York Advanced Motorcyclists

The Data Protection Policy for YAM is outlined below

1. INTRODUCTION 

This policy document provides a description and review of GDPR data processing and a framework of retention and disposal of categories of information and documents, thereby ensuring that York Advanced Motorcyclists (YAM - affiliated group to the IAM RoadSmart) meets our obligations in relation to data management. The implementation of these guidelines demonstrates the committment to the principles of data protection, including the principle that information is only to be retained for as long as necessary for the purpose concerned. 

Member’s data will be held under the principles of data protection; they are: 

(i) Accurate 

(ii) Securely held 

(iii) Used in Accordance with GDPR guidelines 

(iv) Retained 

(v) Destroyed 

2. ICO REGISTRATION 

YAM is (and will remain) registered as a Tier 1 category with the Information Commissioner’s Office (ICO). The YAM Data protection Officer name is registered along with the YAM registration. 

3. DATA ACQUISITION 

Upon registration with the IAM, the YAM member record is held on the DARTS (The IAM Roadsmart Database system). The DARTS allows for periodic extraction and download of members data by the groups and for members belonging to this group only. This data is used solely for communication purposes. 

3.1 Personal data download – list of fields , all of them from the IAM application form.

YAM Member ID, Surname, Forename, Title, Category (Full or Associate), Age, email address, Home telephone no, mobile telephone no, Address, Post Code, YAM reference no. 

This format is defined & controlled by the IAM RoadSmart DARTS system (the parent organisation); YAM have no control over this format. 

From this list of fields, the only ones that YAM retains are a minimum dataset. IAM Mem No, Surname, Forename, Category, email, Ref 1 (YAM Mem Id) and Ref2 (list of codes of the various groups that the member belongs to - Observer, Committee member etc.- These codes are for internal YAM use only. 

4. DATA STORAGE 

(i) No data is stored on paper. 

(ii) No data is stored on PC/laptop hard drives, mobile phones or portable tablet devices. 

The data is securely stored and protected in the form of Google Sheets in the industry-standard platform of the Google G Suite/ Secure Cloud Infrastructure. Access is controlled by the Data Manager’s administrative privileges and restricted via authenticated user id and strong password to the Data Manager, the Membership Secretary, the Group Secretary and the Data Protection Officer, all of which have a necessary and legitimate purpose for access. 

5. DATA SHARING 

The personal data will be shared with the IAM only (the parent organisation and the original source). YAM will NOT disclose or share any of this data with any third party, company or individual. The only exception will be in the case of a legitimate disclosure under a Freedom of Information (FOI) request. 

Data will be shared across the club’s officers for training purposes. 

6. DATA PROCESSING 

A weekly run sheet is created in electronic form containing the relevant details of that particular run: 

Date, destination, Observer Name (but not the personal details), role, Associate Name (but not the personal details) 

Once recorded onto the electronic system, the run sheet is destroyed. 

7. PAPER RECORD DESTRUCTION 

As no data is held on paper, there is no need to destruct 

8. RETENTION / DELETION 

The key principle behind Data Retention is that Information is only to be retained for as long as necessary for the purpose concerned. 

(i) Personal data 

By the very nature of the perpetual/real time data download from the IAM DARTS system the YAM secure storage holds only current YAM (IAM group no 4229) members’ minimal data at any given time. The extraction is activated periodically by YAM’s membership secretary and replaces the previous version, thus ensuring that only current data is extracted. As members are transferred to other groups or leave the IAM for whatever reason the latest extraction contains only current YAM members and previous members’ data is deleted at source ; there is therefore no need or means for deletion at a local level. 

(ii) Historical run sheet data 

As stated in the GDPR principles historical data retention (5 years) is permitted for performance management or statistical purposes so that their use is deemed necessary. 

The run sheet information (containing names but NOT personal data - meaning that the data is desensitised and no reference can be made to the member’s personal details) forms an integral part of YAM’s operation, essential in order to perform its function. 

Examples of reasons for keeping historical run sheet information (the list is not exhaustive):  

(i) Number of runs per observer per year (so that they maintain their observer status) 

(ii) Observer who undertook the progress check for a particular associate failing test. 

(iii) Number of runs on average for associate to take test (may scan over two calendar years) 

(iv) Observer names (usually more than one) who trained a particular associate 

(v) The ratio of normal observing runs to development training 

The training records of non-active observers will be deleted in line with GDPR / IAM requirements