
 

caving_fox

Active member
This would be a useful topic for the BCA to issue guidance to clubs. Maybe even with a set of standard forms. I'm sure* all the larger clubs that are set up as charities etc. will have someone aware to consider this, but most of the clubs are small groups of friends and it won't have ever been considered.

*not really
 

alastairgott

Well-known member
I've been informed that this is something that the UK Government wants to bring into force.

Does anyone know what date it's going to come into effect? The only information I can find is that it's sitting with the House of Lords at the moment.

https://www.gov.uk/government/collections/data-protection-bill-2017

GOV UK said:
Data Protection Bill 2017

From: Department for Digital, Culture, Media & Sport. Published: 14 September 2017
The Data Protection Bill will update data protection laws for the digital age and was introduced to the House of Lords on 13 September 2017
 

alastairgott

Well-known member
I've got the date now, 25th May 2018.
https://www.gov.uk/government/publications/cmr-bulletin-33/cmr-bulletin-33

I'll retract my anti EU Punch and Judy. Sorry if they caused offence.

alastairgott said:
so we don't need this EU stuff :read: :mad: ).
 

Cookie

New member
For companies it is a pain in the neck but as an individual I'm quite pleased that there is legislation to make them take care with my personal data.
 

Mike Hopley

New member
Cookie said:
For companies it is a pain in the neck but as an individual I'm quite pleased that there is legislation to make them take care with my personal data.

Indeed.

As the owner of a web-based business, I'm in the odd position of agreeing with the rules but wishing I didn't have to implement them (because hassle). ;)
 