Our website uses cookies so that we can provide a better service. Continue to use the site as normal if you're happy with this, or find out how to manage cookies.
X

Data
Protection

1 - Introduction
2 - The Data Protection Act 1998
2.1 - The Principles for Good Information Handling
3 - Background
3.1 - Why does MSA collect and hold Data?
3.2 - The Data Subject
3.3 - Data Processing
3.4 - Data Protection Officer
4 - The Data Protection Principles
4.1 - Data to be Fairly and Lawfully Processed
4.2 - Data to be Processed for Limited Purposes
4.3 - Data to be Adequate, Relevant and not Excessive
4.4 - Data to be Accurate
4.5 - Data not to be kept for longer than is necessary
4.6 - Data Processed in line with the data subject’s rights
4.7 - Data to be Secure
4.7.1 - Access Control for HQ Systems
4.7.2 - Access Control for Clubs, Stewards and Officials
4.7.3 - Use of Data
4.7.4 - Release of Data
4.7.5 - Data Backup

Appendix A - MSA Data Protection Statement
Appendix B - Application Form, etc. Text (including Web Applications)
Appendix C - MSA Web Site Privacy Statement
Appendix D - Licence/Membership Department Scripts
Appendix E - Data Subject Access Request Form

Introduction

This document sets out how The Royal Automobile Club Motor Sports Association Limited t/a Motor Sports Association (‘MSA’) adheres to the requirements of the Data Protection Act 1998.  It explains the requirements of the Act, the steps the MSA as an organisation has taken to comply with the Act, and the actions that MSA staff and users of MSA data must take to ensure compliance with the Act.

The Data Protection Act 1998

The Data Protection Act 1998 came into force on 1 March 2000. It sets out rules for processing personal date i.e. information held about living individuals who can be identified from the data either by itself or when taken with other information we hold about them. It applies to some paper records and to those held on computer.
The Act has eight principles of good practice for the processing of personal data.  This Policy addresses each of the eight principles, describing how the MSA adheres to the requirements of the Act.

The principles for good information handling

The eight principles set out in the Act are that data must be:
Fairly and lawfully processed;
Processed for limited purposes and not in any manner incompatible with those purposes;
Adequate, relevant and not excessive
Accurate;
Not kept for longer than is necessary;
Processed in line with the data subject’s rights;
Secure; and
Not transferred to other countries without adequate protection .

Background

Why does MSA collect and hold data?

In order to deliver services to its members, the MSA needs to hold personal data about members.  As member services become more personalised, more data about members needs to be collected.  The MSA also collects and holds data as part of its role in delivering services to organisations and in its role as a national governing body, as a business and as an employer.

The data subject

This is the term used in the Act to define the individual who is the subject of personal data.

Data processing

The Act sets out rules for the “processing” of data.  Processing is defined as “obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data”.
This definition therefore encompasses all of the MSA’s operations and more importantly, includes activities taking place outside of MSA headquarters.  Processing of MSA data is carried out by companies operating on the MSA’s behalf and by the MSA’s registered clubs, who are sent membership information to use for contacting members in their area.  This policy therefore applies to these bodies as well as to MSA headquarters.

Data Protection Officer

The Data Protection Officer is responsible for notification under the Act, ensuring compliance with the Act, documentation relating to the Act, responding to the individual requests for information or complaints, and the training of staff in relation to the Act.
The Data Protection Officer, who oversees day to day compliance, is Mr DK Gangahar, Finance & Operations Director, based at Motor Sports House, Riverside Park, Colnbrook, Berkshire, SL3 0HG. Tel: 01753 765000. Email: danesh.gangahar@msauk.org

The data protection principles

Data to be fairly and lawfully processed

The conditions set out in the Act for fair and lawful processing of information relevant to the MSA are:
That the data subject has given their consent to the processing.
Consent is obtained by including the relevant text on all application and similar forms, including the MSA website, and including relevant wording in the scripts used by the Licence Department; and
The processing is necessary for the performance of a contract to which the data subject is a party.
This covers commercial contracts taken out by the MSA as well as contracts of employment.
The following other conditions might also be relevant:

  • The processing is necessary for the taking of steps at the request of the data subject with a view to entering into a contract.
  • The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  • The processing is necessary in order to protect the vital interests of the data subject.
  • The processing is necessary for the exercise of any other functions of a public nature exercised in the public interest by any person.

The Act introduces the concept of “sensitive personal data ” for which specific rules apply.  At present, only staff employment records include any sensitive data.

