LONDON EDWARDIANS HOCKEY CLUB
PRIVACY NOTICE FOR OUR MEMBERS
We are committed to respecting your privacy. This notice is to explain how we may use personal information we collect before, during and after your membership with us. This notice applies to you if you have registered to become or are a member of our club. This notice explains how we comply with the law on data protection, what your rights are and for the purposes of data protection we will be the controller of any of your personal information.
References to we, our or us in this privacy notice are to London Edwardians Hockey Club.
We have not appointed a Data Protection Officer to oversee our compliance with data protection laws as we are not required to do so, but our Chairman and our Committee have overall responsibility for data protection compliance in our organisation. Contact details are set out in the "Contacting us" section at the end of this privacy notice.
1. PERSONAL INFORMATION WE MAY COLLECT FROM YOU
Depending on the type of membership you register for with us, you may initially provide us with or we may obtain personal information about you, such as information regarding your (note, this list is not exhaustive):
o personal contact details that allow us to contact you directly such as name, title, email addresses and telephone numbers;
o date of birth;
o membership start and end date;
o references and other information as part of the application process for membership;
o records of your interactions with us such as telephone conversations, emails and other correspondence and your instructions to us;
o any credit/debit card and other payment details you provide so that we can receive payments from you and details of the financial transactions with you;
o use of and movements through our online portal (including our website), passwords, personal identification numbers, IP addresses, user names and other IT system identifying information;
o attendance at any events hosted by us;
o images in video and/or photographic form and voice recordings;
o marketing preferences so that we know whether and how we should contact you;
o identification documents such as passport and identity cards;
o details of any county membership and previous club;
o details of next of kin, family members, coaches and emergency contacts;
o records and assessment competition results, details regarding games and training attended and performance (including statistics and that generated through player pathway programme);
o disciplinary and grievance information;
o kit information (including squad number and clothing sizes);
o dietary requirements;
o umpiring and coaching qualifications; and
o committee position.
2. SPECIAL CATEGORIES OF PERSONAL INFORMATION
We may also collect, store and use the following “special categories” of more sensitive personal information:
o information about your race or ethnicity, religious beliefs and sexual orientation;
o information about your health, including any medical condition, health and sickness records, medical records and health professional information; and
o biometric information about you, for example fingerprints, retina scans.
We may not collect all of the above types of special category personal information about you. In relation to the special category personal data that we do process we do so on the basis that:
o the processing is necessary for reasons of substantial public interest, on a lawful basis;
o it is necessary for the establishment, exercise or defence of legal claims;
o it is necessary for the purposes of carrying out the obligations and exercising our or your rights in the field of employment and social security and social protection law; or
o based on your explicit consent.
In the table below we refer to these as the “special category reasons for processing of your personal data”.
We may also collect criminal records information about you. For criminal records history we process it on the basis of legal obligations or based on your explicit consent.
3. WHERE WE COLLECT YOUR INFORMATION
We typically collect personal information about our members when you apply to become a member of the club, you register an account with us at www.edwardians.com, when you purchase any services or products we offer (including kit), when you make a query and/or complaint or when you correspond with us by phone, e-mail, WhatsApp, social media or in some other way.
We also may collect personal information about you from any third party references you provide as part of the application process for membership.
If you are providing us with details of referees, next of kin, beneficiaries, family members and emergency contacts, they have a right to know and to be aware of what personal information we hold about them, how we collect it and how we use and may share that information. Please share this privacy notice with those of them whom you feel are sufficiently mature to understand it. They also have the same rights as set out in the “Your rights in relation to personal information” section below.
4. USES MADE OF THE INFORMATION
The table below describes the main purposes for which we process your personal information, the categories of your information involved and our lawful basis for being able to do this. This table is not exhaustive.
