Our committee member responsible for Information Security is Kathryn Prevezer, and the Data Controller and Information Security Manager is David Brown.
This policy was approved at the committee meeting dated 08/05/2018 and will be reviewed annually.
The purpose and objective of this policy is to protect CIGA’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise damage and maximise the success of our association following legal requirements for Information Security, including the General Data Protection Regulation (GDPR).
What data do we use and why?
- names of members, mailing addresses, email addresses, telephone numbers, last used ip addresses
- photographs of members
- details of the year that they qualified
- additional information about the services (tours, specialist information) that they provide which appears on our website
- and in some cases the bank account details so we can pay members when they do walks provided through CIGA.
- names of clients, email addresses and optional mobile address
- information on the walk that they have undertaken
- if they have given consent to be placed on our mailing list
- names of clients, email addresses, and IP addresses
- details of consent obtained from clients
This data is held in Mailchimp. Retention period is five years at which point we would check to ensure that people are still interested in belonging to our mailing list.
To meet any legal obligations that we have as the standards and insuring body for our members (the lawful purpose is compliance with a legal obligation – in this case claims for ). The data we hold to meet legal obligations is:
- contact details (address, email and telephone number) for past members
- contract details (name, email, walk booked) for past clients
To operate the website for the public and members (the lawful purpose is contractual). The data we hold is:
- we do not use any cookies ourselves directly, but some of the software we use does – for example if you leave a comment, then you may opt-in to saving your name, email address and website in cookies.
It is the Policy of CIGA to ensure that the eight rights of individuals under the GDPR are maintained. These are
- The right to be informed (we notify members and clients on the mailing list of the details of this information policy)
- The right of access (most data is held in mail chimp or eventbrite, both of which provide members and clients with secure access to their data, and any member or client can apply to email@example.com to receive details of all the information we hold on them within a month)
- The right of rectification (any requests for information to be corrected should be made to firstname.lastname@example.org, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The right of erasure (any requests for information to be erased should be made to email@example.com, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The right to restrict processing (any requests for information to be restricted for processing should be made to firstname.lastname@example.org, and this will be completed within one month)
- The right to data portability (any requests for information to be transferred out of our systems should be made email@example.com, data will be provided in comma separated values format, and this will be completed within one month).
- The right to object (any objections to processing of the data should be made to firstname.lastname@example.org, and this will be completed within one month, unless it means we are unable to meet our legal obligations)
- The rights related to automated decision making including profiling ( we don’t use automated decision making).
Data Controllers and Data Processors
CIGA is a data controllers for all the data we hold. Nearly all the data is held on external third party run providers (Eventbrite, Mailchimp, WordPress) who act as data processors. CIGA has a limited role as a data processor – and occasionally the membership secretary, treasurer or webmaster handle bulk data mainly during the membership renewal process, when badges or membership cards are created or commissioned. All our third party run systems are global, so data could be exported outside the EU, but we understand that all the services we use are compliant with GDPR regulations, and all are part of the USA:EU safe harbour agreement.
It is also the policy of CIGA that:
- other than our data processor providers we do not pass on data on members or clients to any other party.
- we do not allow any third party use of the data for members or clients for third party marketing purposes
- we do not collect data on children under 16 or special category data
It is also the policy of CIGA that (based on earlier data protection legislation):
- information will be protected from a loss of: confidentiality (note 2), integrity (note 3), and availability (note 4).
- all regulatory and legislative requirements will be met (note 5)
- business continuity plans will be produced, maintained and tested (note 6).
- information security training will be available to all people with access to our systems.
- all breaches of information security, actual or suspected will be reported to, and investigated by the Information Security Manager..
- the role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
- all CIGA people with access to Information Systems are directly responsible for implementing the Information Security Policy.
- it is the responsibility of each CIGA person with access to Information Systems to adhere to the Information Security Policy.
Notes to policies
1. Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using electronic means, stored on tape or video, spoken in conversation
2. Confidentiality: ensuring that information is accessible only to authorised individuals.
3. Integrity: safeguarding the accuracy and completeness of information and processing methods.
4. Availability: ensuring that authorised users have access to relevant information when required.
5. This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Design and Patents Act,
6. This will ensure that information and vital services are available to users whenever they need them.
7. For our association this is a part-time role for the nominated person.
Guidance and Procedures
Control of Physical Security :
As CIGA has no sites, buildings, computer rooms or equipment and the information assets of the association are principally held online in suppliers databases during normal working, physical security for records is normally irrelevant. There will be copies of data required for business continuity, which will be kept in encrypted format elsewhere (usually on a different online service), and under lock and key if held on physical media owned by CIGA. Similarly any membership records held by officers or members at home will be maintained under lock and key.
Controls on Access to Information:
Selected members of the association will be provided with usernames that provide password controlled access to information that is relevant to the member. Committee members and technical support team will have password controlled access to the platform services, but will be required to follow the principles of the Information Security Policy. Access to all our data provider services (except for records used by officers for finance and membership purposes maintained on spreadsheets and other software on home computers) is monitored by the suppliers, and audit trails of who accessed what are maintained by them. Access to records kept by officers on spreadsheets and other software is password protected and a register of people with passwords is maintained.
Business Continuity Plan
Our information assets are stored with suppliers who are well protected against disasters. Most of our association activities are also not time critical. Most transactions are of a short term nature, and duplicated (for example every transaction is echoed in emails to guides). The worst case disaster would be the death or removal of the main operations person.
As a back up a regular dump of information from each of the key resources will be made, encrypted and available to selected committee members and the technical support team, so that the association could continue.
There are no directly employed staff. All members of the committee have agreed to the Information Security Policy and these Guidelines and Procedures. Individual members of the association are briefed (through association meetings, emails from our secretary and also through guidance on the membership pages of our web site) on the responsibility they have as guides to maintain the principles of the Data Protection Act.
Detecting and investigating breaches of security when they occur:
The committee member appointed as Data Controller and Information Security Manager is responsible for investigating any breach of security and reporting to the committee of the association on the results of the investigation, and then implementing any resulting changes to policy and security procedures.
8th May 2018