Data to be processed for limited purposes

The purposes for which data may be processed are set out in a notice issued by the Data Controller to data subjects (see Appendix A) or in a notification to the Information Commissioner.  The MSA’s notification has been drawn up widely to include all known or anticipated activities. Copies of the MSA’s notifications are held by the Data Controller.

Data to be adequate, relevant and not excessive

This is self-explanatory, and simply means that the MSA should not hold personal data that is not relevant to the operation of the MSA.

Data to be accurate

Clearly the personal data the MSA holds should be accurate.  The MSA has procedures in place to verify certain information (such as address and banking information), but staff must make sure that information they record is both accurate and relates to the correct data subject (for example by asking members contacting the MSA to quote both their membership number and postcode).  Errors must be corrected immediately.
The Act requires the MSA “to take reasonable steps to ensure the accuracy of data”.

Data not to be kept for longer than is necessary

The MSA currently has no historic data which it is not appropriate to retain. The MSA reviews regularly what personal data we hold and how long it is held in conjunction with the needs of the business, the costs, risks and liabilities associated with retaining such information. Any information that is no longer needed will be deleted securely.

Data processed in line with the data subject’s rights

The rights of data subjects under the Act are:
a right of access to a copy of the information comprised in their personal data; 
a right to object to processing that is likely to cause or is causing damage or distress;
a right to prevent processing for direct marketing;
a right to object to decisions being taken by automated means;
a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
a right to claim compensation for damages caused by a breach of the Act.
This is achieved by logging “suppressions” against membership records.  Staff extracting mailing lists must review all suppressions that have been set up and include all suppressions that may be relevant.
If it is not practicable to apply suppression, the staff responsible for the mailing must make special effort to explain the reasons for this.

Data to be secure

There are two aspects to keeping data secure:
anyone seeing or receiving information they shouldn’t; and
data getting damaged, lost or destroyed.

Access control for HQ systems

The MSA’s physical and technical access controls include the following:
Physical access controls on headquarters itself;
The servers being kept in a locked room with access limited to a few key staff;
A hardware firewall configured to allow external access from specific IP addresses only;
System passwords configured to require a change;
Application passwords to be set and changed at regular intervals by users where possible, or changed at user request if not;
All PCs to be locked when not in use;
Screen savers / automatic locking to be applied to all PCs, Tablets and Phones;
Paper records being kept in locked cabinets except when actually in use.

Access control for Clubs, Officials, Marshals, Consultants and Officers of the MSA

Membership lists are provided to Clubs, Officials, Consultants, Marshals and Officers and other association members for legitimate purposes under the terms of the Act and the MSA’s notification. Club members and officers receiving such information and keeping it at locations separate from MSA Headquarters must adhere to the following requirements:
The information may only be held and used at the officer’s / member’s home.
Normal domestic security precautions should be taken to prevent unauthorised access to the building and to the PC on which such data may be held.
If the data is stored on a PC hard drive a password should be applied to prevent unauthorised access to the data.  Data held on floppy disks or other media should be securely stored.

Use of data

Data held by the MSA may only be used for the purposes for which it has been collected and stored.
For headquarters staff and consultants, data may only be accessed and used in relation to their day-to-day duties.
iFinity Plc only may access MSA data for the purpose of supporting the MSA’s iMIS, Customer Relationship Management application.
Information must not be used for any other purpose whatsoever.

Release of data

Users of MSA data must not release any data to a third party in any circumstances.
If a mailing list of MSA members is to be provided to a third party (such as an affinity partner) for any reason whatsoever, the prior permission of the data subject must be obtained.  All direct mailing must include an option for the individual to be excluded from any future direct mailing (by writing to the Data Controller at MSA).  Any arrangements with third parties must include the explicit agreement of the third party to:
abide by the requirements of the Data Protection Act 1998 and this policy;
use the data only for the purpose for which it was provided, and
either return or destroy the data immediately after the approved use.
MSA data must not be published in any manner whatsoever. 
Users must be aware of inadvertent disclosure of data to third parties.  For example, when confirming with a member telephoning the MSA that the correct record has been located, staff must ask the member to quote their address, not ask the member “is your address …”.
All requests for data must be referred to the Data Controller.

Data back-up

Server based applications and data are replicated automatically on a near real time basis to an offsite secure data location.

In addition to the offsite replication individual servers are also backed up daily to an onsite backup server.