| Purpose | Personal information used | Lawful basis |
| --- | --- | --- |
| To administer any membership you have with us and managing our relationship with you, including dealing with payments and any support, service or product enquiries made by you | All contact and membership details, transaction and payment information, records of your interactions with us, and marketing preferences. | This is necessary to enable us to properly manage and administer your membership. |
| To send you information which is included within your membership, including newsletters, details about ticket information, competitions and events (including socials), courses, products, partner offers and discounts and any updates on hockey | Contact and membership details. | This is necessary to enable us to properly manage and administer your membership. |
| To send you other marketing information we think you might find useful or which you have requested from us, including information about our commercial partners | Contact details and marketing preferences. | Where you have given us your explicit consent to do so. |
| To answer your queries or complaints | Contact details and records of your interactions with us. | We have a legitimate interest to provide complaint handling services to you in case there are any issues with your membership. |
| Retention of records | All the personal information we collect. | We have a legitimate interest in retaining records whilst they may be required in relation to complaints or claims. We need to retain records in order to properly administer and manage your membership and run our club and in some cases we may have legal or regulatory obligations to retain records. We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. For criminal records history we process it on the basis of legal obligations or based on your explicit consent. |
| The security of our IT systems | Your usage of our IT systems and online portals. | We have a legitimate interest to ensure that our IT systems are secure. |
| To conduct data analytics studies to better understand event attendance and trends within the sport | Records of your attendance at any events or competitions hosted by us. | We have a legitimate interest in doing so to ensure that our membership is targeted and relevant. |
| For the purposes of promoting the club, our events and membership packages | Images in video and/or photographic form. | We have a legitimate interest in doing so to ensure that we attract new members and/or promote our events. |
| To comply with health and safety requirements | Records of attendance, medical information about your health. | We have a legal obligation and a legitimate interest to provide you and other members of our organisation with a safe environment in which to participate in sport. We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. |
| To administer your attendance at any courses or programmes you sign up to (including umpiring courses) | All contact and membership details, transaction and payment data. | This is necessary to enable us to register you on to and properly manage and administer your attendance on the course and/or programme. |
| To arrange for any trip or transportation to and from an event | Identification documents, details of next of kin, family members and emergency contacts, transaction and payment information, health and medical information. | This is necessary to enable us to make the necessary arrangements for the trip and/or transportation to an event. We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. |
| To use information about your physical or mental health (including any injuries) or disability status, to ensure your health and safety and to assess your fitness to participate in any events or activities we host and to provide appropriate adjustments to our sports facilities | Health and medical information. | We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. |
| To gather evidence for possible grievance or disciplinary hearings | All the personal information we collect. | We have a legitimate interest in doing so to provide a safe and fair environment for all members and to ensure the effective management of any disciplinary hearings, appeals and adjudications. We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. For criminal records history we process it on the basis of legal obligations or based on your explicit consent. |
| For the purposes of equal opportunities monitoring | Name, title, date of birth, gender, information about your race or ethnicity and health and medical information. | We have a legitimate interest to promote a sports environment that is inclusive, fair and accessible. We process special category personal data on the basis of the “special category reasons for processing of your personal data” referred to in section 2 above. |
| To comply with legal obligations, for example, regarding people working with children or vulnerable adults to comply with our safeguarding requirements | Information about your criminal convictions and offences. | For criminal records history we process it on the basis of legal obligations or based on your explicit consent. |
| For match days | All contact and membership details and dietary information. | This is necessary to enable us to properly manage and administer your membership. |
| For kit orders | All contact and membership details, kit sizes. | Where you have given us your explicit consent to do so. |
You will have a legal, contractual or other requirement or obligation to provide us with some of your personal information. If you do not provide us with the requested personal information we may not be able to admit you as a member or we may not be able to properly perform our contract with you or comply with legal obligations and we may have to terminate your membership. For other personal information you may not be under an obligation to provide it to us, but if you do not provide it then we may not be able to properly perform our contract with you.
Where you have given us your consent to use your personal information in a particular manner, you have the right to withdraw this consent at any time, which you may do by contacting us as described in the "Contacting us" section below.
Please note however that the withdrawal of your consent will not affect any use of the data made before you withdrew your consent and we may still be entitled to hold and process the relevant personal information to the extent that we are entitled to do so on bases other than your consent. Withdrawing consent may also have the same effects as not providing the information in the first place, for example we may no longer be able to provide certain member benefits to you.
5. DIRECT MARKETING
Email, post, WhatsApp, social media and SMS marketing: from time to time, we may contact you by email, post, WhatsApp, social media or SMS with information about products and services (including social events) we believe you may be interested in.
We will only send marketing messages to you in accordance with the marketing preferences you set. You can then let us know at any time that you do not wish to receive marketing messages by replying stating “unsubscribe” to the marketing messages we send to you.
