It is a requirement of the Association that all members must be committed to protecting and respecting the privacy of each other and any non-members whose information they have the need to see and use.
This policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others, how we keep it safe and secure, and everyone's rights and choices in relation to their information.
Any questions regarding this policy and our privacy practices should be sent by email to firstname.lastname@example.org, or in writing to the CXX Association Secretary, c/o OC Lossiemouth Transition Team, MacQueen House, Royal Air Force, LOSSIEMOUTH, IV31 6SD, UNITED KINGDOM.
Who are we?
The CXX Squadron Association is formed of members united under a Constitution to a common aim, with administrative responsibilities carried out by an annually-elected Committee of its members.
In this policy ‘the Association’, ‘we’, ‘us’ or ‘our’ means the CXX Squadron Association.
What are our four golden rules for dealing with information?
As a non-profit organization we adhere to four golden rules for dealing with information:
- We will process only information necessary to establish or maintain membership or support; or where necessary to provide or administer activities or services for people who are members of the organization or have regular contact with it;
- We will hold only information about individuals whose data we need to process for this purpose;
- The personal data we process is restricted to personal information that is necessary for this purpose;
- We will keep the information only while the individual is a member or supporter, or as long as necessary for member/supporter administration.
All members of our Association must commit to upholding these golden rules. Further details on how and why we do this are explained in the rest of this policy.
How do we collect information?
We obtain information in the following ways:
Information people give us directly
For example, we may obtain information about when people apply to join the Association, update their personal details using our website or in writing, take part in one of our events, make a donation, make a purchase from our shop, or other ways.
Information we receive indirectly
Information may be shared with us by third parties, which might include:
- An organization giving us personal details so we can request access to a restricted site for a certain event.
- Organizations acting on our behalf who provide us with technical, payment or delivery services, analytics providers and search information providers.
When people visit this website
We, like many organizations, automatically collect the following information:
- technical information, including the type of device being used, its IP address, browser and operating system being used to connect the computer to the internet. This information may be used to improve the website experience, the services we offer, and provide protection from malicious attacks.
- information about visits to our website, for example we collect information about pages people visit and how they navigate the website, i.e. length of visits to certain pages, products and services viewed and searched for, referral sources (e.g. how visitors arrived at our website).
When people interact with us on social media platforms such as our secret Facebook group we may obtain information (for example, when people publicly tag us or other members in an event photo). The information we receive will depend on the privacy preferences people have set on those types of platforms.
We supplement information with information from publicly available sources when we think there will be a mutual benefit to the Association and the person. For example, if someone publicly states that they were a former member of 120 Squadron, we may note that the person would be eligible to be granted Full Membership of the Association.
What type of information is collected?
The personal information we collect, store and use might include:
- name and contact details (including postal address, email address and telephone number);
- information about activities on our website and about the device used to access it, for instance the IP address and geographical location;
- bank or credit card details. If people make a payment online, their full card information is not held by us, it is collected by our third party payment processors, who specialize in the secure online capture and processing of credit/debit card transactions. However, our systems may retain reference numbers and redacted payment information sufficient to cross-reference payments with our specialist payment processors.
- information as to whether people are UK taxpayers in case we wish to reclaim gift aid in the future; and
- any other personal information shared with us.
Data protection laws recognize certain categories of personal information as sensitive and therefore requiring greater protection, for example information about health, ethnicity and religion.
We do not usually collect sensitive data unless there is a clear and valid reason for doing so and data protection laws allow us to. For example, we may collect information about health if we are arranging an event that some people might find it difficult to participate in, such as arranging an aircraft visit that involves climbing up ladders or airstairs; similarly, we may collect information about religion if attendees specify certain dietary requirements for a meal we are organizing.
How and why is personal information used?
We may use personal information for a number of different purposes, which may include:
- providing the services, products or information people asked for;
- processing orders that have been submitted;
- carrying out our obligations under any contracts entered into;
- keeping a record of individuals' relationship with us;
- conducting analysis and market research so we can understand how we can improve our services, products or information;
- checking for updated contact details against third party sources so we can stay in touch if people move;
- dealing with entries into a competition or auction;
- seeking views or comments on the services we provide;
- notifying people about changes to our services;
- ensuring the safety of attendees at events;
- sending communications which people have requested and that may be of interest to them. These may include information about events, merchandise, and both Squadron and Association business; and
- processing membership applications.
How long is information kept for?
We keep information for no longer than is necessary for the purposes it was collected for. The length of time we retain personal information for is determined by operational and legal considerations. For example, we are legally required to hold some types of information to fulfil our statutory and regulatory obligations (eg health/safety and tax/accounting purposes).
