General Data Protection Regulations


  Data Protection & General Data Protection Regulations Policy

Berkeley and District Skittles League
Policy No:DP01
Issue No:1
Originator:Keith Driver (DPM)Date:20.03.2019
Approver:Lloyd Pennington (Chair)Date:25.04.2019

Contents

  1. Introduction and Scope
  2. Frequently used Terms
  3. Lawful Processing of Data
  4. Compliance
    4.1 Data Register
    4.2 Training
  5. Data Security
  6. Reporting a Breach
  7. Retention of Data & Disposal Methods
  8. Right to be forgotten
  9. Responsibilities
  10. Personal Data
  11. Examples of information held
  12. Providing Information to Third Parties
  13. Processing Data in line with Individual Rights
  14. Subject Access Requests
  15. Privacy Statement

1. Introduction & Scope

The League takes its responsibilities seriously in respect of the management of data held in relation to its members and other stakeholders.

This policy clarifies the League’s obligations in relation to the management of data. It sets out how the League protects personal data to ensure that all officers of the League, understand the rules governing their use of personal data which they have access to during the course of their work.


2. Frequently used Terms

Personal Data means data kept electronically or in a structured paper file and relating to a living individual who can be identified from that data (or from that data and other information in the League’s possession). Personal data can be factual or it can be an opinion or statement of intention in relation to the individual.

Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, passing the data on, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.


3. Lawful Processing of Data

The League must establish one (or more) of the following reasons for processing data:

  1. To fulfil legal obligations.
  2. To perform a contract, to take steps to enter into a contract or at the data subjects request.
  3. To fulfil a legitimate interest – where this is used to establish a purpose for processing of data, the League would need to be able to demonstrate why this is necessary.

4. Compliance

The League will process personal data in compliance with established principles of good practice. These provide that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected and processed for specified, legitimate purposes and not processed in a manner that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
  4. Accurate and up to date, whilst having regard for the purposes for which data is processed, every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Additionally, the following principles in relation to rights for individuals will be complied with. These are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to object
  • The right not to be subject to automated decision-making including profiling
  • The right to data portability (only applies to personal information an individual has provided to a Data Protection Officer), where processing is based on the individuals consent or for the performance of a contract and when processing is carried out by automated means.

4.1 Data Register

The League will create and maintain a Data Register, to ensure that all systems and processes comply with this Policy. A Privacy Impact Assessment will be carried out on all systems to establish the appropriateness of the type of data being collected and to ensure that the necessary steps are put in place to comply with the regulations and this Policy.

4.2 Training

The League will provide training to all officers about their data protection responsibilities.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.


5. Data Security

The League will take appropriate security measures against unlawful or unauthorised processing of personal and sensitive personal data, and against the accidental loss of, or damage to, personal data. All officers have a responsibility to keep personal data secure against loss or misuse and are required to comply with the following:

  1. Retain sensitive personal data in secure, locked cabinets.
  2. Information which is stored electronically is to be subject to access controls, passwords and where appropriate using encryption.
  3. Sensitive personal data is not permitted to be held on memory sticks or any other unsecure portable device.
  4. Personal data will not be transferred to a third party.
  5. Use password-protected and encrypted software for the transmission and receipt of emails containing sensitive personal data.
  6. Officers must have good disciplines in relation to their electronic data and ensure that it is removed and where appropriate disposed of.
  7. Hard copies of personal data that are to be deleted, must be shredded or disposed of using confidential waste collection service or any alternative confidential method.

6. Reporting a Breach

All officers have an obligation to report actual or potential data protection failures and breaches. This allows the League to investigate the failure and take remedial steps where appropriate, maintain a register of compliance failures and notify the Information Commissioners Office of any compliance failures as appropriate.

Where a breach or potential breach has occurred, these must be notified to the Data Protection Officer in order that the failure or breach can be reported or recorded and investigated as appropriate. This is essential as the regulations stipulate that significant breaches must be reported to the Information Commissioners Office (ICO) within 72 hours of the incident occurring.


7. Retention of Data & Disposal Methods

The League is required to retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, considering the reasons that the personal data was obtained, but should be determined in a manner consistent with data retention guidelines. The League will maintain a retention of data matrix which will comply with the different types of legislation and regulation.

Once it is no longer necessary to retain the personal or sensitive personal data, it will be disposed of confidentially either by using a confidential waste collection service, or approved shredding facilities or in the case of information held electronically, permanently deleted.


8. Right to be Forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies. If a lawful reason for processing the data remains then this overrides the request to erase. Under the regulations this is also referred to as the right of erasure.


9. Responsibilities

During the course of the League’s activities, personal data not only about officers and members but also other stakeholders will be collected, processed and stored. All officers are obliged to comply with this Policy when processing personal data on behalf of the League (including that of other officers). Where an officer is in any doubt about what to do with personal information, guidance should be sought from the Data Protection Officer.

The following definitions regarding responsibilities in relation to this Policy apply:

Data Protection Officer (DPO) has overall responsibility for the day to day implementation of this Policy. The Data Protection Officer for the League is the Fixture Secretary.

Officers / Data Protection Processors are responsible for ensuring that they comply with this policy when processing any personal and or any sensitive personal data.

Members must take reasonable steps to ensure that the personal data held by the League in relation to them is accurate and updated as required. For example, informing the League when their personal circumstances change.

Failure to comply with this Policy will be investigated as part of the League’s Disciplinary Policy.