6. DISCLOSURE OF YOUR PERSONAL INFORMATION
We share personal information with the following parties (note, this list is not exhaustive):
o Any party approved by you.
o Hockey governing bodies or regional bodies: (i) to allow them to properly administer hockey on a local, regional and national level; and (ii) in respect of any welfare or safeguarding issues for vulnerable adults within the club;
o Opposition teams: where we need to share information to arrange and organise matches (including dietary information for match teas);
o Other members: to administer your membership;
o Service providers: for example, email marketing specialists, payment processors, data analysis and CCTV contractors, promotional advisors, contractors or suppliers and IT services (including CRM, website, video- and teleconference services);
o Supply chain partners: such as couriers, import/export agents, shippers and kit suppliers;
o Commercial partners: for the purposes of providing you with information on any tickets, special offers, opportunities, products and services and other commercial benefits provided by our commercial partners as part of your membership package;
o The Government or our regulators: where we are required to do so by law or to assist with their investigations or initiatives; and
o Police, law enforcement and security services: to assist with the investigation and prevention of crime and the protection of national security.
7. TRANSFERRING YOUR PERSONAL INFORMATION INTERNATIONALLY
The personal information we collect is not transferred to and stored in countries outside of the UK and the European Union. However, the personal information we collect may, from time to time, be transferred to and stored in countries outside of the UK and the European Union. Some of these jurisdictions require different levels of protection in respect of personal information and, in certain instances, the laws in those countries may be less protective than the jurisdiction you are typically resident in. We will take all reasonable steps to ensure that your personal information is only used in accordance with this privacy notice and applicable data protection laws and is respected and kept secure, and where a third party processes your data on our behalf we will put in place appropriate safeguards as required under data protection laws. For further details please contact us by using the details set out in the "Contacting us" section below.
8. HOW LONG DO WE KEEP PERSONAL INFORMATION FOR?
The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you. However, in some cases personal information may be retained on a long-term basis: for example, personal information that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements. Generally, where there is no legal requirement we retain all physical and electronic records for a period of 6 years after the later of your last contact with us or the end of your membership. Exceptions to this rule are:
o Details regarding unsuccessful membership applicants where we hold records for a period of not more than 12 months;
o Information that may be relevant to personal injury or discrimination claims may be retained until the limitation period for those types of claims has expired. For personal injury or discrimination claims this can be an extended period as the limitation period might not start to run until a long time after the event.
It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you change your phone number or email address. You may be able to update some of the personal information we hold about you through our website, WhatsApp or social media. Alternatively, you can contact us by using the details set out in the "Contacting us" section below.
9. YOUR RIGHTS IN RELATION TO PERSONAL INFORMATION
You have the following rights in relation to your personal information:
o the right to be informed about how your personal information is being used;
o the right to access the personal information we hold about you;
o the right to request the correction of inaccurate personal information we hold about you;
o the right to request the erasure of your personal information in certain limited circumstances;
o the right to restrict processing of your personal information where certain requirements are met;
o the right to object to the processing of your personal information;
o the right to request that we transfer elements of your data either to you or another service provider; and
o the right to object to certain automated decision-making processes using your personal information.
You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. For example, we do not use automated decision making in relation to your personal data. However, some have no conditions attached, so your right to withdraw consent or to object to processing for direct marketing is an absolute right.
Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.
To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details set out in the "Contacting us" section below.
If you are unhappy with the way we are using your personal information you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.
10. CHANGES TO THIS NOTICE
We may update this privacy notice from time to time. When we change this notice in a material way, we will update the version date at the bottom of this page. For significant changes to this notice we will try to give you reasonable notice unless we are prevented from doing so. Where required by law we will seek your consent to changes in the way we use your personal information.
11. CONTACTING US
In the event of any query or complaint in connection with the information we hold about you, please email firstname.lastname@example.org.
Version 1 dated 13 May 2018
LONDON EDWARDIANS HOCKEY CLUB
Data Protection Policy
LONDON EDWARDIANS HOCKEY CLUB (“we”, “our” or “us”) is committed to complying with data protection law and to respecting the privacy rights of individuals. The policy applies to all of our members (“Members”). References to “you”, “yourself” and “your” are to each Member to whom this Policy applies.
This Data Protection Policy (“Policy”) sets out our approach to data protection law and the principles that we will apply to our processing of personal data. The aim of this Policy is to ensure that we process personal data in accordance with the law and with the utmost care and respect.
We recognise that you have an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy and to apply and implement its requirements when processing any personal data. Please pay special attention to sections 14, 15 and 16 as these set out the practical day-to-day actions that you must adhere to when working or volunteering for the club.