MSA Data Protection statement

The Data Protection Act 1998 defines your rights as an individual in relation to the information held about you and how it may be used.
Like any membership organisation, the MSA holds information about our members, including names and addresses, other membership details, activities and history, methods of payment, and communications with the MSA.

The most important way in which we use data is providing you with the licence services you have requested and the licence benefits available to you as a member of the MSA.  The MSA does not, as a matter of general policy, pass on information about you to third parties.  In some circumstances, with your consent, the MSA may provide lists of MSA members to its affinity partners for the sole purpose of providing or drawing to your attention member benefits negotiated by MSA.

It is absolutely essential that you should trust the MSA to act responsibly and in your interests.  The MSA fully accepts this responsibility and is happy to give you an undertaking that it will keep information about you up to date and accurate, and do everything it can to prevent the data from being used in any unauthorised or illegal way.

In addition to the MSA’s commitment, the Data Protection Act gives you more extensive rights in relation to the information held about you.  If you prefer that the MSA stops using your information for the purpose of advising you about MSA services, or if you feel that it is using information about you in any way that which you believe may cause you (or another person) substantial damage or distress, you can write to the MSA at the address below to request that your records are no longer used in this way.

If you would like the MSA to send you a copy of the information we hold about you, please write to the address below specifying your membership number and enclosing a cheque for £10 payable to “ Motorsports Safety Fund”.
Correspondence about The Data Protection Act should be sent to:
The Data Protection Officer
The Royal Automobile Club Motor Sports Association Limited
Motor Sports House
Riverside Park
Colnbrook
Berkshire
SL3 0HG

Application form, etc. text

(including web applications)

The MSA will use the information you have provided here for the purpose of providing you with an MSA licence/membership, goods and services. The MSA may release mailing details to nominated third parties, where express consent is held to release such information.
The MSA will not disclose this information to any other person or organisation except in connection with the above purposes.

MSA website privacy statement

PRIVACY POLICY

  • GENERAL
    The MSA is committed to safeguarding your privacy on-line.  The purpose of this Privacy Policy is to tell you what personal information the MSA collects about you and the purposes for which it processes this information.  This Privacy Policy does not apply to third party sites, which the MSA site links to.
     
  • 2.INFORMATION COLLECTED
    Personal information about you is collected when you register or fill in a form, place an order for goods on the MSA website or when you send an e‑mail to MSA.  This information will be used for the purpose for which it is provided, unless you are informed otherwise at the time of giving the information.  You may inform the MSA at any time if you wish it to cease using your personal information.  The MSA will from time to time also collect information about you that does not reveal your identity.  It will use this information for editorial purposes and occasionally for other internal purposes.  At all times it will be used in aggregate form and will not be connected to any name, address or other personal identifying information.
     
  • USE OF PERSONAL INFORMATION
    The MSA processes personal information in order to conduct market research surveys, run competitions and provide you with information about products and services on offer and process your orders for such products and services.  The MSA may from time to time use your contact information to tell you about news or events run by the MSA or one of its strategic partners.  You may opt out of receiving such mailings either when you register with the MSA or at any time afterwards.  The MSA may also contact you with important information about your registration details even if you have opted out of receiving promotional emails.
     
  • DISCLOSURES
    The MSA might disclose your information under strict terms of confidentiality and restriction of use to partners of the MSA who supply services on behalf of the MSA and who require to process personal data in order to provide such services.  When you use MSA services you consent to the disclosure of your personal information to the MSA’s partners for this purpose.  The MSA will not disclose any of your personal information to any other third parties without your express consent.
     
  • USE OF COOKIES 
     
  • Cookies are small amounts of information that are sent to and stored on your computer.  They are used to identify you when you visit our web site and to make the site more convenient and pleasurable.  Cookies are used to remember user names, passwords and preferences and to deliver a faster and more personalised service.  The MSA website may contain adverts created and provided by a third party.  These adverts may place cookies on your computer that collect information about you and your use of the Internet.  MSA does not control the collection or use of your information by such advertisers and this Privacy Policy does not apply to such information. A copy of our Cookies Policy is available at http://www.msauk.org/site/cms/contentChapterView.asp?chapter=283
     
  • If you do not wish to have cookies placed on your computer you can disable cookies on your Internet browser.  Turning them off, however, might mean that you will not be able to enjoy the MSA website to its fullest.
     
  • LINKS
    There are links to the MSA website on third party websites over which the MSA has no control.  The MSA accept no responsibility or liability for any third party practices on third party websites.  The MSA advises you to carefully read third party privacy statements prior to use of their sites.
     
