The Port and Haven of

A Trust Port  Managed  by the Sandwich Port and Haven Commissioners under Acts of Parliament

SITE MAP

Site Map

Sandwich Port and Haven

DATA PROTECTION POLICY

With acknowledgement for material used to the Information Commissioners Office at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/


PREAMBLE

Definition:  ‘Haven’ means the same as harbour or port.

From 25th May 2018 new Data Protection laws will come into force and will be known as the General Data Protection Regulations (GDPR).  Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA).  The changes will bring unity with European law.

Included in the new legislation are laws that will;

 make it simpler for people to withdraw consent for their personal data to be used,

 let people ask for data to be deleted,

 require firms to obtain "explicit" consent when they process sensitive personal data,

 expand personal data to include IP addresses, DNA and small text files known as cookies,

 let people get hold of the information organisations hold on them much more freely, and…

 make identifying people from anonymised or pseudo-nonimysed data a criminal offence.

This places a strong burden on firms to protect data and allows for significant fines if they fail to protect information or suffer a breach.

So who does the GDPR apply to?

 The GDPR applies to ‘controllers’ and ‘processors’. 

 A controller determines the purposes and means of processing personal data.

 A processor is responsible for processing personal data on behalf of a controller.

 If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

 However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

 The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.


PRINCIPLES

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Article 5 of the GDPR requires that personal data shall be:


“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Article 5(2) requires that:

“the (data) controller shall be responsible for, and be able to demonstrate, compliance with the principles.”


DAY to DAY – Sandwich Port and Haven – a Trust Port.

The Sandwich Port and Haven Commissioners (SP&HC) will hold sensitive information for all persons owning craft on The Haven, the Haven limits as defined by the Principle Act of Parliament of 9th July 1847.  This information will be for the purpose of the management of The Haven, the craft thereon and the payment of Dues / Conservancy Fees – commercial and recreational.  That information will include a vessels owners name, address, telephone numbers, email addresses, vessels name (mandatory) and location of that vessel along with insurance particulars (mandatory. All craft MUST be insured whilst in the Haven).  As technology progresses other forms of information may become available and commonplace – we already have Facebook, Twitter and LinkedIn, though the SP&HC do not use these means of communication. Neither do they support blogging.

DAY TO DAY EXCEPTION

An exception to the above paragraph is made for the Sandwich Sailing and Motor Boat Club (SSMBC) where The Club act as agents in the collection of Dues / Conservancy Fees.  As such they alone shall hold the data and information pertaining to all members with a vessel afloat upon the waters of The Haven.  Club members will not be denied the opportunity of lodging their particulars with the SP&HC,  in the interests of boat security / Harbour Master patrols and the general boating community that is Sandwich Haven – should they so wish.


DATA PROTECTION

– PORT AND HAVEN REGISTRATION WITH THE INFORMATION COMMUNICATION OFFICE

The Sandwich Port and Haven Commissioners do not need to register as revealed by the ‘Do I need to Register’ online questionnaire as follows:

1. Do you use CCTV for the purposes of crime prevention?

No.

Are you processing personal information?

Yes

Do you process the information electronically?

Yes

Is your organisation responsible for deciding how the information is processed?

Yes

Do you only process information for one of the following purposes?

Judicial functions;

domestic or recreational reasons (ie information relating to a hobby); or

to maintain a public register (ie you are required by law to make the information publicly available).

No

Are you a not-for-profit organisation that qualifies for an exemption?

Answer ‘Yes’ if your organisation was established for not-for-profit making purposes and does not make a profit. Also answer ‘yes’ if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:

only process information necessary to establish or maintain membership or support; 

only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it; 

only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and

only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

Yes

RESULT

You are under no requirement to register

Some not-for-profit organisations are exempt and based on the information you have provided you do not have to register with the ICO.

SP&HC use your personal information ONLY in connection with your accounts and records. Which for leisure users of The Haven means that, in processing that information, the SP&HC are processing data consequent of your hobby.  Also if the need arises in connection with the safety and security of your vessel – usually in an emergency situation –  is a part of the function of this Trust Port as an included service to vessel owners and their hobby.


