We undertake to respect everyone's privacy and use the personal information they provide only for the specific purpose we describe here.
We will not pass personal information on to a third party without express permission.
We comply with the Data Protection Act and - in particular - the data protection principles as well as the EU General Data Protection Regulation (GDPR).
We hold very little personal information - only that which is necessary for the operation of Portsmouth CTC. Specifically we do not hold personal bank, credit card or debit card data.
Data is held in a database that supports this web site. The database is stored with our Internet Service Provider (ISP): 1&1.
We refer here to "members". For the purposes of this note a Portsmouth CTC member is a member of Cycling UK (but not an associate member) that has asked to be included in our web site.
Lawful basis of processing
The GDPR requires us to declare why our processing of personal data is lawful. We claim a 'legitimate interest' defined as "Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Guidance from the Information Commissioner's Office is that "It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing".
We see the legitimate interests as being:
- Our interest in administering Portsmouth CTC
- Members’ interests:
- Being kept informed
- Allowing them to communicate with each other (subject to their own choices)
- Notifying emergency contacts if necessary
This is the information held about Portsmouth CTC members. If you are a member you can see it in your your user profile.
We need the following pieces of information about members in order to operate the web site:
- An indication of whether a ride leader, probationer, or not
- An indication of who is allowed to see the member's contact information
- Email preferences
- Cycling UK membership number
Members may also provide:
- An email address (which can be an address shared with a spouse or partner)
- A postal address
- Emergency contact(s)
- Home phone number
- Mobile phone number
Keeping basic data up-to-date
Members can also ask the Secretary to change details on their behalf.
- Removes data held for past members - usually following a failure to renew subscriptions
- Maintains the ride leader status based on decisions made by the Portsmouth CTC committee
Access to basic data
The following have access to elements of basic data:
... can see:
- A member's name if it is mentioned in a page or if they are a ride leader, committee member, or other officer
- Links to email:
- Ride leaders
- Event organisers
- Committee member and supporting officers
The link does not disclose the email address and cannot be re-used after a short time has elapsed (preventing spammers from repeatedly mailing the member). Links are provided only for members that have provided an email address.
Member contact details will also appear to the public in the text of pages but only with their agreement or at their request. Typically this will be because they are administering some activity involving the public.
Note that we can adapt page content based on whether the person viewing is logged in as a member, or not. It is therefore possible members will see additional information on public pages that is not available to the general public.
Portsmouth CTC members
Members that are logged in to the site with their personal username and password can see:
- The data that can be seen by the public; and
- Contact details for other members, but only for those members that have provided contact details and have opted to make them visible to other members
Ride leaders can see emergency contact details for any member since the most likely time this would be needed is on a ride.
The Secretary and members he/she appoints to carry on in case he/she becomes unavailable can see all basic data.
Retention of basic data
We keep data about members for the duration of their membership.
When we detect a membership has lapsed we remove the member's details. Any posts made by the member are updated to show "Past member" as author.
If requested, we will remove a member's details immediately but they will be unable to participate fully in the club's activities since they will no longer be able to use the web site.
In addition to basic data, the web site holds information about:
Rides and events
Most rides and events identify a leader or organiser, and - optionally - a supporter.
The public can:
- See the names of leaders, organisers and supporters
- Email leaders, organisers and supporters (that have provided an email address) using links that do not disclose email addresses
Members can see all available contact details for leaders, organisers and supporters.
Relevant rides and events are automatically anonymised when we remove a member's details.
If members participate in the Ride Logging service they submit details about their rides either directly or via the Secretary. The member and the Secretary can see their ride details. All members can see monthly distance summaries for participating members.
Distance data is removed from the site automatically when we remove a member from the site. We will also delete it on request.
If members participate in the Online Tracking service, their GPS device submits details about their position to the site. The members' tracks are visible to:
- Non-members that have been given a password generated by a member
Position data is removed from the site automatically when we remove a member from the site. We will also delete it on request.
Members have the option to upload a photograph. The photo is visible to other members via the Member Lookup and Member Gallery services. Members can change or delete their photo at any time.
Photos are removed from the site automatically when we remove a member from the site. We will also delete photos on request.
We do not retain any information from these forms:
- Contact us
- Email CTC member(s)
- Club kit orders
- Cathedral Challenge registration
- Problem report
- Barn dance booking (not currently used)
- BBQ request (not currently used)
Instead, the forms generate emails to the target individual(s).
We will introduce new email forms as needed.
Securing web site data
We keep a number of backups of web site data:
- We assume that 1&1, our Internet Service Provider, keeps backup copies but we don't rely on them.
- We make a backup copy every day for storage on the web site. The backup file is encrypted with a key known only to Portsmouth CTC.
- We copy each day's encrypted backup file to a PC held by the Secretary where they are retained for at least 20 days.
Apart from those pages available to the general public, access to the site is restricted to Portsmouth CTC members who log in with their personal username and password. Passwords are encrypted before they are stored in such a way that no-one, not even site administrators, can retrieve the password (we use a process known as one-way encryption).
All traffic between our web site and web browsers is encrypted automatically using industry-standard https protocols.
Access to web site programming and site administration details is restricted to the Secretary and members he/she appoints to carry on in case he/she becomes unavailable.