Chichester Harbour Conservancy: the data controller
Chichester Harbour Conservancy respects your privacy and is committed to protecting your personal data. We comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR)
The Conservancy is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO – Reg. No. Z5481848), the UK supervisory authority for data protection issues. We ensure that your personal data is processed fairly and kept securely for no longer than is necessary. The nominated Data Protection Officer for Chichester Harbour Conservancy is Rosie Chase, Executive Officer.
You have the right to know how we use your personal data. It is important that the personal data we hold about you is accurate and up to date, so please tell us if your personal details change during your relationship with us. If you are under 18, get your parent or guardian’s permission before you provide personal information to us.
What information we collect and how we use it
In order to register and receive or use many of the services the Conservancy provides, you need to give us some personal information. The type of information we collect depends on the service involved, but may include any of the following,
- identity – name and date of birth
- contact – address, email address, phone numbers
- financial – bank account, payment card, transaction data,
- The details of your vessel (boat name, size, construction material, vessel type, hull shape, colour, where it is kept)
- The Conservancy uses CCTV for the detection and prevention of crime
We may also receive your personal data from outside agencies or third parties where there is a sound legal basis and purpose for us to receive it.
We will only use your personal data when the law allows us to. The bases are set out in Article 6 GDPR and in most cases the basis for processing is to enable the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. We will also process data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Public task: to perform a task in the public interest or for an official function, for example the collection of harbour dues.
- Legal obligation: to comply with the law (not including contractual obligations), for example in the enforcement of byelaws
- Contract: for a contract with you, or because you have asked us to take specific steps before entering a contract, for example, the collection of harbour dues or the hire of Conservancy moorings.
- Vital interests: to protect someone’s life, for example, if our patrol attends a casualty
- Legitimate interests: to protect the interests of the Conservancy or someone else unless there is a good reason to protect your data which overrides those other interests.
- Consent: you have specifically agreed to our use of your data and we have no other legal basis for processing it. Where possible, the Conservancy will seek consent for the use of your information. We will be transparent in how it is processed,
We will use your personal data in the following circumstances:
- To communicate with you
- To respond to complaints
- Internal record keeping.
- Identify if you meet our eligibility criteria (where applicable) for services.
- To administer and contact you about accounts and records related to your application/service.
- Help to prevent and detect fraud or loss.
- For maintaining the security of our property and premises and for preventing and investigating crime.
- To contact you about an incident or accident in the harbour that you were directly involved in or have witnessed.
- Where you give us information on behalf of someone else (for example if a boat is in shared ownership), you confirm that you have provided them with the information set out in this privacy notice, and that they agree to the uses of their personal information described in it;
- Comply with relevant legislation and regulation.
- For service improvement
Special category data (sensitive data)
We will only use your special category personal data when the law allows us to. The bases are set out in Article 9 GDPR.
We will use your special category data in the following circumstances, where processing:
- is with your explicit consent
- is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- relates to personal data which are manifestly made public by the data subject
- is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity
- is necessary for reasons of substantial public interest
- is necessary for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care, or treatment or the management of health or social care systems and services • is necessary for reasons of public interest in the area of public health • is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious or trade union aim. This is on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes. Also, that the personal data are not disclosed outside that body without the consent of the data subjects.
How long we will keep your personal data
We will only hold your personal information for as long as necessary. We use our retention schedules to work out how long we need to keep your information for. Retention periods are set considering statutory requirements and service/business needs.
Who we share your information with?
We use external trusted services or suppliers who provide business support services, including IT security, building maintenance, archiving, data storage, email and text services and surveys.
We will only share your personal data when the law allows us to.
We will only share your special category data, under Article 9 GDPR, when the law allows us to.
You may decide you do not wish your personal information to be collected or shared or may wish to set conditions on our use of it. In such cases we may not be able to provide the service you require or may only be able to provide it in a limited way. There are occasions where we have a legal obligation to collect or use personal information without consent.
We may use personal information to identify individuals who need additional support during emergencies or major incidents.
Other third parties
We do not pass personal data to third parties for marketing, sales, or any other commercial purposes without your prior explicit consent. We may process your personal information using web services hosted outside the European Economic Area (EEA), but only where a data processing agreement is in place that complies with obligations equivalent to those of the Data Protection Act.
The Conservancy must protect public funds and may use personal information to detect and prevent fraud and ensure public money is targeted and spent in the most cost-effective way.
To achieve this, information may be shared with other bodies responsible for auditing or administering public funds, including:
- the Department for Work and Pensions or other relevant government departments.
- Local authorities
- HM Revenue and Customs
- fraud investigation services
- the police.
We have put in place security measures to prevent your personal data from being lost, used, or accessed in an unauthorised way, altered or disclosed inappropriately.
We also limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know in order for our service to be provided. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have procedures to deal with any suspected breach of the rules about personal data and will notify you and the regulator of a breach where we are required to do so.
We reserve the right to monitor and record electronic communications (website, email and phone conversations) for the purposes of keeping records, staff training, detection, investigation, and prevention of crime.
- Phone conversations – we will inform you if your call is being recorded or monitored.
- Email – emails that we send to you or you send to us may be kept as a record of contact and your email address stored for future use in accordance with our record retention policy. If we need to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures.
- To request access to your personal data.
- To request correction of our records.
- To request removal of data or limit our use of it – this right is not absolute, and we may not be able to comply with your request. You have a right to have personal data erased and prevent types of data processing in the following specific circumstances.
- a) Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- b) When you withdraw consent, we have relied upon.
- c) When you object to the processing and there is no overriding legitimate interest for continuing the processing.
- d) The personal data was unlawfully processed.
- e) The personal data must be erased in order to comply with a legal obligation.
- f) The personal data is processed in relation to the offer of information society services to a child.
- To object to processing – in some cases, we may need to explain that we have good grounds to continue to process your information.
- To data portability – this right allows individuals to obtain and reuse their personal data for their own purposes for different services. This only applies to personal data provided by you, with your consent or for the performance of a contract, and when processing is automated.
- Not to be subject to automated decision-making, including profiling – this right only applies where the decision is based on automated processing and we do not undertake any automated decision-making, including profiling.
- To withdraw consent (when this is the only basis for our use of your data).
- To find out more about your legal rights, or to request a change or deletion to your personal information, see Your rights.
- In the case of an online information service, such as email alerts, we will remove your details if you inform us that you no longer wish to continue to receive the service. We also ensure that you can unsubscribe using links in any communications from us.
- To obtain access to the records we hold about you, contact the Executive Officer, via email firstname.lastname@example.org, by telephone on 01243 510988 or via post at Chichester Harbour Conservancy, The Street, Itchenor. PO20 7AW.
Accessing your personal data in relation to complaints
We will use your personal information to investigate your complaint and check on our level of service. We compile information on complaints, which are kept for the purpose of improving services. No personal information in relation to complaints is published.
No third parties have access to your personal information unless the law allows them to do so. However, if you have made a complaint to us about someone else or another organisation, we usually have to disclose your identity to them to enable the complaint to be dealt with appropriately and in context. This also means we may receive information about you from them.
If you do not want information that identifies you to be shared with the organisation you want to complain about, we will try to respect that. However, it is not always possible to handle a complaint on an anonymous basis, so we will contact you to discuss this.
If you are acting on behalf of someone making a complaint, we will ask for information to satisfy us of your identity and, if relevant, ask for information to show you have authority to act on someone else’s behalf.