Introduction

Inverclyde Chamber of Commerce (“ICC”) requires to collect, process and store data which relates:

 

• to its members (current, former and potential);
• to its applicants (current, former and potential); and
• to other living individuals.

 

Where information relates to or identifies a living individual, it is considered ‘personal data’ under the Data Protection Act 2018 (hereafter referred to as “the Act”).

 

From time to time, ICC may also require to process some types of personal data which are classed as “sensitive personal data”. This is data relating to racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life and any alleged offences and/or criminal convictions.

 

Data Subjects i.e. members, applicants and potential applicants, will be asked by ICC to provide/confirm their personal and/or sensitive personal data as required. By providing this information the Data Subjects consent to ICC collecting, processing and storing this information.

 

It is crucial that the Law Clinic adheres to the Principles of Data Protection, as detailed in the Data Protection Act 2018. 

 

Specifically, the Principles require that personal information:

 

The Principles are:

Your data will be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

All staff members of ICC who process or use any personal information must ensure that they follow these Principles at all times.

 

Processing Personal Data

Personal data relating to data subjects is processed (both manually and electronically) for various administrative, management, pastoral and health and safety reasons, including but not limited to:

 

• Maintenance of members’ records on our system and in hard file;
• The management of Chamber social events;
• The provision of advice and support to members;
• Communication with members (including by electronic means) relating to any and all Chamber administration;
• The management of members’ equalities monitoring forms, and any data held on the equalities monitoring database;

 

Disclosure of personal data

ICC discloses information about members (potential, current, and former) to a variety of third parties. This will always be done in accordance with the Act. The consent of data subjects will be sought where necessary. Third parties include (but are not limited to):

• Employees and agents of other potential, current, and former members (on a ‘need to know’ basis);
• Professional bodies, for example Scottish Chambers of Commerce;
• Law enforcement agencies; and
• Relevant authorities dealing with emergency situations at the University.

 

ICC will not disclose your personal data to any unauthorised third parties without obtaining your consent, except where required to do so by law.

 

Retention of Personal Data

ICC may retain personal information for an indefinite period of time for research and development purposes.  Throughout this time, the personal information will be processed in accordance with the six stated Principles on page 1 of this document. Please note that after completion of your contact and/or membership with ICC, we may still require to hold your personal data for a period of time to satisfy statutory/legal obligations and/or to meet administrative requirements.

 

Rights under the Data Protection Act

As a ‘Data Subject’ you have a number of rights under the Act. These include the right to:

• access to the personal data ICC holds about you;
• have inaccurate data corrected;
• prevent processing of information which may cause you harm or distress;
• prevent unsolicited marketing; and
• prevent automated decision-making.

 

More information can be found here.

 

Responsibilities of Members

All members are responsible for:

• Checking that any information that they provide to ICC in connection with their membership is accurate and up-to-date;
• Informing ICC of any changes to the personal data which they have previously provided e.g. change of address;
• Checking the information that ICC sends out to them advising of the data that is kept and processed about them; and
• Informing ICC of any errors or changes in their personal data.

 

If, in the course of their dealings with ICC, members process information about other people, they have a responsibility to ensure they are doing so in accordance with the Act.

 

Staff members who have a responsibility for supervising other members who are undertaking processing of personal data have a responsibility to ensure that the member is informed as to his/her responsibilities under the Act by reference to this policy and other relevant materials. In addition, relevant members (including, but not limited to Directors and/or administrators) must ensure that new members provide consent to their data being process. This consent must be retained and recorded.

 

Responsibilities of Others Working or Volunteering for and on Behalf of ICC

ICC is responsible for the use made of personal data by anyone acting on its behalf. Where ICC engages third parties to work or to volunteer, and those third parties handle personal data on ICC’s behalf, ICC must ensure that these third parties:

• are made aware of this policy and adhere to its terms;
• do not have access to personal data beyond that required for the work to be carried out; and
• return or destroy personal data on completion of the work.

 

Data Security

All staff members are responsible for ensuring that:

• any personal data which they hold is kept securely (either by physical storage means i.e. locked cabinets/drawers or by using appropriate IT equipment/security measures); and
• personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party.

 

Unauthorised disclosure of personal data is a breach of the Act and may also be a disciplinary matter. Members may also incur criminal liability if they knowingly or recklessly obtain and/or disclose personal information without the consent of the ICC i.e. for their own purposes, which are outside the legitimate purposes of ICC.

 

Right to Access Information

As a data subject you have a right to request a copy of the information ICC holds about you.  This is known as a ’Subject Access Request’ (SAR). To find out about submitting a SAR, visit the ICO’s webpage (link found here), or contact, in the first instance, Corey Beaton (Business Development & Membership Executive) at membership@inverclydechamber.co.uk.

 

ICC strives to ensure your personal data remains accurate; to assist with this, please ensure you keep your record up-to-date via the contact listed above.

 

Other Rights under the Act

ICC recognises that, under the Act, an individual can request that ICC does not process information about him/her if that processing causes substantial unwarranted damage or distress. Where such a request is made, ICC will work to ensure full compliance with the law. If an individual chooses to exercise this right, it in no way affects his/her other rights under the Act.

 

Disposal of Personal Data

Staff members must ensure that the destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed/deleted.

 

Breaches

Where a breach of the Act occurs, any possible actions to mitigate the breach should be taken by the relevant person immediately upon discovery of the breach, i.e. removing personal data from a publicly-accessible website, etc.

 

Designated Data Protection Officer

 

ICC’s Data Protection Officer is responsible for ensuring compliance with the Data Protection Act and implementation of this policy.  The Data Protection Officer is Corey Beaton and is contactable at

 

Inverclyde Chamber of Commerce

Aves Business Centre

11 Jamaica Street

Greenock

PA15 1XX

 

Membership@inverclydechamber.co.uk

 

Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Data Protection Officer.