
Data Protection Policy

INTRODUCTION

 

The Data Protection Act 1998 ("DPA") gives rights to individuals about whom information or "data" is obtained or processed, whether manually or automatically (i.e. computer and word processed). The DPA places obligations on businesses, employers and institutions which hold and/or process data about any such individuals.

 

Principles of Data Protection

 

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

 

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject's rights;
  • secure;
  • not transferred to countries without adequate protection.

 

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

 

This document sets out the club’s policy and procedures to meet the requirements of the DPA. It will be made immediately available to members and other external agencies (having a legitimate interest) upon request, although it is not a substitute for understanding the Act.

 

 

1. PROCESSING OF DATA

1.1 Data processing within this policy means the obtaining, recording or holding of information or data or the carrying out of any operation using that information or data such as altering or deleting it, consulting it or disclosing it.

 

1.2 The club will appoint a Data Control Officer as the individual responsible for supervising data control and for assisting those processing data to comply with this policy. This person shall also be responsible for notifying the Information Commissioner of the registerable particulars and ensuring that the notification is kept up to date and is amended or reviewed as appropriate. The Data Control Officer will be the current chairperson of the club. Any person who has access to and processes personal data (referred to in this policy as a data processor) must ensure that he/she complies fully with this policy and with the registerable particulars notified to the Information Commissioner as required under the DPA.

 

1.3 Where members are processing personal data as a legitimate part of their club activities, they should be able to rely upon the notification to the Information Commissioner provided by the club. Members can consult the notification on the Information Commissioner's Web site (http://www.dataprotection.gov.uk/dprhome.htm).

 

1.4 It is the responsibility of each individual data processor to ensure his/her familiarity with this policy and the registerable particulars to ensure compliance with the Club’s requirements. Further information/guidance on any aspect of this policy or details of the registerable particulars may be obtained from the Data Control Officer(s).

 

2. PURPOSE AND METHOD OF DATA COLLECTION

2.1 The purpose of data collection is to facilitate the processing of data on the Club’s members and is designed specifically to provide:

 

2.1.1 Information, whenever required, for planning and managing the Club’s activities.

 

2.1.5 Information, whenever required, for responding to legitimate external enquiries about the Club’s members.

 

2.2 The Data Control Officer shall review annually the nature of information being collated or held to ensure there is a sound business reason requiring the information to be held.

 

2.3 Wherever possible, Club members or potential club members should be advised of what personal information/data is obtained or retained, its source, and the purposes for which the data may be used or disclosed.  In all cases the individual's consent will be sought. In the main this will be by way of general consent, given at the point at which the information is collected.

 

2.4 Initial personal data is ordinarily obtained from the club membership form.  A statement at the end of the membership form clearly outlines that the information collected will be used only for legitimate purposes.

 

3. DISCLOSURE OF DATA

3.1 To ensure compliance with the DPA and in the interests of privacy and member confidence, disclosure and usage of information held by the Club is governed by the following conditions:

 

3.1.1 It must be used only for one or more of the purposes specified in the notification, and can only be used in accordance with the statement within that document clearly outlining its intended use.

 

3.1.2 Provided that the identification of individual members is not disclosed, aggregate or statistical information may be used to respond to any legitimate internal or external requests for data, e.g. market research (see also paragraph 12).

 

3.1.3 Personal data must not be disclosed, either within or outside the Club, to any recipient who is not authorised in the terms of the Data Protection Act, or for any purpose which is not authorised by our notification.

 

3.1.4 Data processors should seek guidance from the Data Control Officer(s) if any doubt surrounds a request for data, whether internal or external.

 

NB. External requests for information should be made in writing and data processors should be satisfied about the legitimacy of requests for information and seek valid documentary evidence if appropriate.

 

3.2 Authorised requests for data by external recipients of data which do not require the consent of the data subject are:

 

3.2.1 Requests made for the purposes of law enforcement (i.e. for the prevention or detection of crime, the assessment or collection of any tax or duty or the assessment or collection of any liability via the Child Support Agency). Disclosure is only allowed where failure to make disclosure would be likely to prejudice one of those purposes. In all cases written evidence should be obtained from the Police, Inland Revenue, Customs and Excise and the Child Support Agency (as appropriate) as to the purpose of the request.

 

3.2.2 Requests in relation to any other compulsory legal processes; again, appropriate written evidence should be obtained beforehand.

 

3.2.3 Requests, if urgently required, for the prevention of injury and damage to health. If needed to protect the vital interests of the member, disclosure may be made without prior consent. Otherwise, the written consent of the member must be obtained beforehand.

 

3.3 Authorised requests for data by external recipients of data which do require the consent of the data subject are:

 

3.3.1 Requests from agents authorised by the member who is the subject of the data, e.g. mortgage requests, employment references. Confirmation should be sought from the member that the information is to be released and, if possible, the member's written consent should be obtained.

 

NB. All data processors should endeavour to restrict disclosures requested from outside of the Club to those required by law as much as possible and should, at all times, follow the Club's security requirements detailed in paragraph 7.

 

4. ACCURACY OF DATA

4.1 Updating is required only "where necessary" on the basis that, provided the Club has taken reasonable steps to ensure accuracy, data held is presumed accurate at the time it was collated.