Data protection law is a complex area. This Policy has been designed to ensure that you are aware of the legal requirements imposed on you and on us and to give you practical guidance on how to comply with them. This Policy also sets out the consequences of failing to comply with these legal requirements. However, this Policy is not an exhaustive statement of data protection law nor of our or your responsibilities in relation to data protection.
If at any time you have any queries on this Policy, your responsibilities or any aspect of data protection law, seek advice. Contact the Chairman.
1. Who is responsible for data protection?
1.1 All our Members are responsible for data protection, and each person has their role to play to make sure that we are compliant with data protection laws.
1.2 We are not required to appoint a Data Protection Officer (DPO). However we have still appointed the Chairman and our committee (the “Committee”) to be responsible for overseeing our compliance with data protection laws.
2. Why do we have a data protection policy?
2.1 We recognise that processing of individuals’ personal data in a careful and respectful manner cultivates trusting relationships with those individuals and trust in our brand. We believe that such relationships will enable our organisation to work more effectively with and to provide a better service to those individuals.
2.2 This Policy works in conjunction with other policies implemented by us from time to time, including for example the Privacy Notice, and any other policies we implement from time to time.
3. Status of this Policy and the implications of breach.
3.1 Any breaches of this Policy will be viewed very seriously. All Members should read this Policy carefully and make sure they are familiar with it. Breaching this Policy is a disciplinary offence and will be dealt with under our Disciplinary Procedure.
3.2 If you do not comply with Data Protection Laws and/or this Policy, then you are encouraged to report this fact immediately to the Chairman/Committee. This self-reporting will be taken into account in assessing how to deal with any breach, including any non-compliance which may pre-date this Policy coming into force.
3.3 Also if you are aware of or believe that any other representative of ours is not complying with Data Protection Laws and/or this Policy you should report it in confidence to the Chairman/Committee.
4. Other consequences
4.1 There are a number of serious consequences for both yourself and us if we do not comply with Data Protection Laws. These include:
4.1.1 For you:
4.1.1.1 Disciplinary action: If you are a member, your terms of membership require you to comply with our policies. Failure to do so could lead to disciplinary action including termination of your membership.
4.1.1.2 Criminal sanctions: Serious breaches could potentially result in criminal liability.
4.1.1.3 Investigations and interviews: Your actions could be investigated and you could be interviewed in relation to any non-compliance.
4.1.2 For us:
4.1.2.1 Criminal sanctions: Non-compliance could involve a criminal offence.
4.1.2.2 Civil fines: These can be up to Euro 20 million or 4% of group worldwide turnover, whichever is higher.
4.1.2.3 Assessments, investigations and enforcement action: We could be assessed or investigated by, and obliged to provide information to, the Information Commissioner on its processes and procedures and/or subject to the Information Commissioner’s powers of entry, inspection and seizure, causing disruption and embarrassment.
4.1.2.4 Court orders: These may require us to implement measures or take steps in relation to, or cease or refrain from, processing personal data.
4.1.2.5 Claims for compensation: Individuals may make claims for damage they have suffered as a result of our non-compliance.
4.1.2.6 Bad publicity: Assessments, investigations and enforcement action by, and complaints to, the Information Commissioner quickly become public knowledge and might damage our brand. Court proceedings are public knowledge.
4.1.2.7 Loss of business: Prospective members, participants, players, customers, suppliers and contractors might not want to deal with us if we are viewed as careless with personal data and disregarding our legal obligations.
4.1.2.8 Use of management time and resources: Dealing with assessments, investigations, enforcement action, complaints, claims, etc. takes time and effort and can involve considerable cost.
5. Data protection laws
5.1 The Data Protection Act 1998 (“DPA”) applies to any personal data that we process, and from 25 May 2018 this will be replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “Data Protection Laws”) and then after Brexit the UK will adopt laws equivalent to these Data Protection Laws.
5.2 This Policy is written as though GDPR and the DPA 2018 are both in force, i.e. it states the position as from 25 May 2018.
5.3 The Data Protection Laws all require that the personal data is processed in accordance with the Data Protection Principles (on which see below) and gives individuals rights to access, correct and control how we use their personal data (on which see below).
6. Key words in relation to data protection
6.1 Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into our possession). That living individual might be an employee, customer, prospective customer, supplier, contractor or contact, and that personal data might be written, oral or visual (e.g. CCTV).