We review our retention periods on a regular basis.
Who has access to information?
All information we have is stored securely and made available only to those who need it for a particular task.
We do not sell or rent information to third parties.
We do not share information with third parties for marketing purposes.
However, we may disclose information to third parties in order to achieve the other purposes set out in this policy. These third parties may include:
Third parties working on our behalf: We may pass information to our third party service providers, suppliers, agents, subcontractors and other associated organizations for the purposes of completing tasks and providing services to on our behalf (for example to process donations or generate seating plans and dietary requirements lists). However, when we use these third parties, we disclose only the personal information that is necessary to deliver the services and we have a contract or equivalent arrangement in place that requires them to keep information secure and prevents them from using it for their own direct marketing purposes. Please be reassured that we will not release information to third parties for them to use for their own direct marketing purposes, unless we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
Data protection law requires us to rely on one or more lawful grounds to process personal information. We consider the following grounds to be relevant:
Where people have provided specific consent to us using their personal information in a certain way, such as to send emails, texts, telephone and/or social media communication.
Performance of a contract
Where we are entering into a contract or performing our obligations under it, such as when people buy CXX Association merchandise and services.
Where necessary so that we can comply with a legal or regulatory obligation to which we are subject, for example where we are ordered by a court or regulatory authority.
Where it is necessary to protect life or health (for example in the case of medical emergency suffered by an individual at one of our events) or a safeguarding issue which requires us to share information with the emergency services.
Where it is reasonably necessary to achieve our or others’ legitimate interests (as long as what the information is used for is fair and does not duly impact individuals' rights).
We consider our legitimate interests to be running the CXX Association as a non-profit organization in pursuit of our aims and ideals. For example to:
- send postal, email or social media communications which we think will be of interest to individuals;
- conduct research to better understand who our supporters are to better target our fundraising;
- monitor who we deal with to protect the Association against fraud, money laundering, cyber attacks, and other risks;
- enhance, modify, personalize or otherwise improve our services or communications for the benefit of our members; and
- understand better how people interact with our website.
When we legitimately process personal information in this way, we consider and balance any potential impact on the individual (both positive and negative), and their rights under data protection laws. We will not use personal information where our interests are overridden by the impact on individuals, for example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
When we use sensitive personal information, we require an additional legal basis to do so under data protection laws, so will either do so on the basis of explicit consent or another route available to us at law (for example, if we need to process it for social protection purposes, individuals' vital interests, or, in some cases, if it is in the public interest for us to do so).
Fundraising and Marketing Communications
We may use individuals' contact details to provide them with information about the work we do to further the aims of the Association and opportunities to support us, as well as the products and services people can buy, if we think it may be of interest to them.
Email/text/phone/social media messaging
We will only send marketing and fundraising communications by email, text, telephone and social media messaging if people have explicitly provided their prior consent. Members may opt out of our marketing communications at any time by clicking the unsubscribe link at the end of our marketing emails.
We may send marketing and fundraising communications by post unless people have told us that they would prefer not to hear from us.
Everyone has a choice about whether or not they wish to receive information from us. If they do not want to receive direct communications from us about the work we do to further the aims of the Association or about the products and services they can buy, then they can select they choices by updating their preferences on our website or clicking the unsubscribe link on our emails.
We’re committed to putting everyone in control of their data so everyone is free to change their preferences (including to tell us that they don’t want to be contacted for marketing purposes) at any time by contacting us by email at email@example.com or post to the CXX Association Secretary, c/o OC Lossiemouth Transition Team, MacQueen House, Royal Air Force, LOSSIEMOUTH, IV31 6SD, UNITED KINGDOM.
We will not use personal information for marketing purposes if people have indicated that they do not wish to be contacted and will retain their details on a suppression list to help ensure that we do not continue to contact them. However, we may still need to contact them for administrative purpose, such as where we are processing a payment or thanking them for participation in an event.
We may analyse personal information to create a profile of members' interests and preferences so that we can tailor and target our communications in a way that is timely and relevant. We may make use of additional information when it is available from external sources to help us do this effectively. This allows us to be more focused, efficient and cost effective with our resources and also reduces the risk of someone receiving information they may find inappropriate or irrelevant.
We’re committed to putting members in control of their data so they are free to opt out of information being used in this way at any time by contacting firstname.lastname@example.org.
We may also use personal information to detect and reduce fraud and credit risk.
Under UK data protection law, individuals have certain rights over the personal information that we hold about them. Here is a summary of the rights that we think apply:
Right of access
Everyone has a right to request access to the personal data that we hold about them. They also have the right to request a copy of the information we hold about them, and we will provide them with this unless legal exceptions apply.
