Old Loughtonians Hockey Club Limited (the “Club”)
General Data Protection Regulations (“GDPR”)
Data Protection Policies and Procedures
This is a guidance note for:
(a) the board of the Club and the members of ManCom and the other officers of the Club;
(b) the employees of the Club; and
(c) those members of the Club who have access to personal data and sensitive data.
Background
The Data Protection Act 2018 came into force on 25 May 2018 (replacing the 1998 Act).
The Information Commissioner’s Office (“ICO”) became the new supervisory authority for data protection.
First, the key definitions
“Personal data” means any form of data used to identify a person, including accident records, address, bank account details, benefits, CV, date of birth, emergency contact details, employee name or number, expenses, medical records, NI number, passport details, salary details and work history;
“Sensitive Data” would include physical or mental health records, political opinions, racial/ethnic origin, religious beliefs and trade union membership;
“Processing” covers obtaining, recording, amending, disclosing, deleting, destroying, organising and using;
“Breach” means a breakdown of security that leads to a disclosure, loss, alteration or destruction of data;
“Data” is information which is stored on digital devices, forms part of a filing system or forms part of an accessible record (but not separate documents, such as working notes about selection kept on a pad on your desk, which are not compiled in a specific filing system).
Data Protection Principles
As an organisation processing personal data the Club must follow the data protection principles. This means having a fair reason for using that data. All data must only be used in accordance with the Club’s Privacy Policy on the basis for which it was collected.
The seven principles are:
1. Lawfulness, fairness and transparency
The Club can therefore use the data collected with specific consent (our membership form provides this) or in order to comply with a legal obligation.
2. Purpose limitation - the use must be for specific agreed reasons.
An example would be to contact a member for selection. The agreed purposes are set out on our membership form.
3. Data minimisation
The Club should only collect and use information which is needed by the Club. Therefore copies should not be taken (unless needed) and documents destroyed following a meeting if they do not need to be retained. Member details should not be copied from the website onto other systems or media other than where temporarily necessary.
4. Accuracy
Information must be kept up to date, hence the request for members to keep their details up to date and the annual checks.
5. Storage limitation
Information should not be kept by the Club for longer than needed. If needed for alumni purposes (for which consent is asked) then we should keep only what is actually needed.
6. Integrity and confidentiality
All information should be kept securely and safely.
Accountability
There is a further principle of “accountability”. The Club is under a duty to implement “appropriate technical governance” measures to show compliance. The ICO can ask for proof at any time.
Examples of these measures would be:
- the review of the Club’s data protection procedures on a regular basis;
- seeking to ensure that all officers, employees and volunteers have appropriate guidance and training; and
- keeping the Privacy Policy (and, if separate, the privacy notices and data protection policies) up to date.
This note covers the second aspect – training.
What can I do with personal data and what do I do if I discover a breach?
The Club collects and processes data from:
(a) members (and former members);
(b) EH and other regulatory authorities;
(c) employees; and
(d) suppliers and customers; and
(e) other contract partners (eg child care company, shop and landlord).
The Club stores member details in the membership area of its website (to which access is restricted to those who need to see and use the membership data) and on the Club’s computer system. It stores non-member details on the Club’s computer system and (where necessary) in separate files.
Jo Davey (office manager and Data Protection Officer (“DPO”)) has access to the data and is primarily responsible for the Club complying with GDPR.
Individual captains, coaches and managers and club officers have limited access to member details for the purpose of team selection, selection notification, reporting and where necessary noting medical conditions specifically brought to their attention by a player or parent. All have responsibility for protecting the data and reporting a breach if one occurs.
As regards members’ details, data must only ever be used for the purposes set out on the membership form. It must also be protected whenever it is processed. The following are examples of good practice.
Protecting data
Devices
- always use the information from the Club website (do not copy details on to other external devices)
- keep access to your laptop/mobile/desktop password protected
- change passwords regularly
- never leave screens unattended and shut down the device when not in use
- USB sticks are easily lost so do not use them
- always use anti-virus software
Paper copies
- do not print out details unless necessary
- destroy copies once used
- do not leave paper copies unattended
Information
- do not give out data to other players, parents or individuals who do not have consent to process that data
- always check recipients of emails before sending information
- avoid group emails unless you are sure of the recipients
- encrypt messages if sensitive information involved
Breach
If you discover a breach, tell the DPO at once. The Club must notify the ICO within 72 hours of a high risk breach. Any minor breach must be recorded in the Club’s breaches register. Failure to do so can result in fines from the ICO or being sued by the person at risk. The person at risk must also be informed if there is a high risk breach.
A high risk breach might be, for example, leaving a schedule of credit card details on the train or amending medical records without consent.
A low risk breach example is emailing a list of members’ names and addresses to the East league instead of England Hockey, or destroying the records of a member by accident.
If in doubt, ask the DPO for advice.
Policies
Please read the Club’s Privacy Policy on the website.