  • INTERNATIONAL TRANSFERS
    Whilst every effort is made to ensure that MSA data is not transmitted outside the EEA, due to the international nature of the Internet, the collecting and processing of your personal data may involve transferring the data between countries in which the MSA and its strategic partners operate.
     
  • SECURITY
    The MSA website has security measures in place to protect against loss, misuse and alteration of your personal information under the MSA’s control.  However, no data transmission of the Internet can be guaranteed to be 100% secure and, whilst the MSA strives to protect your personal information, it cannot guarantee the security of any information you transmit, and you do so at your own risk.  Once the MSA receives the transmission, it will use its best efforts to ensure the security on the system.

    You have a right to know about the personal information the MSA holds about you.  You also have a right to have your data corrected or deleted.  Please address all of your requests and / or queries about data held by the MSA to:
    The Data Protection Officer
    The Royal Automobile Club Motor Sports Association Limited
    Motor Sports House
    Riverside Park
    Colnbrook
    Berkshire
    SL3 0HG

Licence/Membership Department scripts

When contacted by telephone/email etc. the MSA will store and use the information you have provided for the purpose of providing you with MSA licence/membership, goods & services.
The MSA will not disclose this information to any other person or organisation.

Data Subject Access Request Form

THE ROYAL AUTOMOBILE CLUB MOTOR SPORTS ASSOCIATION LTD
(“MSA”)

 

DATA SUBJECT ACCESS REQUEST FORM

Please read this before completing this form:-

The Data Protection Act 1998 gives any individual rights to request to be told and see what information is held about them by the MSA.  The term “data subject” refers to the person about whom the information is being requested.

This form should be used wherever possible in making a Subject Access Request.  Using this standard form will greatly assist the MSA in meeting a request for information.  However, an individual provides all the information necessary for an officer of the MSA to comply with their request other than by completing this form, the request will still be complied with.

There is a charge of £10 for making a Subject Access Request.  You should receive a written response and copy of any appropriate access documents within 40 days of receipt of this form.

1.Details of person requesting the information

Licence Number (if known)…..……………………

Surname: …………………………………
First Name(s): …………………….

Address : 
……………………………………………………………………………
……………………………………………………………………………
…………………………………    
Postcode………………………….
Tel. No: …………………………(work)
Date of Birth: ……………………
E-mail:                  ………………………

2.Please describe the information you seek, together with any other relevant information that will help us to identify the information you require. 

……………………………………………………………………………….
……………………………………………………………………………….
……………………………………………………………………………….
3.Are you the Data Subject?

YES If you are the Data Subject please supply evidence of your identity i.e., copy of MSA licence.

NO If you are not the Data Subject, are you acting on behalf of the Data Subject with their written authority? If so, that written authority must be enclosed with this request form together with evidence of your identity and that of the Data Subject. [Please now complete Sections 4 and 5].

4.Details of the Data Subject (if different to Section 1)

Licence Number (if known)…..……………………

Surname: …………………………………
First Name(s): …………………….

Address :……………………………………………………………………………
……………………………………………………………………………
…………………………………    
Postcode………………………….
Tel. No:…………………………(work)
Date of Birth: ……………………
E-mail:……………………………………

5.Please describe your relationship with the Data Subject that leads you to make this request for information on their behalf.

……………………………………………………………………………………
…………………………………………………………………………………
…………………………………………………………………………………

DECLARATION to be completed by all applicants.  Please note that any attempt to mislead may result in prosecution. 

I, ………………………………., certify that the information given on this Subject Access Request form to The Royal Automobile Club Motor Sports Association Ltd is true.  I understand that it is necessary for The Royal Automobile Club Motor Sports Association Ltd to confirm my/the Data Subject’s identity and it may be necessary to obtain more detailed information in order to locate the correct information.

Signature …………………………………………..
Date: …………………………….

Please return the completed form and send it to: The Data Protection Officer, The Royal Automobile Club Motor Sports Association Limited, Motor Sports House, Riverside Park, Colnbrook, Berkshire, SL3 0HG. 

Documents which must accompany this application are: (a) evidence of your identity, (b) written authority and evidence of the Data Subject’s identity [if different from (a)].

MSA data is not transmitted outside the EEA, nor is there any intention to do so.  MSA’s notification under the Act states that personal data will not be transferred outside the EEA.

See Appendices

Sensitive data includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sexual life, and records of offences.

Click Here to View Full Site
Registered Office as above, Registered Number 1344829. VAT Number 242304895