Data Protection Policy
A Statement About the Information Held on Our Website
We make every effort to make sure that the information held on this website is as accurate, as up to date, and as complete as possible. However, there can be occasions where we experience problems in achieving this. This means that we cannot accept liability for any loss, damage, or inconvenience which may occur through your use of the information on this site.
​
We recommend that you contact us for clarification before going any further with anything which you feel could cause loss, damage or inconvenience, as a result of using information on our site. If you find any information on our site that gives you cause for concern, then please tell us, and we will investigate, as appropriate. Also, please understand that we are not in control of any of the sites that we link to from ours. This means that again we do not accept liability for any loss, damage, or inconvenience which may occur through your use of the information on those sites. Please contact the appropriate organisations to check that their information is up to date and accurate.
A Statement About the Copyright of Information/Facilities Held on Our Site
All of the pages on this website are the copyright © of The Light Aircraft Association (unless otherwise stated). Our copyright is protected by UK laws, and by international treaties worldwide. All rights are reserved.
​
Please read the statements below if you would like to publish our information further :
​
We expect notification of further publication of our information as a courtesy. However, permission to use our information (for non-commercial purposes) is given, if we are acknowledged as the source.
​
Privacy Statement
GENERAL DATA PROTECTION REGULATION - LAA POLICY
​
​1. INTRODUCTION
As an organisation which holds personal data in the form of membership and aircraft ownership information, we are required to ensure compliance with the UK General Data Protection Regulations (GDPR), which are designed to ensure more robust security and more transparency in the use of personal data.
​
Our previous systems and databases were designed to be fully compliant with the Data Protection Act (DPA) of 2018, therefore most of our approach to compliance remains valid under the GDPR. This Policy paper provides the basis for compliance with the new regulations.
​
The GDPR places specific legal obligations on the LAA. For example, we are required to maintain records of personal data processing activities. We will have legal liability if we are responsible for a breach of confidential member data and members have a right to request sight of the data we hold on them, how it is used and if necessary to request that data is removed from our database.
2. OVERALL POLICY
The LAA holds personal data from members and data linked to aircraft built or operated by members. We only hold data when there is a justifiable need to do so and will remove data if it is no longer required. The LAA has robust security systems to protect data and information, and will promptly inform anyone affected should any breach occur. Finally, the LAA will not circulate any member information to third parties without prior consent.
​
3. WHAT WE HOLD
We currently hold data which is pertinent to GDPR in six main areas:
a) Membership Data.
All filing is electronic, via a remotely sited database with no hard copy filing. Name, address, contact numbers and e-mails; age; type and duration of membership; aircraft owned linked to Engineering database; bank details; correspondence sent and received. No credit or debit card details are recorded or retained. Members names and addresses are supplied to the LAA magazine publishers for the distribution of Light Aviation magazine only. Stuts receive details of new members with prior consent when they join up.
​
b) Engineering Data.
Links from the aircraft ownership database to the member database include correspondence sent and received; lists of permit revalidation dates and related information, categorised both by aircraft type and aircraft registration. Permit issue and revalidation applications, modification and repair applications are held both electronically and as hard copy in a locked, secure archive. These typically include member name and address data and may also record pilot licence number. There is a legal requirement to hold aircraft files for future scrutiny by organisations such as CAA and AAIB. Engineering admin also process debit and credit card information for fees and transactions. No debit or credit card details are recorded or retained.
​
c) Transactional Data.
Held electronically and in some cases as hard copy. Records of membership fees paid, permit revalidation payments, modification and repair fees, training course fees and merchandise sales. Records of sales transactions are held for one year in case of queries and also for the purposes of audit. No debit or credit card details are recorded or retained. Magazine advertising transactions held include name, address, payment levels and future commitments. Rally advertising and stand space transactions are logged by the Office Manager and contracted accountant. Other charges and transactions are controlled by contracted accountant via Sage accounting software.
​
d) Inspector Records.
Information held by Chief Inspector on LAA Inspectors includes: name, address, age, qualifications, contact numbers and e-mail addresses, inspection approval categories, reports on reviews and competency assessments. Held both electronically and as filed hard copy.
​
e) NPPL Data.
Information is processed on behalf of CAA for the National Private Pilot Licence scheme. Name, address, contact numbers and e-mails, age. Financial transactions recorded as part of licensing process are forwarded to the CAA for processing. Payments for the LAA are made either online or virtually. No debit or credit card details are recorded or retained.
