OLD VERULAMIAN RUGBY CLUB LIMITED

DATA PROTECTION POLICY AND PROCEDURES

March 2018

1              COMMITMENT

1.1          The Old Verulamian Rugby Club Limited (“the Club”) holds personal data about members of the Club at senior and junior level including all levels of membership ("Members").

1.2          The Club is committed to ensuring that any personal data is dealt with properly and securely however it is collected, recorded and used, whether on paper, computer or recorded on any other material.

1.3          The Club regards the lawful and correct treatment of personal data as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end, the Club fully endorses and adheres to all applicable data protection and privacy legislation, regulations and guidance ("Data Protection Legislation"). Prior to 25 May 2018 this will be the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations and any guidance or codes of practice issued by the Information Commissioner from time to time (all as amended, updated or re-enacted from time to time); and from 25 May 2018 onwards this will be Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and the Privacy and Electronic Communications (EC Directive) Regulations and any guidance or codes of practice issued by the European Data Protection Board or Information Commissioner from time to time (all as amended, updated or re-enacted from time to time).

2              POLICY

2.1          The aim of this policy is to set out how the Club seeks to protect personal data and ensure that the Club’s governing body (“the Committee”), sub committees and other working parties formed from time to time, volunteers, and where appropriate Members to whom tasks might be delegated are clear about the purpose and principles of data protection and to ensure that they have guidelines and procedures in place which are consistently followed.

3              DEFINITION OF DATA PROTECTION TERMS

In this policy:

3.1          Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.

3.2          Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. The Club is the data controller of all personal data used in pursuing its objects in accordance with its rules.  

3.3          Data subjects include all living individuals about whom the Club holds personal data. All data subjects have legal rights in relation to their personal information.

3.4          Data users are those entities and individuals described in clause 2.1 above whose work involves processing personal data. Data users must protect the data they handle in accordance with this policy at all times.

3.5          Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in the Club's possession), such as contractors and suppliers, Members and their partners, and members of affiliated organisations. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about the person, their actions and behaviour.

3.6          Processing data means obtaining, recording, holding or doing anything with data, such as organising, using, altering, retrieving, disclosing or deleting it.

3.7          Sensitive personal data means personal data about an individual's race or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health conditions, sexual life, criminal offences or related proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned, although it is unlikely that the Club will collect such data.

4              COMPLIANCE

4.1          Anyone processing personal data must comply with Data Protection Legislation. To comply with the law, personal data must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

4.2          The Club will observe the following principles in respect of the processing of personal data:

4.2.1      personal data will be processed fairly and lawfully;

4.2.2          personal data will only be processed for limited purposes and in an appropriate way;

4.2.3      personal data processed for a specific purpose will be adequate, relevant and not excessive for that purpose;

4.2.4          personal data will be accurate and up to date;

4.2.5          personal data will not be held any longer than is necessary;

4.2.6          personal data will be processed in line with data subjects’ rights;

4.2.7      personal data will be kept secure against loss or misuse; and

5              SCOPE

5.1          Failure to adhere to Data Protection Legislation is unlawful and could result in legal action being taken against the Club or its volunteers with potential substantial fines.

5.2          The principles apply to personal data, and the Club’s Members to whom duties are delegated by the Club or any of the Club’s committees, and who process or use any personal information in the course of their duties, will ensure that these principles are followed at all times.

6              RESPONSIBILITY

6.1          During the course of their duties with the Club, volunteers (the definition of which embraces all Club Committee members) may be required to deal with information such as the names/addresses/phone-numbers/e-mail addresses of Members, Members' partners' names, suppliers and/or other members of the Club.

6.2          Volunteers may be told or overhear sensitive information while working for the Club. Data Protection Legislation gives specific guidance on how this information should be dealt with. In short, to comply with the law, personal data must be collected and used fairly, stored safely, and not disclosed to any other person unlawfully.

6.3          The Club will regard any unlawful breach of any provision of Data Protection Legislation by any volunteer as a serious matter which could result in disciplinary action. Any volunteer or Member who breaches this policy statement will be subject to the Club’s disciplinary procedure. Any such breach could also lead to criminal prosecution.

7              FAIR AND LAWFUL PROCESSING

7.1          Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

7.2          For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in Data Protection Legislation. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal condition to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controller in the course of its activities, the Club will ensure those requirements are met.  

8              NOTIFYING DATA SUBJECTS

8.1          If the Club collects personal data from data subjects, the Club will inform them about:

8.1.1      The purpose or purposes for which the Club intends to process that personal data.

8.1.2      The types of third parties, if any, with which the Club will share or to which the Club will disclose that personal data.

8.1.3      The means, if any, with which data subjects can limit the Club's use and disclosure of their personal data.

8.2          If the Club receives personal data about a data subject from other sources, the Club will provide the data subject with the information as soon as possible thereafter.

8.3          The Club will also inform data subjects whose personal data it processes that it is the data controller with regard to that data and who to contact in this regard.  

9              ADEQUATE, RELEVANT AND NON-EXCESSIVE PROCESSING

The Club will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.