6.2 Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. a name or video footage) or might do so if taken together with other information available to or obtainable by us (e.g. a job title and company name).
6.3 Data subject is the living individual to whom the relevant personal data relates.
6.4 Processing is widely defined under data protection law and generally any action taken by us in respect of personal data will fall under the definition, including for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including images.
6.5 Data controller is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.
6.6 Data processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an outsourced payroll provider will be a data processor.
7. Personal data
7.1 Data will relate to an individual and therefore be their personal data if it:
7.1.1 identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
7.1.2 has content that is about the individual personally. For instance, medical records, a recording of their actions, or contact details;
7.1.3 relates to property of the individual, for example their home, their car or other possessions;
7.1.4 could be processed to learn, record or decide something about the individual (or this is a consequence of processing). For instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. statistics where there is only one named individual in that position, such as a goalkeeper);
7.1.5 is biographical in a significant sense, that is it does more than record the individual's connection with or involvement in a matter or event which has no personal connotations for them. For instance, if an individual’s name appears on a list of attendees of an organisation meeting this may not relate to the individual and may be more likely to relate to the club they represent;
7.1.6 has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in. For instance, if a selection meeting is to discuss the individual’s performance this is likely to relate to the individual;
7.1.7 affects the individual's privacy, whether in their personal, family, organisation or professional capacity; for instance, an email address or location, and work email addresses, can also be personal data;
7.1.8 is an expression of opinion about the individual; or
7.1.9 is an indication of our (or any other person’s) intentions towards the individual (e.g. how a complaint by that individual will be dealt with).
7.2 Information about companies or other legal persons who are not living individuals is not personal data. However, information about committee members, directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
7.3 Examples of information likely to constitute personal data:
7.3.1 Unique names;
7.3.2 Names together with email addresses or other contact details;
7.3.3 Job title and employer (if there is only one person in the position);
7.3.4 Video and photographic images;
7.3.5 Information about individuals obtained as a result of Safeguarding checks;
7.3.6 Medical and disability information;
7.3.7 Member profile information (e.g. marketing preferences); and
7.3.8 Financial information and accounts (e.g. information about expenses and benefits entitlements, fees, income and expenditure).
8. Lawful basis for processing
8.1 For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the Data Protection Laws.
8.2 For the processing of ordinary personal data in our organisation these may include, among other things:
8.2.1 the data subject has given their consent to the processing (perhaps on their membership application form or when they registered on the club’s website);
8.2.2 the processing is necessary for the performance of a contract with the data subject (for example, for processing membership subscriptions);
8.2.3 the processing is necessary for compliance with a legal obligation to which the data controller is subject; or
8.2.4 the processing is necessary for the legitimate interest reasons of the data controller or a third party (for example, keeping in touch with members, players, participants about competition dates, upcoming fixtures or access to club facilities).
9. Special category data
9.1 Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
9.2 Under Data Protection Laws this type of information is known as special category data and criminal records history becomes its own special category which is treated for some parts the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
9.3 To lawfully process special categories of personal data we must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:
9.3.1 the processing is necessary for the performance of our obligations under employment law;
9.3.2 the processing is necessary to protect the vital interests of the data subject. The Information Commissioner’s Office (“ICO”) has previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;
9.3.3 the processing relates to information manifestly made public by the data subject;
9.3.4 the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
9.3.5 the processing is necessary for the purpose of preventative or occupational medicine or for the assessment of the working capacity of the employee.
9.4 To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
9.4.1 ensure that the individual has given their explicit consent to the processing; or
9.4.2 ensure that our processing of that criminal records history is necessary under a legal requirement imposed upon us.
9.5 We would normally only expect to process special category personal data or criminal records history data in the context of health and safety requirements, safeguarding checks, etc. for our members.
9.6 When do we process personal data?
9.7 Virtually anything we do with personal data is processing including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
9.8 Examples of processing personal data might include:
9.8.1 Using personal data to correspond with members;
9.8.2 Holding personal data in our databases or documents; and
9.8.3 Recording personal data in personnel or member files.
10.1 The main themes of the Data Protection Laws are:
10.1.1 good practices for handling personal data;
10.1.2 rights for individuals in respect of personal data that data controllers hold on them; and
10.1.3 being able to demonstrate compliance with these laws.