THE POLICY


It shall be The Policy of the Sandwich Port and Haven Commissioners – the Data Controllers – to gather, retain and use personal information of owners of vessels afloat upon the waters of The Haven, and of its suppliers in connection with the administrative work of The Haven.  The administrative information so gathered for vessel owners will be retained for as a long as a particular owner keeps a vessel in The Haven – and then for six years after arrival beyond that.  Then any remaining time up to the commencement of the next financial year being April 1st.  Total possible time for data retention therefore amounting to seven years.   This to take account of the nature of boating where vessels not infrequently return as residents or visitors, and is consistent with the data retention of SP&H nearby harbour of Ramsgate.  The electronic information will then be deleted and any paper records shredded.  An exception will be for Judicial reasons – infringement of Byelaws and the like – when personal records will be held for ten years.

The Sandwich Port and Haven Commissioners through this Policy will adhere to the following Principles:


1) Fair and Lawful. The data / information held will be for the sole purpose of administering vessels owners, businesses and clubs, suppliers to The Haven and others that may from time to time arise – and then only for the Lawful running of this Trust Port.  Also for the lawful employment of two employees being the Harbour Master and the Clerk to the Commissioners.  Personal data will not be shared with any other organisation / person unless in connection with crime or some sort of incident involving emergency services.

2) Purposes. The receipt of information provided shall be solely for the purposes of Port and Haven administration.  Persons unwilling to provide adequate vessel and personal data / information will be required to leave forthwith.

3) Adequacy. The information shall be sufficient to manage an account and no more, ‘designing in’ a minimalist  strategy.

4) Accuracy. The information will be as accurate as a vessel owner, supplier, employee, etc. provides.  It shall be the provider of that information responsibility to ensure it is correct and updated to the SP&H when changes occur.  Requests for information held will not be denied, upon reasonable notice being given.

5) Retention. For vessel owners, data / information will be held for six year after arrival plus the time remaining up to the end of the then current financial year.  For suppliers and business’s connected with The Haven retention will be ongoing until such relationships cease when retention will be for three years.  Employee data will be held for seven years beyond the date of their departure.

6) Rights. The GDPR includes the following rights for individuals:

I. the right to be informed;  Vessel owners are informed of goings on around the Haven by way of Notices to Mariners (NtM) posted on the Town Quay notice board and on the comprehensive website.

II. the right of access;  See 4 above.

III. the right to rectification;  See 4 above

IV. the right to erasure;  See 5 above.  In certain circumstances a person may request their data be erased – the right to be forgotten.  The request will be refused if there are outstanding fees or other problems with their vessel of interest of / to the Haven.

V. the right to restrict processing;  Processing shall be minimal sufficient only to administer a particular account.

VI. the right to data portability; N.A

VII. the right to object; and  All users of The Haven shall have the right to object to information / data concerning them to be held by the SP&HC.  However given the minimalistic amount of data held removal will prevent management of their account.  Accordingly such a request will be deemed a notice to immediately depart The Haven.

VIII. the right not to be subject to automated decision-making including profiling.  SP&HC do not operate such systems.

7) Security.Sensitive electronic information is held off site by the Clerk to the Commissioners.  Paper copies of information – such as it may be – is securely held in filing cabinets in the fortified ancient town gate the Fisher Gate.  Along with  one hundred years worth of archive material.

8) International.   N/A

9) Conditions for processing.  Vessel arrival / departure notified by Harbour Master to The Clerk for recording and raising of invoice if applicable.  Thereafter deletion of that record at the aforementioned time interval after departure.

10) Exemptions. Exemptions shall apply for the Police, emergency services and Customs / Immigration – among others such as commonality between persons of recreational / hobby activities.

11) Complaints. If unresolved with The Clerk, shall go before a meeting with two Commissioners convened for the purpose.

12) Anonymisation. This is an email sending issue.  Emails using a persons name are particularly vulnerable.  Accordingly any bulk emails will be sent using the BCC facility or a vulnerable email address sent separately.  SP&HC do not as a rule use bulk email sending anyway, so anonymisation is very low risk.

13) Big Data.  N/A

14) CCTV.   N/A

15) Data Sharing.  N/A

16) Employment.  Two employees. See 1 above.

17) Online and apps.  N/A

18) Privacy by Design. Electronic Data held off site secured behind passwords.  Operation of a simple minimalist data system by design / intent, and offsite homing of electronic data at an unspecified address.


Signed  28th March 2018



Robert L H Holden

Chairman -- Sandwich Port and Haven Commissioners.


Site Map

Click here to go to the Site Map