10. Members Personal Data

The League needs to keep information on file about its officers, captains, members and stakeholders for normal administration of the Leagues and cup competitions. The information held for administrative use only.

This information enables the League to comply with its obligations and to protect its legal position in the event of claims against it. Most of the information held will have been provided by the data subject. but some may come from other sources, such as a team captain.

The League will keep the personal data held about officers, captains, members and stakeholders accurate and up to date. All reasonable steps to confidentially destroy or to amend inaccurate or out-of-date data will be taken.

The League will not keep personal data for longer than is necessary for the purpose or purposes for which the data was collected. All reasonable steps to destroy, or erase from systems, all data which is no longer required will be taken.


11. Examples of information held includes:

  • Officers name, address, telephone number(s) email address
  • Captains name, address, telephone number(s) email address
  • Members name (for inclusion in competition winners lists)
  • Stakeholders name, address, telephone number(s) email address i.e. Landlords
  • Names included in correspondence for general administration of the League

12. Providing Information to Third Parties

The League discloses information about officers, captains, members and stakeholders on its website. Direct permission to publish this data is granted annually. The League will not provide lists of collective or individual personal data held, directly to any person or organisation unless
  1. It is a legal requirement.

13. Processing in line with Individual Rights

The League will process personal data in line with an individual’s rights, in particular the right to:
  1. Request access to personal data the League may hold about them.
  2. Prevent the processing of personal data for direct-marketing purposes.
  3. Request that inaccurate data is amended and held accurately.
  4. Prevent processing that is likely to cause damage or distress to themselves or anyone else.

14. Subject Access Requests (SAR)

A SAR is the right to request any personal data that the League holds about an individual so they can verify that their personal data is being processed lawfully. SAR’s must be made in writing to the Fixture Secretary who acts as Data Protection Officer.

Where an individual makes a SAR, they are required to specify what data is required and where the data is believed to be held. In such cases the individual will need to provide details of whom they believe is holding this data so that the request can be managed. Individuals can ask:

  1. why their data is being processed
  2. what categories of personal data are held about them
  3. who has received or will receive their personal data
  4. where the data came from if they did not give it to you

The League has one month to respond to a SAR. This deadline can be extended by a further two months for complicated or large requests.

The League can withhold information if it regards the prevention, detection or investigation of a crime; national security; the assessment or collection of tax; and judicial or ministerial appointments. The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’.

Any personal data relating to third parties will be redacted prior to access to the information being provided following a subject access request.


15. Privacy statement

Where personal data is being initially collected or used for a further purpose(s) then data subjects need to be informed through a Privacy (also known as a Fair Processing) Notice, how their personal data will be used by the League. This is available as Appendix 1 Privacy Notice.


Last Reviewed: 25.04.19


  Data Mapping

GDPR Mapping

  Privacy Notice for League Officers, Captains, and Landlords


Categories of information

Categories of information that we collect, process, hold and share include:

  • Personal contact details (names, addresses, phone numbers and email addresses)
  • Pub / Club address, phone number and Contact details

Why we collect and use this information

We collect this data directly from those persons who wish to be members of the skittles league during annual registration of teams. We use this data to:

  • Enable the planning, operation and administration of the Berkeley and District Skittles League and cup competitions

The lawful basis on which we process this information

We process this information to fulfil legitimate interests in organising and administering a recreational activity for the benefit of local communities.


Storing this information

We hold personal data electronically in secure folders which are password protected and or encrypted as appropriate.


Who we share this information with

Names, and phone numbers are published directly on the League website (where permission has been positively granted). In addition, addresses are published in the annual league handbook which is provided to captains upon request. Email addresses are held in the league website which allows indirect contact through the site between identified email accounts only. Information which has been consented for use on the website is completely in the public domain. We do not share information with anyone without consent unless the law requires us to do so.


Captains, League Officers and Landlord’s Rights

Please refer to the Berkeley and District League Data Protection and General Data Protection Regulations Policy to see your rights under data protection legislation.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office.


Further Information

If you would like to discuss anything in this privacy notice, please contact:

Keith Driver, Data Protection Officer


  Data Retention Matrix

Type of RecordStatutory Retention PeriodApplicable Statute
League Officers
  • Names
  • Addresses
  • Phone numbers
  • Email addresses
No Statutory period
League requirements: 15 months from team registration
Data Protection Act 2018
Team Captains
  • Names
  • Addresses
  • Phone numbers
  • Email addresses
No Statutory period
League requirements: 15 months from team registration
Data Protection Act 2018
Team Members
  • Names
  • Gender
No Statutory period
League requirements: 15 months from team registration
Competition Winners & Runner Up: indefinitely as a historic record for the league
Data Protection Act 2018
Pubs / Clubs
  • Names
  • Addresses
  • Phone numbers
  • Email addresses
No Statutory period
League requirements: 15 months from team registration
Data Protection Act 2018

Note:

The appointment of officers, registration of teams members by captains and the identification of venues to be used will be declared at the Annual General Meeting in June of each year. Positive approval for the publication of personal data will be requested on the team registration form and an acceptance of office form by league officers.

Personal data from the previous season will be refreshed by the Fixture Secretary and published in the League Handbook. The Webmaster will refresh the League Website with information for which the League has positive approval to use. All obsolete personal data from the previous season (except records of winners and runners up) will be removed.

Officers will then administrate the League and competitions from the current season’s data.