​
f) Employee Information.
Name, address, contact numbers and e-mails, age, bank details, tax and salary information, as well as working records, for members of staff, contractors and some volunteers. Accessible only to senior personnel; CEO, Office Manager, Accountant and Chief Technical Officer. Terms of staff member access to own records specified in Staff Handbook.
​
It is noted too that every staff member and Board member holds personal information which comes under the jurisdiction of the GDPR in the form of e-mails, applications and transactional records. All staff and Board members are to be reminded that all correspondence and address details held remain confidential, and a Data Handling Code of Conduct, including advice on computer security, will be followed. All e-mails issued should contain a standard confidentiality notice.
​
In addition to information held at LAA HQ, LAA Member Clubs and Struts will also hold information such as member data which will require GDPR compliance. The LAA will brief these organisations accordingly on a regular basis, giving advice on how they can comply in their own right.
​
4. OVERSIGHT
The GDPR requires that public authorities and large-scale data processing organisations designate a Data Protection Officer to take responsibility for data protection compliance. The size and structure of our organisation does not justify a dedicated post, therefore a GDPR steering team led by the CEO will provide this oversight.
​
The CEO, Office Manager, Chief Technical Officer and Chief Inspector will meet at least quarterly to identify areas that could cause compliance problems under the GDPR and will report regularly to the Board.
​
5. PRIVACY
All members, by completing their application and thereby entering into a contractual relationship for the LAA to provide membership services, have effectively agreed to their use of their name and address, exclusively by the LAA, to ensure they receive benefits including Light Aviation magazine.
​
We fulfil the terms of the GDPR in having a lawful basis for processing this data (see 6), which will be held on our database for the duration of their membership. In the case of lapsed membership, the data is held for a further five years to allow lapsed members to more easily rejoin (needs updating when records have been deleted). Deceased members’ records are removed after two months, with the exception of LAA Inspectors, as their records are regarded as a part of an inspected aircraft’s history.
​
Engineering and aircraft-related data linked to members is retained (see 3b), as we have a requirement to hold records linked to aircraft to meet the requirements of organisations such as the CAA and AAIB.
​
We are currently reviewing our privacy notices to accommodate GDPR requirements. These privacy notices make clear our identity and how we intend to use member information.
​
Each form requiring Member Information input will henceforth carry the line; “Data privacy: personal data submitted on this application form may be stored electronically but will only be used in relation to the application (and to support the safety of any aircraft to which it relates)*. Statutory obligations excepting, personal data will not be passed on to third parties without your permission. The full LAA data protection policy can be found on our website at www.laa.uk.com”
*this section for engineering forms only.
​
6. INDIVIDUALS' RIGHTS
The GDPR includes the following rights for individuals: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
​
We are confident that current procedures fulfil the GDPR and we do not operate any data profiling processes. We will regularly review our procedures to ensure they cover areas such as the deletion of personal data and will provide a member with the data we hold on them, if requested, in electronic format. The CEO will make any final decisions about deletion or release of information.
​
7. SUBJECT ACCESS REQUESTS
We acknowledge that individuals have a right to seek access to information held on LAA databases or if they think there is a problem with the way we are handling their data. We will comply with any such request within the new statutory one month period. However, we can refuse or charge for requests that are manifestly unfounded or excessive.
​
Individuals will have the right to have their personnel data deleted where they believe it is being held without a practical or lawful basis. If we refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. We must do this, at the latest, within one month.
​
8. CHILDREN
There is a requirement to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. This is unlikely to directly affect the Light Aircraft Association Limited, but it may be pertinent if Struts or LAA YES is holding information on individuals under the age of 13. A briefing on these requirements will be forwarded to LAA Struts and YES as part of their briefing process.
​
9. DATA PRIVACY IMPACT ASSESSMENT (DPIA)
LAA systems fulfil the GDPR recommended ‘privacy by design’ approach. ‘Data Protection Impact Assessments’ will be carried out if a new technology is being deployed; or if there is processing on a large scale of the special categories of data held. While this is unlikely to directly affect the LAA, we will work with our IT contractors to ensure that awareness of this is included in any future development programmes.
​
10. BREACHES OF DATA
Should we become aware of any personal data breach, we will notify members as rapidly as is feasibly possible, notifying the Information Commissioner’s Office if a breach is likely to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to those concerned.
June 2024