10.2 In summary, data protection law requires each data controller to:
10.2.1 only process personal data for certain purposes;
10.2.2 process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
10.2.3 provide certain information to those individuals about whom we process personal data which is usually provided in a privacy notice;
10.2.4 respect the rights of those individuals about whom we process personal data (including providing them with access to the personal data we hold on them); and
10.2.5 keep adequate records of how data is processed and, where necessary, notify the ICO and possibly data subjects where there has been a data breach.
10.3 Every Member has an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy.
10.4 Data protection law in the UK is enforced by the ICO. The ICO has extensive powers.
11. Data protection principles
11.1 The Data Protection Laws set out 6 principles for maintaining and protecting personal data, which form the basis of the legislation. All personal data must be:
11.1.1 processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met;
11.1.2 collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”);
11.1.3 adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”);
11.1.4 accurate and where necessary kept up to date;
11.1.5 kept for no longer than is necessary for the purpose (“storage limitation”);
11.1.6 processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”).
12. Data subject rights
12.1 Under Data Protection Laws individuals have certain rights (“Rights”) in relation to their own personal data. In summary these are:
12.1.1 The right to access their personal data, usually referred to as a subject access request;
12.1.2 The right to have their personal data rectified;
12.1.3 The right to have their personal data erased, usually referred to as the right to be forgotten;
12.1.4 The right to restrict processing of their personal data;
12.1.5 The right to object to receiving direct marketing materials;
12.1.6 The right to portability of their personal data;
12.1.7 The right to object to processing of their personal data; and
12.1.8 The right to not be subject to a decision made solely by automated data processing.
12.2 Requests to exercise these Rights may be made in writing, including by email, or verbally, and should be responded to in writing by us (if we are the relevant data controller) without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We must inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.
12.3 Where the data subject makes the request by electronic means, any information is to be provided by electronic means where possible, unless otherwise requested by the individual.
12.4 If we receive the request from a third party (e.g. a legal advisor), we must take steps to verify that the request was, in fact, instigated by the individual and that the third party is properly authorised to make the request. This will usually mean contacting the relevant individual directly to verify that the third party is properly authorised to make the request.
12.5 There are very specific exemptions or partial exemptions for some of these Rights, and not all of them are absolute rights. However, the right not to receive marketing material is an absolute right, so this should be complied with immediately.
12.6 Where an individual considers that we have not complied with their request (e.g. because we have exceeded the time period), they can seek a court order and compensation. If the court agrees with the individual, it will issue a Court Order to make us comply. The Court can also award compensation. They can also complain to the regulator for privacy legislation, which in our case will usually be the ICO.
12.7 In addition to the rights discussed in this document, any person may ask the ICO to assess whether it is likely that any processing of personal data has been or is being carried out in compliance with the privacy legislation. The ICO must investigate and may serve an “Information Notice” on us (if we are the relevant data controller). The result of the investigation may lead to an “Enforcement Notice” being issued by the ICO. Any such assessments, information notices or enforcement notices should be sent directly to our Chairman from the ICO.
12.8 In the event of a Member receiving such a notice, they must immediately pass the communication to our Chairman or a member of the Committee.
13. Notification and response procedure
13.1 If a Member has received a request, or believes they have received a request, for the exercise of a Right, they should:
13.1.1 get the request confirmed in writing addressed to our Chairman; and
13.1.2 inform our Chairman or a member of the Committee of the request.
13.2 If a letter, fax or email exercising a Right is received by any Member, they should:
13.2.1 pass the letter, fax or email to the Chairman or a Committee Member; and
13.2.2 our Chairman will then respond to the data subject on our behalf.
13.3 Our Chairman will co-ordinate our response. The action taken will depend upon the nature of the request. The Chairman or another member of the Committee will write to the individual and explain the legal situation and whether we will comply with the request. A standard letter/email from the Chairman should suffice in most cases.
14. Your main obligations
14.1 What this all means for you can be summarised as follows:
14.1.1 Treat all personal data with respect;
14.1.2 Treat all personal data how you would want your own personal data to be treated;
14.1.3 Immediately notify our Chairman if any individual says or does anything which gives the appearance of them wanting to invoke any rights in relation to personal data relating to them;
14.1.4 Take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals; and
14.1.5 Immediately notify the Chairman if you become aware of or suspect the loss of any personal data or any item containing personal data. For more details on this see our separate Data Breach Policy which applies to all our Committee Members regardless of their position or role in our organisation.