If anyone wants to access their information, they should send a description of the information they want to see and proof of their identity by post to the CXX Association Secretary, c/o OC Lossiemouth Transition Team, MacQueen House, Royal Air Force, LOSSIEMOUTH, IV31 6SD, UNITED KINGDOM.
Right to have inaccurate personal information corrected
Everyone has the right to have inaccurate or incomplete information we hold about them corrected. The majority of information we hold on members is available to be reviewed and directly edited on an individual's edit profile page on our website.
Right to restrict use
Everyone has a right to ask us to restrict the processing of some or all of their personal information if there is a disagreement about its accuracy or whether we are lawfully allowed to use it.
Right of erasure
Anyone may ask us to delete some or all of their personal information and in certain cases, and subject to certain exceptions, we will do so as far as we are required to. In many cases, we will anonymise that information, rather than delete it.
Right for personal information to be portable
If we are processing personal information (1) based on consent, or in order to enter into or carry out a contract, and (2) the processing is being done by automated means, anyone may ask us to provide it to them or another service provider in a machine-readable format.
Right to object
Anyone has the right to object to processing where we using their personal information (1) based on legitimate interests, (2) for direct marketing or (3) for statistical/research purposes.
Anyone wishing to exercise any of the above rights should contact us by email at email@example.com, or post to the CXX Association Secretary, c/o OC Lossiemouth Transition Team, MacQueen House, Royal Air Force, LOSSIEMOUTH, IV31 6SD, UNITED KINGDOM. We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt, however if we are unable to do so we will reply with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend people consult the guidance published by the UK’s Information Commissioner’s Office, https://ico.org.uk/.
Keeping information safe
When people give us personal information, we take steps to ensure that appropriate technical and organizational controls are in place to protect it.
Every item of information, whether classed as sensitive or not, is encrypted and protected by SHA-256 with RSA Encryption on SSL. By default every page on our website will seek to connect to the devices browsing it with a secure, encrypted link. A successful secure connection is usually denoted by a lock symbol on browsers.
We will normally transmit and receive emails unencrypted over the Internet. Although we take what steps we can to protect information sent this way, such as by staggering the transmission of mailshots and not putting multiple email addresses in the header to frustrate the harvesting of email addresses, this can never be guaranteed to be 100% secure. As a result, while we strive to protect personal information, we cannot guarantee the security of any information transmitted to us by unencrypted email, and individuals do so at their own risk. Where appropriate and a higher degree of security is desired, members should consider communicating sensitive information to committee members via the website's private messaging facility, which uses secure and encrypted connections. Once we receive information, we make our best effort to ensure its security on our systems. Members are responsible for keeping their own website password confidential, and we ask them not to share their password with anyone.
Use of 'cookies'
Links to other websites
Our website may contain links to other websites run by other organizations. This policy applies only to our website‚ so we encourage users to read the privacy statements on the other websites they visit. We cannot be responsible for the privacy policies and practices of other websites even if users access them using links from our website.
16 or Under
We are concerned to protect the privacy of children aged 16 or under. Anyone aged 16 or under must get their parent or guardian's permission before providing us with personal information.
We are committed to protecting vulnerable members, supporters, customers and volunteers and appreciate that additional care may be needed when we use their personal information. In recognition of this, we observe good practice guidelines in our interactions with vulnerable people.
Transferring information outside of Europe
The Association's primary server computers are in the UK. However, as part of the services offered through our website, the information which people provide to us may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen if any of the servers storing our secure backups are from time to time located in a country outside of the EEA. Website users should be aware that these countries may not have similar data protection laws to the UK. By submitting personal data, website users are agreeing to this transfer, storing or processing. If we transfer information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that privacy rights continue to be protected as outlined in this policy.
If people use our services while they are outside the EEA, their information may be transferred outside the EEA in order to provide them with those services. We undertake regular reviews of who has access to information that we hold to ensure that information is accessible only by appropriately trained staff, volunteers and contractors.
We may record the way that people use our website, such as typical paths through and time spent on each page. The information collected would not include bank details or any sensitive personal data. Any such data collected would be for the Association's internal use only. Any information collected may be used to improve our website usability and would be stored and used for aggregated and statistical reporting.
Changes to this policy
Any changes we may make to this policy in the future will be posted on this website so please check this page occasionally to ensure that you are happy with any changes. If we make any significant changes we’ll make this clear on this website.
What happens if someone does not agree to this policy?
Review of this Policy
We keep this policy under regular review. This policy was last updated in May 2018.