10           PROCESSING IN LINE WITH DATA SUBJECTS' RIGHTS

The Club will process all personal data in line with data subjects' rights as set out in further detail in the Club's privacy notices.  

11           SECURITY

The Club will take appropriate measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

12           DEALING WITH SUBJECT ACCESS REQUESTS

12.1        Data subjects must make a formal request for information the Club holds about them. This must be made in writing.

12.2        When receiving telephone enquiries, the Club will only disclose personal data it holds on its systems if the following conditions are met:

12.2.1    The Club will check the caller's identity to make sure that information is only given to a person who is entitled to it.

12.2.2    The Club will suggest that the caller put their request in writing if it is not sure about the caller's identity and where their identity cannot be checked.

12.3        The Club Chairman will escalate any request as appropriate for assistance in difficult situations. Staff should not be pressured into disclosing personal information.  

13           PROCEDURES

The following procedures have been developed in order to ensure that the Club meets its responsibilities in terms of data protection in respect of all data subjects.

13.1        Internal Data Records

Purpose

13.1.1    The Club uses personal data for a variety of purposes in order to perform its obligations to Members, to comply with legal obligations, or otherwise in pursuit of its legitimate social, civic and ceremonial interests. The data is stored and processed for the following purposes:

·      Registration

·      Reporting on Emergency or Health & Safety issues

·      Providing such information to the Rugby Football Union

·      Application for membership forms

·      The day to day management of tasks and responsibilities

·      Social events

This list is not exhaustive and the Club may undertake additional processing in line with the purposes set out above. The Club will update this policy in that case to reflect any notable changes in the purposes for which it processes any personal data.

Access

13.1.2    The contact details of Members (at all levels etc.) will only be made available to appropriate other Members and volunteers. Any other information supplied on application is maintained in secure filing cabinets and is not accessed during the day to day running of the Club.

13.1.3    Contact details of Members and volunteers will not be passed on to anyone outside the Club without their explicit consent unless required by law.

Accuracy

13.1.4    The Club will take reasonable steps to keep personal data up to date and accurate.

Storage

13.1.5    Personal data is kept in paper-based systems and on the Club’s secure password-protected computer system.

13.1.6    Every effort is made to ensure that paper-based data is stored in organised and secure systems.

Use of Photographs

13.1.7    Where practicable, the Club will seek consent from individuals and in respect of Mini and Junior Members their legal guardian before displaying photographs in which they appear. If this is not possible, the Club will remove any photograph if a complaint is received. This policy also applies to photographs published on the Club’s website, or in any other Club printed material.

13.2        External data records

Purpose

13.2.1    The Club processes an element of personal data for individuals other than those referred to above (such as names, addresses, and phone numbers). This data is obtained, stored and processed solely to assist the Committee and sub committees in the efficient running of the Club’s activities.

Consent

13.2.2    Personal data is collected via e-mail and via other methods such as application forms. During this initial contact, the data subject is given an explanation of how this information will be used as appropriate and will be directed to the applicable data privacy notice on the Club's website. In respect of Mini/Junior registration the legal guardian will be asked to tick a box affirming that they have understood.

13.2.3    Personal data will not be passed on to anyone outside the organisation without explicit consent from the data subject unless there is a legal duty of disclosure under other legislation, in which case the Honorary Secretary will discuss and agree disclosure with the Chairman or Club’s designated representative or representatives.

Access

13.2.4    Only the Club’s Committee, the Chairman and if appropriate the Club’s designated representative or representatives (which may constitute a specific subcommittee of the Club) will normally have access to personal data. Such persons are made aware of the data protection policy and their obligation not to disclose personal data to anyone who is not supposed to have it.

13.2.5    Information supplied is maintained in secure paper filing and electronic systems and is only accessed by those individuals involved in the delivery of the service.

13.2.6    Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue which require this information and save where required by law.

13.2.7    Individuals will be supplied with a copy of any of their personal data held by the Club if a request is made in accordance with the applicable rules.

Accuracy

13.2.8    The Club will take reasonable steps to keep personal data up to date and accurate.

Storage

13.2.9    Personal data is kept in paper-based systems and on the Club’s database on its password-protected computer system.

13.2.10  Every effort is made to ensure that paper-based data is stored in organised and secure systems.

Use of Photographs

13.2.11  Where practicable, the Club will seek consent from individuals before displaying photographs in which they appear. If this is not possible, the Club will remove any photograph if a complaint is received. This policy also applies to photographs published on the Club’s website, or in any other Club printed material.

14           RETENTION OF DATA

14.1        No documents will be stored for longer than is necessary. The Club will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

14.2        Guidelines on retention periods will be agreed between the Honorary Secretary and the Chairman or a designated Club representative. All documents containing personal data must be disposed of securely in accordance with the data protection principles.

14.3        Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be discussed between the Honorary Secretary and the Chairman or a designated Club representative.

15           MONITORING AND REVIEW

15.1        The Club will monitor the effectiveness of this policy regularly, considering its suitability, adequacy and effectiveness. As a minimum this policy will be reviewed annually.

1st March 2018