Some answers from the DPO to possible questions.
- The Privacy Policy contains the Club’s Privacy Notices and explains the Data Protection Policy.
- The Club’s images policy is set out on the membership form.
- There are separate notices for CCTV images.
- The DPO is reviewing whether we need a separate Retention and Storage Policy.
More details
Further information is set out in the schedule to this note.
Schedule
Further details about data protection rules.
ICO
The ICO is the regulator responsible for upholding and monitoring data protection compliance.
The ICO regulates compliance, receives notifications of high risk breaches and tries to resolve and mediate on disputes regarding the use of data. It can carry out inspections/audits and recommend improvements in Club practices.
The Club needs to pay an annual registration fee to the ICO.
SAR and FOI
A subject access request (“SAR”) is a request made by or on behalf of an individual for any personal data held on them by an organisation. It is a request for personal data. The request does not have to be in any particular form. The request can be made verbally or in writing.
Examples of a request might include a parent asking for all information held about their child or an employee asking for a copy of their performance management history. The individual can ask for the information that the Club holds as well as details of why they hold it and who they disclose it to. The Club must respond within one calendar month. The Club is unlikely to be able to charge a fee.
There are some exemptions.
Failure to respond to a SAR may result in the matter being reported to, and investigated by, the ICO. This could lead to enforcement action by the ICO (including fines).
A Freedom of Information (“FOI”) request is a request for information made under the Freedom of Information Act 2000, which provides any member of the public with access to information held by public authorities. In short, it is a means of ensuring designated public bodies are transparent with the general public. As the Club is not a public body, it should not have to comply with an FOI request.
Reporting breaches
The Club must notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
Failure to notify of breaches correctly could result in enforcement action by the ICO (including fines).
All data breaches (even the minor ones) should be documented in a breach log at the Club to show the actions taken (and justifications for taking that action).
Only breaches which have caused, or could cause, risk to an individual need to be reported.
Risk is not the same as inconvenience or feeling aggrieved. Risk needs to be something more (for example emotional distress or identity theft). All factors need to be looked at and the DPO can assist in taking a decision whether to report.
Notification to the ICO must be done within 72 hours of discovery of the breach, if the breach is reportable.
If there is a high risk to the rights and freedoms of individuals then the individual should be notified as well. This is a higher threshold than for notifying the ICO.
The Club should give adequate training to those with access to personal data so that they know how to recognise data breaches. All new volunteers should be trained and existing volunteers reminded.
The board (or designated ManCom member) should check the data breaches register to see if breaches are being reported correctly and in time (and to see if there are any security concerns outstanding as a result of a breach). If no breaches have been reported this could be due to lack of awareness.
Data Protection Impact Assessment (“DPIA”)
The Club needs to consider carrying out a DPIA before implementing proposals which could result in a high risk to individuals' interests. A DPIA is an opportunity to consider risks prior to implementing a new process involving sharing of personal information.
The purpose of a DPIA for the Club would be to consider data risks at the outset (rather than waiting until a problem occurs). The aim is to protect against risk from the outset.
After completing a DPIA, if the Club does not think it can mitigate a serious risk, then it should consult the ICO before carrying out the risky practice.
The most common example of when a DPIA should be carried out is when introducing a new software system which affects personal data. Linking our SAGE system to Clubbuzz would be a good example.
Installing the new CCTV cameras or hiring a new payroll provider would also require a DPIA. The problems with Stripe show where things could go wrong.
Directors’ responsibilities
The board of directors (the “Board”) has overall responsibility for the Club’s data protection practices. It might want to appoint the treasurer (or other suitable person) to oversee the practices on behalf of the Board as a whole.
GDPR practices
A DPO has been appointed. The DPO’s role is to advise on best practice and data protection compliance.
The DPO should have suitable expert experience in data protection and have the resources to carry out the role.
The DPO and Board should review all data related policies and procedures. They should also check that the policies are being followed: for example, is data being deleted in accordance with retention procedures, or is there a backlog? Board and ManCom members should be trained, as well as staff and volunteers processing data.
Sending emails to secure Club email addresses is good practice.
General Data Protection Regulation.
Although GDPR is a European Union regulation, it is directly applicable in the UK through the Data Protection Act 2018. It also includes strict rules regarding data transferred outside of the EU.
The stated aim of GDPR is to ensure people’s personal information is handled responsibly and that there is accountability if personal data is compromised.
GDPR is enforceable throughout the EU, and will work hand in hand with the Data Protection Act 2018. If the UK leaves the EU the data protection rules brought about by GDPR will still apply in the UK.
Privacy Notices
The Club should provide privacy notices in accessible places such as the Club website and Club notice boards. The notices should explain what information the Club is collecting, how the Club uses this information and if the Club is sharing this information with any third parties.
Consents
All consents must be positive. The Club sought specific consents in 2018 by sending a survey and asking for opting in or out.
All members are now asked to agree to our Privacy Policy before registering as members.