The Data Protection Act (2018) is the UK’s implementation of the EU General Data Protection Regulation (GDPR) and controls how personal information is used by organisations, businesses or the government. ‘Personal data’ is any information from which an individual can be identified or is identifiable. There are two broad categories of compliance: data protection and data privacy. Data protection means keeping data safe from unauthorized access. Data privacy means empowering members to make their own decisions about whether ECSAC / BSAC can use their data and for what purpose.
Type of data held
Personal information that is held about members is limited to that which is required to ensure safe diving practices and communication. Name, address, date of birth, email and telephone number are required, and medical questionnaires (which will include details of current medical conditions) are stored for the purpose of ensuring that medicals are up to date. Next of kin information and contact details are required for use in an emergency, either at the club or when on a trip or training session.
All club data should be held electronically in a secure encrypted file which can only be accessed by officers of the Committee.
Paper copies of personal data should not be widely available. If paper copies are necessary, for example on a dive trip, then responsibility for the adequate destruction of these will reside with the dive manager.
The Registrar will ask members to update their personal data on a regular basis to ensure that it is kept up to date. Members can decide not to share certain information and can request erasure of their personal information.
Consent will be requested for photographs of members to be used for club purposes.
On an annual basis, the Registrar will ask members to update their personal information (address, contact details etc.) and photography consent, alongside completing their medical form.
- Members have the right to access their data.
- Members consent to the collection of their personal data (only that which is necessary for club communication and safe-diving practices).
- Members can withdraw their consent to data processing at any time and can request erasure of their personal record.
- For under 18s, consent must be obtained from the parent or guardian.