Chipstead Sailing Club IT Policy
Purpose & Related Policies and Legislation
· UK GDPR
· CSC Data Protection Policy
· CSC Safeguarding Policy
· CCTV Policy
Access to IT Equipment
IT Asset Management
IT Contract Management
Management of Computer Accounts
· e.g. teams accounts, cloud and local admin accounts
· Shared access
· Transfer of responsibility
Password Policy
· MFA
· Password complexity
· Updating passwords
Data Breaches
· Prevention
· Response
Spam / Phishing
· Reporting
· Response
· Prevention
Email Account Management
· Linking to personal accounts
· Archiving
Introduction
In order to run effectively as a club, Chipstead Sailing Club (CSC) needs to obtain and store relevant personal data regarding members, contractors and learners as part of its operation.
This policy describes how this personal data must be collected, handled and stored to meet CSC's data protection standards and to comply with the law.
This policy also describes how the club's IT assets should be stored, maintained and serviced.
Why this policy exists
This IT policy ensures CSC:
• Complies with data protection law and follows good practice
• Protects the rights of members and customers
• Is open about how it stores and processes individuals' data
• Protects itself from risk of data breaches
Data protection law
The General Data Protection Regulation (GDPR), to be fully introduced in May 2018, describes how organisations such as CSC must collect, handle and store personal information. These rules apply regardless of whether data are stored electronically or on paper. To comply with the GDPR, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The GDPR is underpinned by eight important principles. These say that personal data must:
• Be processed fairly and lawfully
• Be obtained only for specific, lawful purposes
• Be adequate, relevant and not excessive
• Be accurate and up to date
• Not be kept for longer than necessary
• Be processed in accordance with the rights of data subjects
• Be kept and held securely
• Not be transferred to third parties or other countries without consent
In addition, CSC must maintain data contracts with third parties in accordance with the GDPR.
1 Data Protection Policy
Scope
This policy relates to:
• The Sailing Committee
• The IT committee
• The Social Committee
• The House Committee
• The Finance Committee
• The Junior section including Chipmates
Personal Data
Personal data covers both facts and opinions about an individual where that data identifies an individual. These data include, amongst other items:
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Age
• RYA Qualifications
• Duty roster abilities
Data protection risks
This policy helps to protect CSC from some very real data security risks including:
• Breaches of confidentiality.
• Failure to offer choice in how data are used/stored
• Reputational damage in the event of a data loss or leak
Responsibilities
All members of CSC, particularly those with positions of responsibility, have a responsibility to ensure data are collected, stored and handled appropriately.
These people have particular responsibility:
• The flag officers
• The membership secretary
• The training secretary
• Publicity secretary
CSC has no formal Data Protection Officer (DPO), but the function of ensuring that we maintain data protection standards in accordance with the requirements of the General Data Protection Regulation (GDPR) is vested in the office of the Commodore and supported by the Executive Committee.
General guidance
• The only people able to access data are those authorised by the executive committee who need such access for their function in the club
• Data should not be shared informally
• Passwords for electronic information databases should be strong and not shared
• Data should be regularly reviewed and updated and if no longer required should be deleted and appropriately disposed of
• Members should request guidance from the executive via the club secretary if they are unsure about any aspect of data protection
Data storage
When data are stored on paper:
• They should be kept in a secure place where unauthorised persons cannot see or access them.
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Data printouts should be shredded when no longer required.
When data are stored electronically, they must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• It should be protected by strong passwords that are not shared between members
• Removable media should be kept locked away when not in use
• Data should be backed up frequently
• All computers containing data should be protected by approved security software, passwords and firewalls
Data Use
• Personal data should not be shared informally
• Personal data should be encrypted before being transferred electronically
• Personal data should never be transferred outside of the European Economic Area
• Members should not save copies of personal data to their own computers unless these are password and firewall protected and approved.
CSC will not forward personal data for direct marketing and fund-raising purposes.
Sensitive Personal Data
CSC will not collect or store sensitive personal data. This includes data relating to religion, race, sexual orientation, and criminal records and proceedings.
The training section will obtain relevant medical data for the duration of a training course and only whilst it is relevant to the safe running of the course.
Other club activities may obtain medical data regarding participants, as well as emergency contact details, only for the period required for the safe running of the course/activity.
CSC has a separate DATA PROTECTION policy which is available to all members and is published on the Club's official website. It covers:
Data Protection Policy – What information we collect and why.
Data Protection Policy – How we protect your personal data
Data Protection Policy – Who else has access to the information you provide us
Data Protection Policy – How long do we keep your information
Data Protection Policy – Rights of Access to Information
Members have the right of access to information held by CSC.
Any member wishing to access their personal data should put their request in writing to the Commodore via the Club Secretary.
CSC will respond to any such written requests as soon as is reasonably practicable and in any event, within the requirements of the GDPR.
Disclosing data for other reasons
In certain circumstances the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these rare circumstances CSC will disclose requested data after ensuring that the request is legitimate.
Enforcement
If an individual believes that CSC has not complied with this Policy or has acted otherwise than in accordance with the Data Protection Act, the member should utilise the CSC grievance procedure and should also notify the DPC.
CCTV
CSC owns and operates a CCTV network for the purposes of crime prevention and detection, and Safeguarding. Where a data subject can be identified, images must be processed as personal data.
Providing information
CSC aims to ensure that individuals are aware that their data are being processed, and that they understand:
• How their data are being used (see Data Protection Policy)
CSC has a separate CCTV Policy which covers:
• Objectives of the CCTV Policy
• Statement of intent
• Operation of the system
• Control of Software and access to the system
• Monitoring procedures
• Breaches of the code (including breaches of security) and compliance
• Complaints
• Access by the Data Subject
• Public information
IT Asset Protection
The club maintains an IT asset list. Any new items of IT and/or related hardware and/or software bought outside the IT committee's remit should be reported to the IT secretary so that they can be added to the list.
All club IT assets should be securely locked away or hidden out of sight when not in use, so far as is practicable, whilst within the Club house and its surrounding buildings. Ultimately, the club's appointed Locking Up Rota representatives will be responsible for securing the premises and the IT assets thereon.
Assigned members (those who have a particular responsibility) who have custody and control of club IT assets should take all steps to ensure that those assets are secure at all times. Any loss of or damage to such property should be reported immediately to the Club IT secretary.
The Website
The club's official website is located at https://chipsteadsc.org.uk
The club maintains control of its own website, and there are currently 3 members of the IT Committee with full access to the site.
CSC will endeavour to keep the public-facing content of the site up to date, refreshed and accurate.
The Backing up of data
Files on the main Server are currently backed up to an online cloud service provider. These areas are protected by the appropriate levels of security.
CSC-related data, files, documents, spreadsheets, images and other material stored on Club Assets and on the personal computers / devices used by the following:
• The Executive Committee
• The Sailing Committee
• The IT Committee
• The Social Committee
• The Training Committee
• The House Committee
• The Finance Committee
• The Junior section including Chipmates
shall ALL be backed up, by the individual concerned, to the allocated location within the CSC DROPBOX account, for which the IT committee has overall responsibility.
