Berkeley and District Skittles League | |||
---|---|---|---|
Policy No: | DP01 | ||
Issue No: | 1 | ||
Originator: | Keith Driver (DPM) | Date: | 20.03.2019 |
Approver: | Lloyd Pennington (Chair) | Date: | 25.04.2019 |
1. Introduction & Scope
The League takes its responsibilities seriously in respect of the management of data held in relation to its members and other stakeholders.
This policy clarifies the League’s obligations in relation to the management of data. It sets out how the League protects personal data to ensure that all officers of the League understand the rules governing their use of personal data to which they have access during the course of their work.
2. Frequently used Terms
Personal Data means data kept electronically or in a structured paper file and relating to a living individual who can be identified from that data (or from that data and other information in the League’s possession). Personal data can be factual or it can be an opinion or statement of intention in relation to the individual.
Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, passing the data on, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
3. Lawful Processing of Data
The League must establish one (or more) of the following reasons for processing data:
4. Compliance
The League will process personal data in compliance with established principles of good practice. These provide that personal data must be:
Additionally, the following principles in relation to rights for individuals will be complied with. These are:
4.1 Data Register
The League will create and maintain a Data Register, to ensure that all systems and processes comply with this Policy. A Privacy Impact Assessment will be carried out on all systems to establish the appropriateness of the type of data being collected and to ensure that the necessary steps are put in place to comply with the regulations and this Policy.
4.2 Training
The League will provide training to all officers about their data protection responsibilities.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
5. Data Security
The League will take appropriate security measures against unlawful or unauthorised processing of personal and sensitive personal data, and against the accidental loss of, or damage to, personal data. All officers have a responsibility to keep personal data secure against loss or misuse and are required to comply with the following:
6. Reporting a Breach
All officers have an obligation to report actual or potential data protection failures and breaches. This allows the League to investigate the failure and take remedial steps where appropriate, maintain a register of compliance failures and notify the Information Commissioner’s Office of any compliance failures as appropriate.
Where a breach or potential breach has occurred, it must be notified to the Data Protection Officer in order that the failure or breach can be reported or recorded and investigated as appropriate. This is essential as the regulations stipulate that significant breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the incident occurring.
7. Retention of Data & Disposal Methods
The League is required to retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, considering the reasons that the personal data was obtained, but should be determined in a manner consistent with data retention guidelines. The League will maintain a retention of data matrix which will comply with the different types of legislation and regulation.
Once it is no longer necessary to retain the personal or sensitive personal data, it will be disposed of confidentially, either by using a confidential waste collection service or approved shredding facilities or, in the case of information held electronically, by being permanently deleted.
8. Right to be Forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies. If a lawful reason for processing the data remains then this overrides the request to erase. Under the regulations this is also referred to as the right of erasure.
9. Responsibilities
During the course of the League’s activities, personal data not only about officers and members but also other stakeholders will be collected, processed and stored. All officers are obliged to comply with this Policy when processing personal data on behalf of the League (including that of other officers). Where an officer is in any doubt about what to do with personal information, guidance should be sought from the Data Protection Officer.
The following definitions regarding responsibilities in relation to this Policy apply:
Data Protection Officer (DPO) has overall responsibility for the day to day implementation of this Policy. The Data Protection Officer for the League is the Fixture Secretary.
Officers / Data Protection Processors are responsible for ensuring that they comply with this policy when processing any personal and/or any sensitive personal data.
Members must take reasonable steps to ensure that the personal data held by the League in relation to them is accurate and updated as required. For example, informing the League when their personal circumstances change.
Failure to comply with this Policy will be investigated as part of the League’s Disciplinary Policy.
10. Members’ Personal Data
The League needs to keep information on file about its officers, captains, members and stakeholders for normal administration of the Leagues and cup competitions. The information is held for administrative use only.
This information enables the League to comply with its obligations and to protect its legal position in the event of claims against it. Most of the information held will have been provided by the data subject, but some may come from other sources, such as a team captain.
