Our Director with Senior Information Rights Owner responsibility is Elaine Wein, and the Data Controller/Information Security Manager is David Brown.
This policy was approved at the Directors Meeting dated 24/04/2018 and will be reviewed annually.
The purpose and objective of this policy is to protect CTGA’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise damage and maximise the success of our association while meeting legal requirements for Information Security, including the General Data Protection Regulation (GDPR).
What data do we use and why?
To enable us to provide services to our members (the lawful purpose is contractual)
The data we hold for members is:
- names of members, mailing addresses, email addresses, telephone numbers, last used IP addresses
- photographs of members
- details of the year that they qualified
- additional information about the services (tours, specialist information) that they provide which appears on our website
- and in some cases the bank account details so we can pay members when they do walks provided through CTGA.
This data is held in Mailchimp and in WordPress, and is also used for creating and processing membership badges and membership cards. Members' data provided for tours can also appear on our social networks (Facebook, Twitter and Instagram) and be used on promotional sites (like Timeout, Londonist, local press). Bank account details are held in the banking systems used by the association. Retention period is one year after a member resigns or fails to renew membership.
To provide walks to our clients (the lawful purpose is contractual)
The data we hold for clients is:
- names of clients, email addresses and optional mobile number
- information on the walk that they have undertaken
- if they have given consent to be placed on our mailing list.
This data is held in Eventbrite. Retention period is seven years, as we keep data on past events on Eventbrite until clients can no longer make legal claims against us (see below). Walk client information is not used for any purpose unrelated to the walks they have booked.
To manage a mailing list to clients interested in our services or applying for the training courses that we undertake (the lawful purpose is consent)
The data we hold for mailing list clients is:
- names of clients, email addresses, and IP addresses
- details of consent obtained from clients
This data is held in Mailchimp. Retention period is five years, at which point we would check to ensure that people are still interested in belonging to our mailing list.
To meet any legal obligations that we have as the standards and insuring body for our members (the lawful purpose is compliance with a legal obligation – in this case claims for )
The data we hold to meet legal obligations is:
- contact details (address, email and telephone number) for past members
- contract details (name, email, walk booked) for past clients
This data is held in Mailchimp (for past members) and Eventbrite (for past clients). Retention period is seven years, until clients and past members can no longer make legal claims against us.
It is the policy of CTGA to ensure that the eight rights of individuals under the General Data Protection Regulation (GDPR) are maintained. These are:
- The right to be informed (we notify members and clients on the mailing list of the details of this information policy)
- The right of access (most data is held in Mailchimp or Eventbrite, both of which provide members and clients with secure access to their data, and any member or client can apply to firstname.lastname@example.org to receive details of all the information we hold on them within a month)
- The right of rectification (any requests for information to be corrected should be made to email@example.com and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The right of erasure (any requests for information to be erased should be made to firstname.lastname@example.org and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The right to restrict processing (any requests for information to be restricted for processing should be made to email@example.com and this will be completed within one month)
- The right to data portability (any requests for information to be transferred out of our systems should be made to firstname.lastname@example.org; data will be provided in comma separated values format, and this will be completed within one month).
- The right to object (any objections to processing of the data should be made to email@example.com and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The rights related to automated decision making including profiling (we don’t use automated decision making).
CTGA is a data controller for all the data we hold. Nearly all the data is held on externally run third party providers (Eventbrite, Mailchimp, WordPress) who act as data processors. CTGA has a limited role as a data processor – occasionally the membership secretary, treasurer or webmaster handle bulk data, mainly during the membership renewal process, when badges or membership cards are created or commissioned. All our third party run systems are global, so your data could be exported outside the EU, but all the services we use are compliant with GDPR regulations, and all are part of the USA:EU safe harbour agreement.
It is also the policy of CTGA that:
- other than our data processor providers, we do not pass on data on members or clients to any other party.
- we do not allow any third party use of the data on members or clients for third party marketing purposes.
- we do not collect data on children under 16 or special category data.
It is also the policy of CTGA that (based on earlier data protection legislation):
- Information will be protected from a loss of: confidentiality (note 2), integrity (note 3), and availability (note 4).
- All regulatory and legislative requirements will be met (note 5).
- Business continuity plans will be produced, maintained and tested (note 6).
- Information security training will be available to all people with access to our systems.
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.
- The role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
- All CTGA people with access to Information Systems are directly responsible for implementing the Information Security Policy.
- It is the responsibility of each CTGA person with access to Information Systems to adhere to the Information Security Policy.
Notes to policies
1. Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using electronic means, stored on tape or video, or spoken in conversation.
2. Confidentiality: ensuring that information is accessible only to authorised individuals.
3. Integrity: safeguarding the accuracy and completeness of information and processing methods.
4. Availability: ensuring that authorised users have access to relevant information when required.
5. This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Design and Patents Act.
6. This will ensure that information and vital services are available to users whenever they need them.
7. For our association this is a part-time role for the nominated person.
Guidance and Procedures
Control of Physical Security:
As CTGA has no sites, buildings, computer rooms or equipment, and the information assets of the association are principally held online in suppliers' databases during normal working, physical security for records is normally irrelevant. There will be copies of data required for business continuity, which will be kept in encrypted format elsewhere (usually on a different online service), and under lock and key if held on physical media owned by CTGA. Similarly, any membership records held by officers or members at home will be kept under lock and key.
Controls on Access to Information:
Selected members of the association will be provided with usernames that give password controlled access to information that is relevant to the member. Directors, members and the technical support team will have password controlled access to the platform services, but will be required to follow the principles of the Information Security Policy. Access to all our data provider services (except for records used by officers for finance and membership purposes, maintained on spreadsheets and other software on home computers) is monitored by the suppliers, and audit trails of who accessed what are maintained by them. Access to records kept by officers on spreadsheets and other software is password protected, and a register of people with passwords is maintained.
Our members will be provided with a list of members (including their names, email addresses and telephone numbers), which is provided with the agreement of members, so that colleagues can contact other members at short notice if they need to replace a guide on a walk with a colleague. This information is to be kept secure, and must not be provided to anyone outside the membership.
Business Continuity Plan
Our information assets are stored with suppliers who are well protected against disasters. Most of our association activities are also not time critical. Most transactions are of a short term nature, and duplicated (for example every transaction is echoed in emails to guides). The worst case disaster would be the death or removal of the main operations person.
As a backup, a regular dump of information from each of the key resources will be made, encrypted and made available to selected officers and the technical support team, so that the association could continue.
There are no directly employed staff. All officers and Directors have agreed to the Information Security Policy and these Guidelines and Procedures. Individual members of the association are briefed (through association meetings, emails from our secretary and also through guidance on the membership pages of our web site) on the responsibility they have as guides to maintain the principles of the Data Protection Act.
Detecting and investigating breaches of security when they occur:
The officer appointed as Information Security Manager is responsible for investigating any breach of security and reporting to the Directors of the association on the results of the investigation, and then implementing any resulting changes to policy and security procedures.