GDPR Policy

The following outlines the General Data Protection Regulation Policy for The Chartered Society of Forensic Sciences (CSFS) (Compliance From 1/1/2018)

The overarching principle is that

• All data collected and/or stored by CSFS is done so for the sole purposes of CSFS business and an individual’s relationship with CSFS. This will include, but is not limited to, membership communication, internal marketing of events, notification of publications, educational quality standards, CPD, CPD. Individual’s personal data will not be shared with a third party without prior written consent.
• No member of staff or council will share any personal data with a third party without the prior consent of the individual. This includes, but is not limited to Name, address, email address and phone details.
• All CSFS Staff will sign to consent form for their business email address, phone number and associated business contact details to be circulated for the sole purposes of CSFS business.
• All CSFS Trustees must agree to allow CSFS Staff to freely use their business contact details but do not agree that they are circulated to external third parties without prior consent on a case by case basis, Trustees to avoid using their own personal details for business correspondence.
• CSFS Division Chairs, Committee members and Assessors must agree to allow CSFS Staff to freely use their business contact details for the sole purposes of CSFS business but do not agree that they are circulated to external third parties without prior consent on a case by case basis.

Data Storage

• From January 2018 CSFS will not retain any paper files of personal data, except for financial transactional data.
• The CSFS will carry out a full IT security audit biannually in collaboration with ASE their specialist IT support contractor
  • Where financial transactional data is retained onsite it will be stored in a locked filing cabinet inside a locked room where access is restricted to the CEO, PA to the CEO and the Financial administrator. The data is treated as confidential and is only shared with authorized personal.  Authorised personnel include, CSFS treasurer, the finance committee members, financial administrator and accountant.
  • Financial transactional data from previous financial years will be held off site in a secure locked building for 7 years within a secured locked room which only CSFS staff have access to. harrogateselfstorage.co.uk/
  • After their expiry any paper records will be destroyed by a registered company authorized to dispose of confidential waste at least once per quarter. http://www.russellrichardson.co.uk/downloads.php
  • Financial information for online payments are not held by CSFS and are all managed by Sagepay, CSFS hold none of this payment information.
  • When processing financial information by telephone staff taking the call must not write down or record any of the information given to them except in the designated boxes in the Sagepay payment terminal. They must not repeat back any card details and if they require clarification they will ask the caller to repeat the details.  The transaction should not be processed on speaker phone
  • Members who elect to pay by Direct Debit have their bank account and sort code held against their memberbase record. This information should only be inputted by the CEO or financial administrator.  This data should not be disclosed under any circumstances.  If and when the member resigns or cancels their direct debit the financial information will be removed
• The CSFS electronic membership database, memberbase is hosted and maintained by Senior Internet Ltd. senior.co.uk/Contact.
  • No PC or workstation shall be left unmanned without a suitable password protected screen saver. All PCs and workstations should be closed and password protected overnight.
  • All Staff should use only their own login to access PCs and membership databases and not share their login details with others.
• In order to show compliance to the General Data Protection Regulations all staff will carry out a one hour online training program and sign to agree that they understand the implications. (Signing log attached), they will also sign this policy to show they have read and understand their responsibility to personal data.
• From January 2018 the CEO, PA to the CEO and the membership administrator will meet quarterly to conduct a GDPR audit to ensure full compliance, audit log attached.
• All staff have signed as part of their contract of employment a confidentiality clause.

Membership

• On joining the Society each member must be told that the CSFS will not under any circumstances use their data for any other purpose than for processing and marketing of the Society and membership deliverables. The data will not be circulated to third parties unless members they give their prior written consent. This is made clear at the beginning of the application process and on every monthly newsletter.
• From time to time the Society is approached to circulate relevant matters on behalf of third parties, this is managed from the Societies offices and the details are not circulated for any purpose, on joining the Society members can opt out of third parties mailers.

Data Rights

• The data held by CSFS can only be as accurate as the information supplied to CSFS. It is the responsibility of the individual to ensure their data is accurate.
• Once an individual’s relationship with CSFS has become inactive their personal data will be retained electronically for 3 years before deletion.
• An individual may at any time request the removal of their personal data by contacting membership@csofs.org. It should be noted that the removal of all personal data (including email contact details) will result in CSFS no longer being able to carry out the processing of the Society and membership deliverables.
• An individual may at any time raise a concern by contacting membership@csofs.org. For further details on your rights visit https://ico.org.uk/for-the-public/

GDPR Policy