The League will keep the personal data held about officers, captains, members and stakeholders accurate and up to date. All reasonable steps to confidentially destroy or to amend inaccurate or out-of-date data will be taken.
The League will not keep personal data for longer than is necessary for the purpose or purposes for which the data was collected. All reasonable steps to destroy, or erase from systems, all data which is no longer required will be taken.
11. Examples of information held include:
12. Providing Information to Third Parties
The League discloses information about officers, captains, members and stakeholders on its website. Direct permission to publish this data is granted annually. The League will not provide lists of collective or individual personal data held, directly to any person or organisation unless
13. Processing in line with Individual Rights
The League will process personal data in line with an individual’s rights, in particular the right to:
14. Subject Access Requests (SAR)
A SAR is the right to request any personal data that the League holds about an individual so they can verify that their personal data is being processed lawfully. SARs must be made in writing to the Fixture Secretary who acts as Data Protection Officer.
Where an individual makes a SAR, they are required to specify what data is required and where the data is believed to be held. In such cases the individual will need to provide details of who they believe is holding this data so that the request can be managed. Individuals can ask:
The League has one month to respond to a SAR. This deadline can be extended by a further two months for complicated or large requests.
The League can withhold information if it relates to the prevention, detection or investigation of a crime; national security; the assessment or collection of tax; or judicial or ministerial appointments. The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’.
Any personal data relating to third parties will be redacted prior to access to the information being provided following a subject access request.
15. Privacy statement
Where personal data is being initially collected or used for a further purpose(s), data subjects need to be informed, through a Privacy (also known as a Fair Processing) Notice, how their personal data will be used by the League. This is available as Appendix 1 Privacy Notice.
Last Reviewed: 25.04.19
Categories of information
Categories of information that we collect, process, hold and share include:
Why we collect and use this information
We collect this data directly from those persons who wish to be members of the skittles league during annual registration of teams. We use this data to:
The lawful basis on which we process this information
We process this information to fulfil legitimate interests in organising and administering a recreational activity for the benefit of local communities.
Storing this information
We hold personal data electronically in secure folders which are password protected and/or encrypted as appropriate.
Who we share this information with
Names and phone numbers are published directly on the League website (where permission has been positively granted). In addition, addresses are published in the annual league handbook which is provided to captains upon request. Email addresses are held in the league website which allows indirect contact through the site between identified email accounts only. Information which has been consented for use on the website is completely in the public domain. We do not share information with anyone without consent unless the law requires us to do so.
Captains’, League Officers’ and Landlords’ Rights
Please refer to the Berkeley and District League Data Protection and General Data Protection Regulations Policy to see your rights under data protection legislation.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office.
Further Information
If you would like to discuss anything in this privacy notice, please contact:
Keith Driver, Data Protection Officer
Type of Record | Statutory Retention Period | Applicable Statute |
---|---|---|
League Officers | No Statutory period. League requirements: 15 months from team registration | Data Protection Act 2018 |
Team Captains | No Statutory period. League requirements: 15 months from team registration | Data Protection Act 2018 |
Team Members | No Statutory period. League requirements: 15 months from team registration. Competition Winners & Runner Up: indefinitely as a historic record for the league | Data Protection Act 2018 |
Pubs / Clubs | No Statutory period. League requirements: 15 months from team registration | Data Protection Act 2018 |
Note:
The appointment of officers, registration of team members by captains and the identification of venues to be used will be declared at the Annual General Meeting in June of each year. Positive approval for the publication of personal data will be requested on the team registration form and an acceptance of office form by league officers.
Personal data from the previous season will be refreshed by the Fixture Secretary and published in the League Handbook. The Webmaster will refresh the League Website with information for which the League has positive approval to use. All obsolete personal data from the previous season (except records of winners and runners up) will be removed.
Officers will then administer the League and competitions from the current season’s data.