This information, created by The Kennel Club's data protection team, provides guidance on the data protection legislation (UK GDPR and Data Protection Act 2018). We wish to address any confusion around the application of the data protection legislation to the usual activities of a club or society, and, in particular, the need to obtain consent.
You do not have to follow this guidance; our intention is merely to keep matters as simple as possible.
The principles of protecting data have not changed. However, there is now a need to demonstrate compliance to a greater extent, and so we are providing some of the main tools a club or society will need, namely:
- a data audit template, to record who/what/why/when and where you may process data
- a privacy notice template, to inform members/judges and exhibitors/competitors as to how data is used
The EU GDPR came into effect on 25 May 2018. After Brexit, the UK incorporated the EU GDPR requirements into UK law via the UK GDPR (and existing Data Protection Act 2018) but there may be further changes.
Whilst there are compliance issues to address, the principles of data protection remain broadly as they are now.
1. Data protection principles for processing data
- Lawful/fair and transparent
- Accountable; demonstrate compliance
- Purpose limited
- Adequate/relevant/limited data
- No longer than necessary
- Data security: technological and other protection against breaches, notification of breaches, and planning for them
To some extent, registered clubs and societies are likely to have fairly limited data processing activities. The first step is to assess the data processing activities. The five Ws are a good place to start with a data mapping exercise.
This will actually be beneficial in helping to secure compliance under the new data protection law. It is important that the registered club or society knows what it does with data. The data map will then help develop an information notice which will serve as the rationale and legal basis for processing data – a requirement under the data protection legislation.
A club or society needs to complete an overview of how it handles data by asking five key questions:
- Why? - The purpose/reason for holding data
- Who? - Whose data are you holding?
- What? - What data is being held?
- Where? - Where is the data being held?
- When? - For how long is the data held?
If your club has any queries or wishes to ‘walk through’ a data mapping document, please email the data protection team.
2. More information about the data protection legislation
The aim of GDPR is to remove uncertainty and bring consistency and harmonisation in data protection throughout the EU, and to make data protection important and to embed it throughout organisations.
It will not be affected by Brexit: in order to exchange data and trade with the EU, the UK will maintain adequacy status (its data protection legislation providing at least equivalent data protection requirements to the GDPR).
The legislation applies only to personal data of “natural persons” i.e. living individuals.
3. Lawful bases of data processing
At least one of the following conditions is required for the processing or storing of personal data to be lawful:
- Consent of the data subject:
  - Freely given, specific, informed and unambiguous
  - If processing for multiple purposes: specific, granular, unbundled
  - Consent must be affirmative – silence or inactivity does not constitute consent; it requires ‘opt-in’ rather than ‘opt-out’
  - Written consent must be clear, intelligible and easily accessible
  - Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it
- Necessary for the performance of a contract:
  - Or steps preparatory to such a contract
- Necessary for compliance with a legal obligation
- Necessary to protect the vital interests of the data subject
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Necessary for the purposes of legitimate interests:
  - Where there is a valid legitimate interest in processing an individual’s data, e.g. for purposes directly related to the purpose for which it was collected
  - The individual should reasonably expect their data to be used in this way
  - A balancing test is required; legitimate interests can be overridden by the interests or fundamental rights and freedoms of the data subject
4. Data subject rights
The data protection legislation confirms and expands the rights in current data protection law:
- Right to withdraw consent:
  - It must be as easy to withdraw consent as to give it
  - Individuals must be able to withdraw their consent at any time
- Right of access:
  - To confirm if and how an individual’s personal data is processed, and to provide a copy of the data if an individual makes a subject access request
- Right of rectification:
  - To rectify inaccurate or incomplete personal data
- Right of portability:
  - For an individual to have data transferred to another data controller
  - This right is limited and only applies in specific conditions
- Right to object:
  - Individuals can object to specific types of processing
  - These are: direct marketing; processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority; and processing for research/statistical purposes
- Right of restriction:
  - In certain circumstances an individual can request that their data be stored but any further processing restricted, e.g. whilst a complaint is being resolved
- Right of erasure:
  - Except in certain circumstances, individuals can require data to be erased where there is a problem with the underlying lawfulness of processing or where consent is withdrawn
- Automated decision making:
  - Individuals have a right to be informed of the existence of automated decision making, including profiling, and the anticipated consequences
  - Individuals have a right not to be subject to automated decision making, except where necessary for a contract, authorised by law or based on consent
- Right to lodge a complaint with the ICO
5. Personal data breaches and reporting
A personal data breach will include the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
There is a strict, short time limit: the ICO must be notified of the breach without undue delay and no later than within 72 hours.
Reporting is only required where there is a risk to the rights/freedoms of data subjects. However, the risk is wide ranging, so consider reporting any suspected breaches.
6. Publishing personal data
The data protection framework requires that personal data is processed lawfully, fairly and transparently. Processing personal data requires one of the six lawful bases for doing so, based either on necessity or on consent.
The key question to ask – is it necessary or do I need consent?
By and large, the usual activities undertaken by a club or society will include transactional administration relating to membership and licensed event management.
If a function is necessary then it is not likely that consent will be the appropriate basis to use; to rely on consent may mean that if someone has the option to say no this could interfere in the normal and necessary processes of ordinary club business.
However, if the activity is not necessary then the member should be given choice and control over the data processing, and active consent needs to be given. Consent is a lawful basis; it is not better or more important than any other lawful basis. Consent may not always be the appropriate lawful basis to use for all the activities conducted by a club or society.
The most likely lawful bases for processing personal data will be:
- Contractual necessity: where the processing is necessary for the performance of the club membership contract. Clubs and societies will need to collect, process and store members’ data in order to provide and manage membership services, including transactional communications.
- Legitimate interests (necessity): activity related to membership which members might reasonably expect – such as newsletters, invitations and information about club events and so on. The publication of a judges list is necessary in order to promote judges for selection for appointments by those looking for judges for their events. If the data processing is considered necessary for the legitimate interests of the data controller then this must be balanced against the interests of the data subject, and the option to opt out of such processing must be allowed for (which is different from the stringent requirement for an active, specific and granular consent).
- Consent: there is some confusion over when consent is needed for processing personal data, particularly publishing personal data. Consent will generally be required for unsolicited electronic marketing (because the Privacy and Electronic Communications Regulations (PECR) require it), for processing sensitive data, and for transfers of personal data to jurisdictions where there is no equivalent data protection regime. It is not the default basis for processing personal data.
The purpose, context and extent of the personal data published are all factors in determining how and to what extent personal data should be shared widely in the public domain.
To be transparent the members/judges/exhibitors/competitors need to be aware of how data will be used. This can be achieved with just-in-time notices (at the point you collect the data) and a Privacy Notice to explain how and why personal data is collected, processed and stored; this can be included on a club/society website and/or available to new members/on renewal of membership, to judges on appointment and in all other appropriate circumstances.
The publishing of members’ details (such as in a year book) is probably not strictly necessary.
There are also modern risks in the shape of identity fraud and cyber-crime, which means that openly sharing data with unknown third parties presents a risk – especially online.
Publication of membership details such as in a year book is likely to need consent.
Therefore, for new members and on renewal of membership it is suggested that members are asked whether they wish to be included within the year book (and to what extent in terms of details to be published). It is also suggested that a year book includes a disclaimer to direct that the information within the year book should not be widely shared or disclosed to a third party.
This is to help ensure that personal data which is published for one purpose is not inadvertently or deliberately used for other purposes for which there is no consent or legitimate interest necessity (and as such has not been notified to the data subject) e.g. use of a membership list for global marketing/political or lobbying purposes.
It is necessary to promote judges for availability for appointments (so consent may not be needed for publication in a judges’ list), but it should be made clear in the privacy notice that the judge will be included and published in a club/society’s listing. It is important to provide the option for a judge to opt out and/or to withhold contact details from being published.
Consideration needs to be given to the extent of the data which it is necessary to publish: a judge’s name, credentials etc. and a way in which to contact the judge. It is suggested that full contact details do not need to be published and that publishing them carries risk, e.g. publishing email addresses online exposes the judge to phishing.
7. Membership lists
A club processes personal data about its club members for a range of purposes. These should be outlined in a Privacy Notice.
Data will be processed in the main on the basis of this being necessary for the performance of a contract between the Club and the individual, necessary for the club’s “legitimate interests” or, on occasion (but rarely, overall) relying on the individual’s consent.
Members provide contact details upon joining and renewal of their membership. Members’ names may be listed in a yearbook as the membership has a right to know who their fellow members are.
A member should be able to indicate the extent of publication of contact details (address, email and telephone number – all, some or indeed no detail at all) and members must be free at any point to vary what is published from all, some or no contact details.
An individual member may want to contact another member but it is not expected by members that another member would contact everyone globally, at least, not without referring to the Club as to whether it was appropriate to do so.
Rules for use of membership list
It is helpful to have a set of ground rules for use of the published membership list so that expectations, legitimate use and purpose are clear. These rules could, as a minimum, place limits on mailing frequency.
The rules can also specify that:
- The membership list is primarily intended for day-to-day contact of members by the club
- Other members may do so on a ‘one to one’ basis
- If other members want to contact the whole membership list or groups, then publication rules apply:
  - Make it clear who the sender is
  - Make clear it is not an official or endorsed club communication (no connection/association with the club)
  - Nothing offensive
  - No harassment
  - No defamation of any individual or of The Kennel Club
  - No more than xx a year
  - No selling – dog related or otherwise
  - Preferably only by post, not by email – therefore avoiding possible challenge as an unsolicited contact by email for ‘marketing’ (dissemination of views)
8. Club documentation management
The data protection legislation does not prevent clubs and societies processing personal data for the club’s purposes, where justified by a lawful basis. As such, for security and compliance, only the club’s current authorised officers should have control of personal data. Former officers must pass access/control of this data to current officers upon any change in personnel.
As regards securely storing/processing membership and other personal data, the ICO guidance states:
The data protection legislation does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the costs of implementation, as well as the nature, scope, context and purpose of your processing.
It also states:
The security measures you put in place should seek to ensure that:
- the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
- the data you hold is accurate and complete in relation to why you are processing it; and
- the data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
For clubs and societies we would take this to mean that only authorised officers should have control of the information and that it should be backed up somewhere, to ensure appropriate security.
9. Advice on suspicious communications
It is an unfortunate fact of our digital life that during the pandemic and in these post-pandemic times there has been a rise in "phishing” attacks via email, "smishing" attacks via text message and fraudulent telephone calls being made in attempts to extract financial information.
We wanted to remind you that it is important to stay alert and vigilant and we provide some tips below which may help you to recognise any such attempt.
Phishing and smishing
Phishing and smishing attacks are customised emails or texts that can be made to look like they are coming from a recognised or official trusted individual or organisation. Responding to or clicking a link in these messages may compromise your privacy or your financial information, or install malware on your device.
Here are some "red flags" that an email or text message may be fraudulent:
- It is unexpected and requires immediate, urgent action (such as 'within 24 hours' or 'immediately')
- It may threaten you with fines or other negative consequences
- It is from an address or phone number you do not recognise
- It is poorly written with strange spelling, syntax, or grammar
- It is asking you to perform unusual actions (such as sending money)
- It is claiming to be from someone official such as a bank, HMRC, a solicitor, or a government department
- It is offering something in short supply – fear of missing out on a good deal or opportunity can make you respond quickly
- It may exploit current news stories, big events or specific times of year (like tax reporting) to make the scam seem more relevant.
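The red flags above can be turned into a rough screening check that a club officer (or a shared mailbox rule) could run before anyone acts on a message. The following is an added example, not part of The Kennel Club's guidance: the phrase lists, the "known senders" allow-list and the three sample messages are all constructed for illustration, and the scorer is deliberately crude, so it should prompt a human check rather than decide on its own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allow-list of senders the reader already knows (assumption:
# in practice this would be the club's own address book).
KNOWN_SENDERS = {"secretary@example-breedclub.org.uk", "+441234567890"}

# One crude pattern per red flag from the list above. The phrase lists are
# assumptions for illustration, not an official rule set; they produce
# false positives (e.g. "fine" as an adjective), which is acceptable for a
# check whose only job is to make someone stop and look twice.
RED_FLAG_PATTERNS = {
    "urgent_action": r"\b(immediately|within 24 hours|urgent(ly)?|right away|act now)\b",
    "threat": r"\b(fine[sd]?|penalt(y|ies)|legal action|account (will be )?(suspended|closed)|prosecut)",
    "unusual_action": r"\b(send money|transfer|wire|gift card|bank details|pin|password)\b",
    "impersonation": r"\b(hmrc|bank|solicitor|government|police|kennel club)\b",
    "scarcity": r"\b(limited (time|offer|stock)|only \d+ left|last chance|exclusive deal)\b",
    "topical_hook": r"\b(tax return|self.assessment|covid|pandemic|christmas)\b",
}

# Crude proxy for "poorly written": repeated exclamation marks, a space
# before punctuation, or a capital letter in the middle of a word.
POOR_WRITING = re.compile(r"!{2,}|\s[,.]|\b[a-z]+[A-Z][a-z]*\b")


@dataclass
class Verdict:
    flags: list[str]      # names of the red flags that fired
    suspicious: bool      # True once the number of flags reaches the threshold


def score_message(text: str, sender: str, known_senders: set[str] = KNOWN_SENDERS,
                  threshold: int = 2) -> Verdict:
    """Return the red flags raised by one message and whether it crosses the threshold."""
    flags: list[str] = []
    # An unrecognised address or number is itself one of the red flags.
    if sender.strip().lower() not in {s.lower() for s in known_senders}:
        flags.append("unknown_sender")
    lowered = text.lower()
    for name, pattern in RED_FLAG_PATTERNS.items():
        if re.search(pattern, lowered):
            flags.append(name)
    if POOR_WRITING.search(text):   # case matters here, so use the raw text
        flags.append("poor_writing")
    return Verdict(flags, len(flags) >= threshold)


def triage(messages: list[dict[str, str]]) -> list[Verdict]:
    """Score a batch of {"sender": ..., "text": ...} records in order."""
    return [score_message(m["text"], m["sender"]) for m in messages]


# Constructed sample messages (not real communications): a routine club
# notice, an email impersonating HMRC, and a smishing text.
SAMPLE_MESSAGES = [
    {"sender": "secretary@example-breedclub.org.uk",
     "text": "Reminder: the committee meeting is on Thursday at 7pm in the village hall."},
    {"sender": "alerts@hmrc-refund-portal.example",
     "text": "HMRC: You have a pending tax return refund. Confirm your bank details "
             "within 24 hours or a penalty will apply."},
    {"sender": "+447000000000",
     "text": "Your parcel is held. Pay £2.99 now: only 1 left , act now!!"},
]

if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        status = "SUSPICIOUS" if verdict.suspicious else "looks routine"
        print(f"{message['sender']:40} {status:14} {', '.join(verdict.flags) or '-'}")
```

A known sender does not exempt a message: a compromised or spoofed club address that asks for bank details "within 24 hours" still collects two flags and is marked suspicious, which matches the advice below to verify through a separate, known channel rather than trusting the address shown.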
If you receive an email or text of this nature purporting to be from an individual or organisation:
- Take a moment to stop and think before clicking a link or parting with any money/information; this could keep you safe
- Challenge and verify that the communication is genuine without replying – it is ok to initially reject, refuse or ignore any requests before checking; only scammers will try to rush or panic you
- Do not click on or reply to the message
- Do not complete any action requested in the message
- Contact the individual/organisation via their known/official contact details i.e. a method other than the communication you have received
- If a suspicious email/text appears to originate from The Kennel Club, please contact us via our official contact details
- If you are a club officer, notify your fellow club officers, if applicable, of the attempt in a separate email
- Report spam text messages to your mobile phone provider on a free of charge number
Please note The Kennel Club is unable to monitor and cannot control phishing emails or smishing texts sent to any clubs, judges, breeders or owners. This is true even when such emails appear to come from The Kennel Club. In such instances, the individual owner is the primary line of defence and must remain ever vigilant.
Advice on fraudulent telephone calls
Fraudsters may cold call pretending to be from a trusted organisation, e.g. a bank or a utility provider, and may refer to activities in which a person is involved (information which can be gleaned from websites) to instil a false confidence that the call is genuine.
There are simple steps to keep safe.
First, remember that banks and other financial bodies will never request bank account/card details by phone in an unsolicited manner. Such approaches will be fraudulent – you should not respond and you should never provide any bank card, bank account or financial details.
Banks and building societies will NOT do any of the following:
- Request the transfer of money to a new account for fraud reasons
- Phone to ask for bank card details, including the 4-digit card PIN, or online banking password, even by tapping them into the telephone keypad
- Request the withdrawal of money to hand over to them for safe-keeping
- Send someone to a home address to collect your cash, PIN, payment card or cheque book (in the event you are a victim of fraud)
- Make a request to purchase goods using a bank card and then hand the goods over for safe-keeping
If anyone is approached in this way then the following steps will help:
- If a suspicious approach has been made then you should call your bank to alert them and in order for them to secure your account if necessary
- Inform any payment touchpoint mentioned in the scam call (e.g. inform the breed club if a payment to a breed club is mentioned)
- A victim of a scamming phone call should report the fraud to Action Fraud (the police service for fraudulent activity)
Guidance & Advice on Suspicious Communications
The following links are the nationwide guidance and advice on fraudulent requests for banking details and individual cyber security.