 

4.2 All members should be made aware of the importance of providing the Club with notice of any change in personal circumstances. The Club has standard forms for updating change of address, telephone number, and those to contact in an emergency, which can be obtained from the membership secretary(s) and the Club website.

 

5. MEMBERS’ RIGHTS

5.1 Club members are, on receipt of a written request, entitled to have access to personal data held upon them. No fee will be levied for this service. They are also entitled to be informed of the purpose for which the data is or is intended to be used and the likely recipient (or class of recipient).

 

5.2 Once a Club member makes a request for confirmation of, or sight of data held, which must be in writing, the Membership Secretary(s) will refer it to the Data Control Officer to respond promptly on behalf of the Club and in any event before the end of 40 days from the date on which the request was received. This is, however, conditional upon the Data Control Officer himself/herself being provided with sufficient information to identify the relevant member and to locate the information sought. The Club is not allowed to charge a fee for providing this information.

 

5.3 In addition to seeking disclosure of information, a member is also entitled to request that the Club does not process data concerning him/her where this will cause or be likely to cause substantial and unwarranted damage or distress, either to the member concerned or to a third party. Such a request will need to be submitted in writing and, where possible, will be agreed by the Club. The member will not be able to prevent processing, however, if the processing is necessary for compliance with any legal obligation (other than one imposed by contract), it is necessary to protect the vital interests of the member or is necessary for the performance of a contract to which the member is a party. Upon receipt of a written request from an employee a Data Control Officer will write to the member within 21 days confirming that the request will be upheld or giving reasons why it will not.

 

5.4 A member who feels that he/she has suffered, or is likely to suffer, damage as a result of either inaccuracy in the data held by the Club or as a result of unauthorised disclosure of information must notify the Data Control Officer in writing immediately. Where appropriate, the Club will correct or erase that information.

 

5.4 Club members have a number of remedies open to them through the Courts in the event that this policy or their legal rights in respect of personal data are not complied with. In all cases, however, members should use the official Complaints Procedure published on the Club Website.

 

6. TRANSFER OF DATA OUTSIDE THE UK

6.1 It is a requirement of the DPA that personal data shall not be transferred to any country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

6.2 For the avoidance of doubt the European Economic Area currently includes Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden and UK. The member is, however, able to consent to the transfer of data in circumstances where the transfer is necessary.

 

6.3 The Club will seek the explicit consent of a member, if it becomes necessary to process and transfer data relating to that member to a country or territory outside the European Economic Area.

 

7. SECURITY

This policy is designed to fulfil statutory requirements and to prevent unauthorised disclosure of, or access to, personal data. The following security measures will therefore be required in respect of the processing of any personal data.

 

7.1 Access to personal data on members is restricted to those members of the Club who have a legitimate need to access such data in accordance with the Club's notification to the Information Commissioner.

 

7.2 Members authorised to access personal data under paragraph 7.1 above will be allowed to do so only in so far as they have a legitimate need and only for the purposes recorded in the notification.

 

7.2 All persons processing data and individuals requesting access to personal data in accordance with this policy must have familiarised themselves with this policy and it will be the task of the Data Control Officer to ensure that all such persons are thoroughly trained in its use.

 

7.3 Access to computer held data is subject to the same restrictions as above.

 

7.4 All personal data will be stored in such a way that access is only permitted by authorised persons. This includes data stored in filing cabinets and other storage systems.

 

7.5 Personal data should be transferred under conditions of security commensurate with the anticipated risks and appropriate to the type of data held.

 

7.6 Personal data held electronically should be appropriately backed up and stored securely to avoid incurring liability to individuals who may suffer damage or distress as a result of the loss or destruction of their personal data.

 

7.7 Any disposal of personal data will be conducted in a secure way, normally by shredding or security waste. All computer equipment or media to be sold or scrapped must have had all personal data completely destroyed, by re-formatting, over-writing or degaussing.

 

11. USE OF PERSONAL DATA

11.1 Those persons processing personal data should ensure they take reasonable precautions to prevent the data from being accessed, disclosed or destroyed as a result of any act or omission on their part. They should notify the Data Protection Officer immediately in the event of theft.

 

12. USE OF PERSONAL DATA IN RESEARCH

12.1 The 1998 Act provides certain exemptions for 'research purposes' including statistical or historical purposes.

 

12.2 Provided that the purpose of research processing is not to support measures or decisions targeted at particular individuals and it does not cause substantial distress or damage to a data subject, then personal data may be:

 

i. Processed for purposes other than for which they were originally obtained

 

ii. Held indefinitely

 

iii. Exempt from the right of access by data subjects where the results do not identify individual data subjects

 

12.3 Most of the Data Protection Principles still apply to personal data used for research purposes and researchers should always provide clear guidance to individuals whose personal data will be used in research as to why the data is being collected and the purposes for which it will be used.

 

13. COLLECTION OF PERSONAL DATA FROM WEB PAGES

13.1 The Club will provide the following information on any Web pages designed to collect personal data:

 

i. The purpose for which the data is being collected

 

ii. The recipients or classes of recipients to whom the data may be disclosed

 

iii. An indication of the period for which the data will be kept

 

iv. Any other information to ensure that the processing is 'fair'

 

Last Updated – 14th March 2005