RAFSAA Abides by UK GDPR Guidance and Policy:
Under the UK GDPR, individuals have the right to be informed about the collection and use of their personal data, and this information is usually set out in a privacy policy which should be readily available at the time personal data is collected from an individual. The UK GDPR specifies what you need to tell individuals when you collect personal data from them, and there are some types of information that you must always provide, while the provision of other types of information depends on the particular circumstances of your organisation, and how and why you use people’s personal data.
RAFSAA GDPR POLICY
Date Approved/Reviewed: 3 Sept 2024
Review cycle/date: Every 3 years: April 2027
Party responsible: Secretary & Trustees
SCOPE OF THE POLICY
1. This policy covers all members of RAFSAA (Employees, Trustees, Committee members, General Members and Associate members) who potentially have access to personal data held by the Association and its members.
KEY POINTS
2. GDPR is Data Protection LAW[1] which says you must “protect the rights and freedoms of individual’s data information”.
a. It gives everybody protection rights for their personal information.
b. Anybody with access to other people’s personal information must ensure its non-disclosure to others unless specific written authority is held.
c. RAFSAA, and its members, have a moral and legal obligation to protect all members from unauthorised divulgence of any personal information.
d. What does GDPR apply to?
i. Collection of Data.
ii. Keeping of Data.
iii. Removing or deleting Data.
iv. ANYTHING to do with Data.
3. RAFSAA need to hold this personal data for the following reasons:
a. The data subject has given consent to the processing of their personal data.
b. To fulfil contractual obligations with a data subject (specifically around membership and renewals).
c. To comply with a data controller's legal obligations (namely, reporting to the police details of members with FACs).
POLICY
4. Data Controller and Data Processor. RAFSAA is the data controller and MyClubhouse is the Data Processor for personal information while Clover is the Data Processor for payment card information.
5. MyClubhouse (Membership and Club Management database), Clover (Payment system) and One Drive (MS Cloud Service) are the primary systems used by RAFSAA for collecting and storing data. Access to these systems should be limited to those that need the data to fulfil their duties.
a. Clover provides a PCI DSS compliant platform[2] and MyClubhouse (Membership and Club Management database) is a GDPR compliant platform.
b. OneDrive must not hold any personal or payment card information.
6. The following guidelines should be followed in matters relating to RAFSAA GDPR and Data:
a. All users must keep data secure.
b. All Members have the right to refuse to provide personal data should they so wish but it should be explained that this may restrict RAFSAA’s ability to keep them fully updated. However, we cannot comply with statutory requirements to inform police about members with FACs etc if a member refuses to allow us to process and store personal information on them.
c. If you have access to MyClubhouse, Clover and One Drive or any data source, the data must not be divulged to others without the specific authorisation of the owner of the data.
d. Information held in MyClubhouse, Clover and One Drive must not be downloaded or copied into any other record.
e. Any data held by RAFSAA must only be used for appropriate communication of RAFSAA and its associated disciplines.
f. Under no circumstances should marketing or promotional material from external sources be communicated using data held by RAFSAA.
g. Data must be removed and securely destroyed when it is no longer required.
7. RAFSAA will share your personal information with legal authorities as required of it by the Firearms Acts 1968. We will not share your personal information with any other external organisations.
8. RAFSAA retains the right to refuse membership to any member or prospective member who does not wish RAFSAA to hold data regarding their membership as we have legal reporting responsibilities and they do not have a right to membership.
9. If you have any doubts about how you can use the information that you can access, then it is imperative that you seek guidance from the Secretary and/or Committee before taking any action with the data.
AUDIT & REVIEW
10. This policy will be audited again on an annual basis and reviewed in 3 years’ time or sooner should legislation or audit dictate such a review.
[1] 2018 Data Protection Act is the enacting legislation in the UK for the GDPR
[2] Compliance via Annual Self-Assessment (Questionnaire C for use with PCI DSS Version 3.2.1)
All emails sent by the system contain a tracking pixel. This is used to track whether each email has been opened by the recipient, and when. This information can be viewed by those users of the system with permission to view email delivery reports. We do not display any information regarding the location of the recipient. Note that the tracking pixel is only activated if the recipient chooses to download images into their email client.
We, RAF Small Arms Association, make use of the myClubhouse software supplied by Simmetrics Ltd to process personal data we include on our myClubhouse website in accordance with our privacy policy set out above. Simmetrics Ltd processes your personal data on our behalf and they can only do so in accordance with our written instructions. You can find the details of our data processor’s privacy policy here: http://www.myclubhouse.co.uk/Home/PrivacyPolicy.