15. Your activities
15.1 Data protection laws have different implications in different areas of our organisation and for different types of activity, and sometimes these effects can be unexpected.
15.2 Areas and activities particularly affected by data protection law include human resources, payroll, security, customer care, sales, marketing and promotions, health and safety and finance.
15.3 You must consider what personal data you might handle, consider carefully what data protection law might mean for you and your activities, and ensure that you comply at all times with this policy.
16. Practical matters
16.1 Whilst you should always apply a common sense approach to how you use and safeguard personal data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:
16.1.1 Do not take personal data out of the organisation’s premises (unless absolutely necessary).
16.1.2 Only disclose your unique logins and passwords for any of our IT systems to authorised personnel (e.g. IT) and not to anyone else.
16.1.3 Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, etc. This includes paper files, mobile phones, laptops, tablets, memory sticks, etc.
16.1.4 Never leave any items containing personal data in unsecure locations, e.g. in a car on your drive overnight. This includes paper files, mobile phones, laptops, tablets, memory sticks, etc.
16.1.5 If you are staying at a hotel, use the room safe or ask the hotel staff to store items containing personal data when you do not need to have them with you.
16.1.6 Do encrypt laptops, mobile devices and removable storage devices containing personal data.
16.1.7 Do lock laptops, files, mobile devices and removable storage devices containing personal data away and out of sight when not in use.
16.1.8 Do password protect documents and databases containing personal data.
16.1.9 Never use removable storage media to store personal data unless the personal data on the media is encrypted.
16.1.10 When picking up printing from any shared printer, always check to make sure you only have the printed matter that you expect and that no third party’s printing is mixed in with it.
16.1.11 Use confidential waste disposal for any papers containing personal data. Do not place them in the ordinary waste, a bin or a skip; either use a confidential waste service or have them shredded before placing them in the ordinary waste disposal.
16.1.12 Do dispose of any materials containing personal data securely, whether the materials are paper based or electronic.
16.1.13 When in a public place, e.g. a train or café, be careful as to who might be able to see the information on the screen of any device you are using when you have personal information on display. If necessary, move location or change to a different task.
16.1.14 Do ensure that your screen faces away from prying eyes if you are processing personal data, even if you are working in the office. Personal data should only be accessed and seen by those who need to see it.
16.1.15 Do challenge unexpected visitors or employees accessing personal data.
16.1.16 Do not leave personal data lying around, store it securely.
16.1.17 When speaking on the phone in a public place, take care not to use the full names of individuals or other identifying information, as you do not know who may overhear the conversation. Instead use initials or just first names to preserve confidentiality.
16.1.18 If taking down details or instructions from a customer in a public place where third parties may overhear, try to limit the information which could identify that person to others who may overhear, in the same way as when you are speaking on the telephone.
16.1.19 Never act on instructions from someone unless you are absolutely sure of their identity; if you are unsure, take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party, or where the instructions involve money, valuable goods or items, or cannot easily be reversed.
16.1.20 Do notify the Chairman immediately of any suspected security breaches or loss of personal data.
16.1.21 If any personal data is lost, or any devices or materials containing any personal data are lost, report it immediately to the Chairman. For more details on this see our separate Privacy Notice.
16.2 However, you should always take a common sense approach, and if you see any areas of risk that you think are not addressed, please bring them to the attention of our Chairman.
17. Foreign transfers of personal data
17.1 Personal data must not be transferred outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data, or we put in place adequate protections. This is mainly relevant to data held and accessed in Cloud-based services, as well as some data processing the club may outsource, such as payroll processing or performance data analysis.
17.2 These protections may come from special contracts we need to put in place with the recipient of the personal data, from them agreeing to be bound by specific data protection rules, or due to the fact that the recipient’s own country’s laws provide sufficient protection.
17.3 These restrictions also apply to transfers of personal data outside of the EEA even if the personal data is not being transferred outside of our group of companies.
17.4 You must not under any circumstances transfer any personal data outside of the EEA without the Chairman’s prior written consent.
17.5 We will also need to inform data subjects of any transfer of their personal data outside of the UK and may need to amend their privacy notice to take account of the transfer of data outside of the EEA.
17.6 If you are involved in any new processing of personal data which may involve transfer of personal data outside of the EEA, then please seek approval of our Chairman prior to implementing any processing of personal data which may have this effect.
18.1 If you have any queries about this Policy please contact email@example.com.
Version 1 dated 13 May 2018