Privacy

Our committee member responsible for Information Security is Kathryn Prevezer, and the Data Controller and  Information Security Manager is David Brown.

This policy was approved at the committee meeting dated  08/05/2018 and will be reviewed annually.

Objective

The purpose and objective of this policy is to protect CIGA’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise  damage and maximise the success of our association following legal requirements for Information Security, including the General Data Protection Regulation (GDPR).

What data do we use and why?

To enable us to provide services to our members (the lawful purpose is contractual). The data we hold for members is:
  • names of members, mailing addresses, email addresses,  telephone numbers, last used ip addresses
  • photographs of members
  • details of the year that they qualified
  • additional information about the services (tours, specialist information) that they provide which appears on our website
  • and in some cases the bank account details so we can pay members when they do walks provided through CIGA.
This data is held in Mailchimp, and in WordPress, and also used for creating processing membership badges and membership cards.   Members data provided for tours can also appear on our social networks (Facebook, Twitter and Instagram) and used on promotional sites (like Timeout, Londonist, local press).  Bank account details are held in the banking systems used by the association.    Retention period is one year when a member resigns or fails to renew membership.

 

To provide walks to our clients (the lawful purpose is contractual). The data we hold for clients is:
  • names of clients, email addresses and optional mobile address
  • information on the walk that they have undertaken
  • if they have given consent to be placed on our mailing list
This data is held in Eventbrite.  Retention period is seven years as we keep data on past events on Eventbrite until clients can no longer make legal claims against us (see below).  But walk client information is not used for any purpose not to do with walks they have booked for.  Group visits or walks are dealt with through email and written correspondence.

 

To manage a mailing list to clients interested in our services or applying for the training courses that we undertake (the lawful purpose is consent). The data we hold for mailing list clients is:
  • names of clients, email addresses, and IP addresses
  • details of consent obtained from clients

This data  is held in Mailchimp.  Retention period is five years at which point we would check to ensure that people are still interested in belonging to our mailing list.

 

To meet any legal obligations that we have as the standards and insuring body for our members (the lawful purpose is compliance with a legal obligation – in this case claims for ). The data we hold to meet legal obligations is:

  • contact details (address, email and telephone number) for past members
  • contract details (name, email, walk booked) for past clients
This data is held in Mailchimp (for members), and Eventbrite (for past clients).  Retention period is seven years until clients and past members can no longer make legal claims against us.

 

Policy

It is the Policy of CIGA to ensure that the eight rights of individuals under the GDPR are maintained.  These are

  • The right to be informed (we notify members and clients on the mailing list of the details of this information policy)
  • The right of access (most data is held in mail chimp or eventbrite, both of which provide members and clients with secure access to their data, and any member or client can apply to webmaster@ciga.org.uk to receive details of all the information we hold on them within a month)
  • The right of rectification (any requests for information to be corrected should be made to webmaster@ciga.org.uk, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
  • The right of erasure (any requests for information to be erased should be made to webmaster@ciga.org.uk, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
  • The right to restrict processing (any requests for information to be restricted for processing should be made to webmaster@ciga.org.uk, and this will be completed within one month)
  • The right to data portability (any requests for information to be transferred out of our systems should be made towebmaster@ciga.org.uk, data will be provided in comma separated values format, and this will be completed within one month).
  • The right to object (any  objections to processing of the data should be made to webmaster@ciga.org.uk, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
  • The rights related to automated decision making including profiling ( we don’t use automated decision making).

Data Controllers and Data Processors

CIGA is a data controllers for all the data we hold. Nearly all the data is held on external third party run providers (Eventbrite, Mailchimp, WordPress) who act as data processors.  CIGA has a limited role as a data processor – and occasionally the membership secretary, treasurer or webmaster handle bulk data mainly during the membership renewal process, when badges or membership cards are created or commissioned.   All our third party run systems are global, so data could be exported outside the EU, but we understand that all the services we use are compliant with GDPR regulations, and all are part of the USA:EU safe harbour agreement.

It is also the policy of CIGA that:

  • other than our data processor providers we do not pass on data on members or clients to any other party.
  • we do not allow any third party use of the data for members or clients for third party marketing purposes
  • we do not collect data on children under 16 or special category data

It is also the policy of CIGA that (based on earlier data protection legislation):

  •  information will be protected from a loss of: confidentiality (note 2), integrity (note 3), and availability (note 4).
  • all regulatory and legislative requirements will be met (note 5)
  • business continuity plans will be produced, maintained and tested (note 6).
  • information security training will be available to all people with access to our systems.
  • all breaches of information security, actual or suspected will be reported to, and investigated by the Information Security Manager..
  • the role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
  • all CIGA people with access to Information Systems are directly responsible for implementing the Information Security Policy.
  • it is the responsibility of each CIGA person with access to Information Systems to adhere to the Information Security Policy.

Cookies 

  • It is CIGA’s policy not to use Cookies in any code we provide, but the data processors we use do use cookies to enhance the services they provide. Details can be found on their websites at EventbriteMailchimp or WordPress.

Notes to policies

1. Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using electronic means, stored on tape or video, spoken in conversation

2. Confidentiality: ensuring that information is accessible only to authorised individuals.

3. Integrity: safeguarding the accuracy and completeness of information and processing methods.

4. Availability: ensuring that authorised users have access to relevant information when required.

5. This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Design and Patents Act,

6. This will ensure that information and vital services are available to users whenever they need them.

7. For our association this is a part-time role for the nominated person.

 

Guidance and Procedures

 

Control of Physical Security :

As CIGA has no sites, buildings, computer rooms or equipment and the information assets of the association are principally held online in suppliers databases during normal working, physical security for records is normally irrelevant.   There will be copies of data required for business continuity, which will be kept in encrypted format elsewhere (usually on a different online service), and under lock and key if held on physical media owned by CIGA.  Similarly any membership records held by officers or members at home will be maintained under lock and key.

 

Controls on Access to Information:

Selected members of the association will be provided with usernames that provide password controlled access to information that is relevant to the member. Committee members and technical support team will have password controlled access to the platform services, but will be required to follow the principles of the Information Security Policy.  Access to all our data provider services (except for records used by officers for finance and membership purposes maintained on spreadsheets and other software on home computers) is monitored by the suppliers, and audit trails of who accessed what are maintained by them.  Access to records kept by officers on spreadsheets and other software is password protected and a register of people with passwords is maintained.

Our members will be provided with a list of members (including their names, email addresses and telephone numbers) which is provided on the agreement of members, in order for colleagues to contact other members at short notice in case they need to replace a guide on a walk with a colleague.  This information is to be kept secure, and must not be provided to anyone outside the membership.

 

Business Continuity Plan

Our information assets are stored with suppliers who are well protected against disasters.  Most of our association activities are also not time critical.  Most transactions are of a short term nature, and duplicated (for example every transaction is echoed in emails to guides). The worst case disaster would be the death or removal of the main operations person.

As a back up a regular dump of information from each of the key resources will be made, encrypted and available to selected committee members and the technical support team, so that the association could continue.

 

Training Staff:

There are no directly employed staff.  All members of the committee have agreed to the Information Security Policy and these Guidelines and Procedures.  Individual members of the association are briefed (through association meetings, emails from our secretary and also through guidance on the membership pages of our web site) on the responsibility they have as guides to maintain the principles of the Data Protection Act.

 

Detecting and investigating breaches of security when they occur:

The committee member appointed as Data Controller and Information Security Manager is responsible for investigating any breach of security and reporting to the committee of the association on the results of the investigation, and then implementing any resulting changes to policy and security procedures.

8th May 2018