There is a lot of hot air blown around about the DPA and what it means, despite it being largely common sense and the prolific amount of information on the subject with some pretty useful guidance from the Information Commissioner’s Office (ICO) from which I quote:
The Act works in two ways. Firstly, it helps to protect your interests by obliging organisations to manage the information they hold in a proper way. It states that anyone who processes personal information must comply with eight principles, which make sure that it is:
• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate and up to date;
• not kept for longer than is necessary;
• processed in line with an individual's rights;
• secure; and
• not transferred to other countries (outside of the EU) without adequate protection.
The second area covered by the Act gives you important rights, including the right to know what information is held about you and the right to correct information that is wrong. You also have the right to claim compensation through the courts if an organisation breaches the Act and this causes you damage, such as financial loss. If it has, you can also claim for distress.
The risk to organisations (registered or not) is that someone can claim and prove loss or damages due to a breach of the DPA. This is what most organisations are worried about and a Data Protection policy is intended to safeguard both the organisation and individuals against a breach. This does not have to be an exhaustive policy but how onerous it becomes is normally governed by the risk of a successful claim being brought against an organisation due to a breach of the information they hold. For example, as far as I am aware, none of the info AUK hold is 'sensitive personal information' that might lead to discrimination against an individual, leading to personal loss and subsequent distress/damages. Does AUK have a DP policy?
In addition, the rights of an individual, as alluded to above, are as follows:
• Ask to access information relating to them
• Ask to correct information relating to them
• Ask to prevent processing of information (you can ask but the organisation is not bound to comply)
• Ask to stop unsolicited marketing (you can ask them to stop and they have to comply)
• Ask to stop automated decision making (i.e. where decisions are not made by people)
Whilst AUK may be exempt from notifying the ICO, it does hold and manage personally identifiable data and as such should follow the 8 principles of the Act; however, this does not have to be limited to AUK-specific information. For example, AUK may hold information about CTC membership as long as it is accurate, is associated and used in the context of the individual's activity or membership, and is held/managed securely. It could be argued that despite the term 'DA' being an anachronism, it is still relevant to (some) individuals and the activities they are engaged in that are facilitated by AUK. In other words, although strictly speaking it should be replaced with the term 'Member Group', it could be argued that 'DA' implies the same thing until such time as the new stock of cards are printed.
One area where AUK might want to think about is the website component of AUK where personally identifiable data is shared with other members and anyone who lands on the site. This information is limited but is shared nonetheless. A stock item within most DP policies is that individuals give their consent to the processing of information and especially where this information is shared with 3rd parties. I don't see anything like that on the online entry (and couldn't remember consenting to it) but if not covered off elsewhere, I suggest two tick boxes be added to either the online entry or terms of membership with wording along the lines of
"I consent to AUK storing my details and using these to process information related to activities associated with my membership" plus
"I consent to my participation in AUK events being publicised on the AUK website and visible to both AUK members and the general public"