Saxmundham Sports and Recreational Club
DATA PROTECTION POLICY
Introduction
The club is required to comply with the law governing the management and storage of personal data, as set out in the General Data Protection Regulation 2016 (GDPR) which came into force on 25 May 2018 and replaces all previous national legislation.
Purpose
This policy aims to protect and promote the data protection rights of data subjects (see below) by informing committee members, trustees and employees of the club, as well as volunteers, of:
- their data protection obligations; and
- the procedures they must follow to comply with the GDPR.
Key Data Protection Terms
Anyone engaging with data protection needs to be aware of the key terms which the GDPR uses.
Briefly:
Data subject: a natural identifiable person. For our purposes, the main categories of data subject are consumers (audience members), employees and trustees. But they may also include volunteers, “friends”, hirers and suppliers.
Personal data: data about a data subject from which they can be identified.
Special categories of personal data: data about health, sexual orientation, ethnic background and other data which is intrinsically sensitive.
Processing: collecting, using and storing personal data, either electronically or in a manual filing system.
Controller: the individual or entity which processes personal data, in our case the club.
Data Protection Officer: where the controller is an organisation such as a club, the person with responsibility for the organisation’s compliance with the GDPR.
Schedule 1 provides more detailed definitions of these terms, and further definitions.
Data Protection Principles
Everything in the GDPR, and the procedures we must follow, derives from seven principles:
1. Lawfulness: our data processing must be lawful, fair and transparent.
2. Purpose limitation: we should process data only for necessary lawful purposes.
3. Data minimisation: we shouldn’t collect more data than we need.
4. Accuracy: our procedures should ensure that the data we collect is accurate and, where applicable, remains up to date.
5. Storage limitation: we shouldn’t keep personal data longer than we need to.
6. Confidentiality and security: we must keep personal data confidential and secure.
7. Accountability: we must be able to demonstrate compliance with 1-6.
Rights Of Data Subjects
The GDPR gives data subjects rights which include the following:
- Right of information and access: that is, the right, by way of a subject access request, to know what personal data the organisation holds and for what purpose(s).
- Right of rectification: that is the right to correct inaccurate information
- Right to object: the right to object to the processing of personal data.
Other rights of data subjects (which are not generally material to the club’s operation) are for completeness set out in schedule 2.
Compliance In Practice
- If it is a requirement, we must be registered with the Information Commissioner’s Office.
- Privacy by design. The confidentiality of personal data we hold is to be a priority in the design of all the systems we use, for example our database of members.
- Lawful purpose. We do not need a data subject’s consent to process their data for a lawful purpose, that is, a purpose for which the data subject implicitly gives consent when they give us their personal data. So if we collect personal data from a member to keep them informed about club events, that is a lawful purpose for which we can use the member’s personal data without express consent.
- Circular emails. We do not require consent to send members circular emails about club business as long as we include an unsubscribe button.
- If we want to do anything else with the data subject’s personal data – for example send them emails about matters other than club business – we need their express consent (opt-in) to do so.
- Privacy notices. In order to comply with the principle of transparency, we must provide data subjects with access to our privacy notice. The privacy notice should: identify the data controller; explain the purpose for which personal data is to be processed; and explain the likely consequences of that processing.
- Special categories of personal data. We should strive not to process special categories of personal data, but if we do so then we must comply with the conditions in schedule 3.
- Sharing personal data. Sharing is likely to breach our obligation of confidentiality, unless we are required by law to share personal data (unlikely in our case) or we have express consent from the data subject. We should therefore be very wary of requests to share personal data.
- Subject Access Request. A data subject is entitled to know what personal data we hold about them and for what purpose. We must comply with a subject access request within one month.
- Personal Data Management. We should manage personal data systematically so that for example we can destroy it when no longer needed and retrieve it if required by a subject access request.
- Data Protection Impact Assessments. We are required to carry out a DPIA to:
  - identify data protection risks;
  - assess the impact of these risks;
  - show how we mitigate those risks.
  We should carry out a new DPIA when we introduce new systems which involve processing of personal data.
  Our DPIA should be regularly reviewed and updated, and is the key to showing compliance with the principle of accountability.
- Breaches and reporting. All data protection breaches must be reported to the Data Protection Officer as soon as they are known about so that the DPO can implement a containment and management plan. The DPO must then decide if the breach should be reported to the ICO, which is required if the breach is likely to result in a risk to the rights and freedoms of data subjects.
Responsibility
For the purposes of the GDPR:
- Saxmundham Sports and Recreational Club is the data controller; and
- Mark Fairweather is the current data protection officer.
The data protection officer’s responsibilities are set out in schedule 4.
Everyone in the club, however, is responsible for ensuring that they comply with this policy.
Schedule 1 Key GDPR Terms
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’).
E.g. information from which a person can be identified, directly or indirectly, by reference to an identifier, i.e. name, ID number, location data, online identifiers, etc.
It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
For the club’s purposes, our clients are data subjects (other individual third parties that we hold personal data about are also likely to be data subjects).
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the personal data.
I.e. the controller is the individual, organisation or other body that decides how personal data will be collected and used.
For the club’s purposes, this club is a data controller.
Processing: means any operation which is performed on personal data, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For the club’s purposes, everything that we do with client information (and personal information of third parties) is ‘processing’ as defined by the GDPR.
Special categories of personal data: means personal data revealing:
- a) racial or ethnic origin;
- b) political opinions;
- c) religious or philosophical beliefs;
- d) trade-union membership;
- e) the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person;
- f) data concerning health or data concerning a natural person’s sex life or sexual orientation.
N.B. data relating to criminal convictions and offences is not included within the special categories; however, there are additional provisions for processing this type of data (see Article 10 of the GDPR).
Schedule 2 Other Rights Of Data Subjects
- Right of erasure (in certain circumstances)
- Right to restriction on use of personal data (in certain circumstances)
- Right of portability: the right to require data to be transferred from one data controller to another
Schedule 3 Special Categories of Personal Data
The conditions for processing special categories of personal data that are most relevant to our club are:
- Explicit consent from the data subject.
- The processing is necessary for the purposes of carrying out the club’s obligations in respect of employment and social security and social protection law.
- The processing is necessary to protect the vital interests of the data subject or another person.
- The processing relates to personal data that has already been made public by the data subject; or
- The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Schedule 4 Data Protection Officer’s Responsibilities
- Developing and implementing data protection policies and procedures.
- Arranging periodic data protection training for all staff that is appropriate to their role.
- Acting as a point of contact for all colleagues on data protection matters.
- Monitoring the club’s compliance with its data protection policy and procedures.
- Promoting a culture of data protection awareness.
- Assisting with investigations into data protection breaches and helping the club to learn from them.
- Advising on Data Protection Impact Assessments; and
- Liaising with the relevant supervisory authorities as necessary (i.e. the Information Commissioner’s Office in the UK).