More

Castletown Golf Club

Castletown Golf Links Collective Data Protection and IT Security Policy

Policy information

This policy applies to:

Langness Golf Course Limited (LGCL);
all sites under the control of LGCL;
all staff operating on behalf of LGCL.
It applies to paid staff and volunteers.

Policy operational date:

With effect from 01/01/2016

Policy prepared by:

Data Protection Officer –PJ Vermeulen

Date approved Management: 30/04/2018

Policy review date: 30/04/2018

Introduction

The purpose of this policy is to enable LGCL to:

comply with the law in respect of the data it holds about individuals;
follow good practice;
protect LGCL’s supporters, staff and other individuals
protect the organisation from the consequences of a breach of its responsibilities.

The Data Protection Principles require that personal information is:

processed fairly and lawfully
processed for limited purposes
adequate, relevant and not excessive
accurate and up to date
not kept for longer than is necessary
processed in line with the rights of individuals
secure
not transferred to other countries without adequate protection

This policy applies to information relating to identifiable individuals, even where it is technically outside the scope of the General Data Protection Regulations, by virtue of not meeting the strict definition of ‘data’ in the Act.




Policy statement

LGCL will:

comply with both the law and good practice
respect individuals’ rights
be open and honest with individuals whose data is held
provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently

LGCL has identified the following potential key risks, which this policy is designed to address:

Breach of confidentiality (information being given out inappropriately).
Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
Breach of security by allowing unauthorised access.
Failure to establish efficient systems of managing changes leading to personal data being not up to date.
Harm to individuals if personal data is not up to date.
Insufficient clarity about the way staff or volunteers’ personal data is being used e.g. given out to general public.

Responsibilities

LGCL recognises its overall responsibility for ensuring that it complies with its legal

obligations.


Reviewing Data Protection and related policies
Advising other staff and legal entities, namely Castletown Golf Club Limited, Charlie Simpson Golf and Number19 Limited on Data Protection issues.
Ensuring that Data Protection induction and training takes place
Notification
Handling subject access requests
Approving unusual or controversial disclosures of personal data

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.





Security

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

LGCL has identified the following risks:

Staff or volunteers with access to personal information could misuse it.
Poor web site security might give a means of access to information about individuals once individual details are made accessible on line.
Staff may be tricked into giving away information, either about supporters or colleagues, especially over the phone, through “social engineering”.
Setting security levels Access to information on the Member Management System will be controlled in accordance with required access and through Intelligent Golf’s Access Level Structures.

Data recording and storage

LGCL will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

ICT systems utilised, will where possible, to encourage and facilitate the entry of accurate data.
Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
Member’s data held on website can be managed to ensure personal information is not accessible by other members, who do not have sufficient rights to access the information.
Members have the ability to limit the information available to other members by Logging-in into the Intelligent Golf system, selecting ‘My Golf’ then ‘Preferences’ under the sub-menu and selecting the ‘Ex-directory’ tick box which will not show contact details to other members. This is also where emailing preferences can be managed.

Data is stored on the Intelligent Golf member management software which is hosted by Intelligent Golf. LGCL will retain data for a minimum period of six years.

Archived records of members are stored by Castletown Golf Club Limited.


In a review conducted in April 2018, we have gained sufficient comfort that the Intelligent Golf system provides adequate controls for data protection, including new measure put in place such as download audits, review of messaging, etc.



CCTV

LGCL has;

installed a CCTV system which produces clear images which the law enforcement bodies can use to investigate crime and these can easily be taken from the system when required.
positioned cameras so that they provide clear images.
positioned the cameras to avoid capturing images of persons not visiting the premises.
sited monitors in a position that provides the staff with the security required whilst restricting as far as is practical the ability of the public to see them.
placed visible signs showing that CCTV is in operation.
a limited number of authorised persons that may access the recorded images from the CCTV system, which are securely stored. The recorded images are held for 28 days and with the exception of law enforcement bodies and/or investigation of possible breaches of the law, images will not be provided to third parties.


Policy review

The policy is to be reviewed on an annual basis or at such time that the General Data Protection Regulations is amended.

Appendix i: Privacy statement

When you request information from LGCL, sign up to any of our services or buy things from us, LGCL obtains information about you. This statement explains how we look after that information and what we do with it. We have a legal duty under the General Data Protection Regulations to prevent your information falling into the wrong hands. We must also ensure that the data we hold is accurate, adequate, relevant and not excessive. Member’s email address and/or telephone numbers may be given to other current members of the club for the purposes of

facilitating activities pertaining to the club, where the information is not currently available on the member’s directory via the club website.

Normally the only information we hold comes directly from you. Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need. You do not have to provide us with any additional information unless you choose to. We store your information securely on our member management system, we restrict access to those who have a need to know, and we train our staff in handling the information securely. We may also like to contact you in future to tell you about other services we provide.


You have the right to ask us not to contact you in this way. We will always aim to provide a clear method for you to opt out. You can also contact us directly at any time to tell us not to send you any future marketing material. You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you). To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer at LGCL. There is a charge of £10 for a copy of your data (as permitted by law). We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days


Identification of System Usage

Users of the Intelligent Golf system, which is used at Castletown Golf Links by the following entities and for the below purposes include:

Langness Golf Course Limited (LGCL) – where the system is used for: membership maintenance, visitor maintenance, EPOS (Point of Sale) reporting use (to manage Members’ Card Balances), website maintenance and other operational requirements.

Charlie Simpson Golf (CSG) – where the system is used for: membership maintenance, visitor management, communications, operational requirements and EPOS (Point of Sale) requirements.

Castletown Golf Club Limited (CGC) – where the system is used for membership matters including competition management and handicap management.

Number19 Limited (No19) – where the system is used for EPOS (Point of Sale) requirements, events management and member/visitor relations.



User Responsibilities


User IDs and passwords help maintain individual accountability for system usage on the Club Management Software (provided by Intelligent Golf). Any employee or person authorised by LGCL, CSG, CGC and No19 to work on the system for membership maintenance or other business related purposes, who obtains a password or ID for any of these resources must keep that password confidential, except for any instance required by authorized technical support staff to solve a computer related problems.


If an employee/member of any of the above named entities is logged into a computer with their username and password, they must ensure that they log out prior to leaving their computer unattended. This is to prevent unauthorised access to information held on the system.


Copies of personal private information residing on the Intelligent Golf system should not be made and kept outside of the Intelligent Golf system to avoid potential security breaches.


Logging into a computer system with your personal ID and password and then allowing another user to work on the network bypasses these security procedures and is not permitted. Each user that gains access to the member management system MUST have signed this agreement BEFORE using any of the systems.


Authorised users of the system are encouraged to undergo basic training including avoiding online scams; online safety, security and fraud; etc. for free via the following link: https://www.digitaldrivinglicence.barclays.co.uk/partners/manx-it-education/ (Useful modules are included to assist with upskilling)

Watch the GDPR Webinar presented by Intelligent Golf: https://intelligentgolf.webinarninja.com/webinar/23537?tok_reg=12f76538-4653-45d7-ad71-f8983a14df79-14102512

Users agree not to give out members’/users’ personal information according to the Isle of Man Information Commissioner guidelines and that individuals will be held personally responsible for breaches that occur as a direct result of their negligence. For further information on Data Protection view the following link: https://www.inforights.im/media/1040/data-protection-the-basics-traning-guides.pdf together with an overview at: https://www.gov.im/about-the-government/data-protection-gdpr-on-the-isle-of-man/data-protection-for-businesses/






Created by intelligentgolf version 10.1.2
CONGU® is Copyright Council of National Golf Unions.