Data Protection Policy (GDPR)
The Glasgow Vintage Vehicle Trust has a duty of care to safeguard personal data that we hold. We must also comply with the requirements of both the Data Protection Act and General Data Protection Regulations (GDPR).
This means that we have to securely collect, store, process and destroy any information of a personal nature. Membership details such as names and addresses, and contact details including email addresses, would be regarded as personal data. Personal data should only be shared with Trustees and/or Office Bearers who require this information to carry out the business of the Trust.
The GDPR was introduced to safeguard individuals’ personal data in a digital era. It introduces additional requirements: we must have a Privacy Notice to advise people how and when we will use their personal data, we must ensure that their information is accurate and up to date, and we must delete their information if we no longer need it. It also strengthens people’s right to access the data we hold on them.
As a Membership Society we only collect personal data from individuals who provide information in order to become a Member. We do not collect information electronically or from third party organisations.
The Trust has written a privacy notice which will be used when collecting personal data in order to inform individuals how their data will be used.
As part of the changes in legislation under the General Data Protection Regulation (GDPR), we want to advise that:
- The Glasgow Vintage Vehicle Trust is committed to protecting your personal data and your privacy by informing you about the way we use, store, process and protect personal data entrusted to us
- As a membership society we require that you provide some personal data in order to register as a member. We regard the lawful basis for the collection of such personal data as Legitimate Interest.
- This information may be collected and stored in both electronic and paper formats
- We will use (process) this information to provide membership services, to provide you with our regular newsletter and information about activities, events and any relevant business associated with the Glasgow Vintage Vehicle Trust
- We will not sell or divulge your personal data to any third party organisations
- We may share your details with an external provider for the distribution of the Trust’s Newsletter
- Trustees and Office Bearers may use their own personal computers for the storage of personal data associated with membership details. Where this is the case, databases will be password protected and will have suitable firewall protection.
- We will not ask you for any sensitive personal data
- We will not use any electronic profiling software to manage any data provided
- We will delete any personal data that we hold, once you cease being a Member
General Data Protection Regulations
As part of the GDPR requirements, the Glasgow Vintage Vehicle Trust is required to select a lawful basis on which to collect personal data.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data.
In order to provide services to our members, the GVVT must have a necessary and lawful basis to process personal data. In order to be a member, we need to process some basic personal data.
We have reviewed the purposes of our processing activities and selected the most appropriate lawful basis for Membership. We have assessed these activities and have concluded that the use of ‘Legitimate Interest’ would be the most appropriate lawful basis that would apply to the collection of Personal Data in order to process data for Membership.
We have assessed that this is the most appropriate basis to use personal data and will use it in a way that Members would reasonably expect and which would have a minimal privacy impact. We require people’s name and address in order to provide membership services, to provide our newsletter and information on activities and events and business of the Glasgow Vintage Vehicle Trust. Their identity would need to be supplied in order for the GVVT to issue a membership card. We have advised in our Privacy Notice the lawful basis of Legitimate Interest and have also stated that we will not collect sensitive personal data, will not transfer or sell their information to third parties and will not use electronic profiling to manage data. We will destroy information held once individuals cease being a Member.
CCTV is regulated by the Data Protection Act but is also covered by the GDPR. Data Subjects would have the same right of access to CCTV images as other forms of personal data. Subject Access Requests should be made in writing and a log of these should be maintained.
Although we may be able to rely on legitimate interests to comply with the legal requirements for operating CCTV, we do need to be able to justify this against the area of coverage. Data subjects’ rights and freedoms cannot be overridden, especially in the case of legitimate interests. Even inside a work premises, employees have a right to privacy. We would need to assess the coverage and number of CCTV cameras deployed. In essence, we should only use CCTV for legitimate purposes and if there is no other way to achieve the same outcome.
Access to CCTV systems should be limited and those individuals need to know the legal requirements and understand the GVVT Data Protection Policy.
The GVVT is registered with the Information Commissioner as a Data Controller.
In order that the Trust remains compliant with all these regulations, all Trustees and Office Bearers, including Event Organisers, will be required to sign and adhere to the data protection declaration.
Data Protection Declaration
The Glasgow Vintage Vehicle Trust is registered as a Data Controller with the Information Commissioner under the provisions of the Data Protection Act (2000). This registration, in addition to covering the CCTV systems at Bridgeton Bus Garage, covers all Personal Data collected or handled by the Glasgow Vintage Vehicle Trust. In addition, the General Data Protection Regulations (GDPR) came into force in May 2018 and we as an organisation also have to comply with these requirements.
All Officers of the Trust involved in collecting or handling Personal Data must adhere to the following Code of Practice:
- Personal Data will only be collected or handled by authorised Officers of the Trust
- Personal data may be information as simple as name, address, contact details, including email address
- Personal Data will only be used in connection with the Trust’s business, or for membership purposes, or in connection with the Trust’s social activities and any information collected will be relevant to these purposes
- Personal Data will be kept in a secure manner, should be accurate and kept up to date and details should not be kept for longer than is necessary to allow the completion of their intended purpose.
- If Office Bearers are required to use their own personal computers, then personal data will be password protected and suitable firewall protection will be installed
- Personal data will be destroyed after completion of its intended purpose in a secure and safe manner.
- Personal data will not be passed to third parties outwith the Glasgow Vintage Vehicle Trust
- It should be recognised that individuals have a right of access to personal data that we hold on them. Individuals must make an application in writing and details of these will be kept on file. The GVVT will have 30 days to comply with these requests.
- On a practical level, officers should not divulge personal data such as individual email details when sending bulk mail. This provides basic security to prevent email scams and phishing.