Braintree Hockey Club is committed to complying with data protection law and to respecting the privacy rights of individuals. The policy applies to all of our staff, workers, directors, volunteers and consultants (“Workers”).
This Policy (“Policy”) sets out our approach to data protection law and the principles that we will apply to our processing of personal data. The aim of this Policy is to ensure that we process personal data in accordance with the law and with the utmost care and respect.
We recognise that you have an important role to play in achieving these aims. It is your responsibility, therefore, to familiarise yourself with this Policy and to apply and implement its requirements when processing any personal data. Please pay special attention to sections 14, 15 and 16 as these set out the practical day-to-day actions that you must adhere to when working or volunteering for the club.
Data protection law is a complex area. This Policy has been designed to ensure that you are aware of the legal requirements imposed on you and on us and to give you practical guidance on how to comply with them. This Policy also sets out the consequences of failing to comply with these legal requirements. However, this Policy is not an exhaustive statement of data protection law nor of our or your responsibilities in relation to data protection.
If at any time you have any queries on this Policy, your responsibilities or any aspect of data protection law, seek advice. Contact the Club Secretary.
1. Who is responsible for data protection?
1.1 All our Workers are responsible for data protection, and each person has their role to play to make sure that we are compliant with data protection laws.
1.2 We are not required to appoint a Data Protection Officer (DPO).
2. Why do we have a data protection policy?
2.1 We recognise that processing of individuals’ personal data in a careful and respectful manner cultivates trusting relationships with those individuals and trust in our brand. We believe that such relationships will enable our organisation to work more effectively with and to provide a better service to those individuals.
2.2 This Policy works in conjunction with any other policies we implement from time to time.
3. Status of this Policy and the implications of breach.
3.1 Any breaches of this Policy will be viewed very seriously. All Workers must read this Policy carefully and make sure they are familiar with it. Breaching this Policy is a disciplinary offence and will be dealt with under our Disciplinary Procedure.
3.2 If you do not comply with Data Protection Laws and/or this Policy, then you are encouraged to report this fact immediately to the Secretary. This self-reporting will be taken into account in assessing how to deal with any breach, including any non-compliance which may pre-date this Policy coming into force.
3.3 Also, if you are aware of or believe that any other representative of ours is not complying with Data Protection Laws and/or this Policy you should report it in confidence to the Secretary. Our Whistleblowing Procedure will apply in these circumstances and you may choose to report any non-compliance or breach through our confidential whistleblowing reporting facility.
4. Other consequences
4.1 There are a number of serious consequences for both yourself and us if we do not comply with Data Protection Laws. These include:
4.1.1 For you:
4.1.1.1 Disciplinary action: If you are an employee, your terms and conditions of employment require you to comply with our policies. Failure to do so could lead to disciplinary action including dismissal. Where you are a volunteer, failure to comply with our policies could lead to termination of your volunteering position with us.
4.1.1.2 Criminal sanctions: Serious breaches could potentially result in criminal liability.
4.1.1.3 Investigations and interviews: Your actions could be investigated and you could be interviewed in relation to any non-compliance.
4.1.2 For the organisation:
4.1.2.1 Criminal sanctions: Non-compliance could involve a criminal offence.
4.1.2.2 Civil Fines: These can be up to Euro 20 million or 4% of group worldwide turnover whichever is higher.
4.1.2.3 Assessments, investigations and enforcement action: We could be assessed or investigated by, and obliged to provide information to, the Information Commissioner on its processes and procedures and/or subject to the Information Commissioner’s powers of entry, inspection and seizure causing disruption and embarrassment.
4.1.2.4 Court orders: These may require us to implement measures or take steps in relation to, or cease or refrain from, processing personal data.
4.1.2.5 Claims for compensation: Individuals may make claims for damage they have suffered as a result of our non-compliance.
4.1.2.6 Bad publicity: Assessments, investigations and enforcement action by, and complaints to, the Information Commissioner quickly become public knowledge and might damage our brand. Court proceedings are public knowledge.
4.1.2.7 Loss of business: Prospective members, participants, players, customers, suppliers and contractors might not want to deal with us if we are viewed as careless with personal data and disregarding our legal obligations.
4.1.2.8 Use of management time and resources: Dealing with assessments, investigations, enforcement action, complaints, claims, etc. takes time and effort and can involve considerable cost.
5. Data protection laws
5.1 The Data Protection Act 1998 (“DPA”) applies to any personal data that we process, and from 25th May 2018 this will be replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “Data Protection Laws”) and then after Brexit the UK will adopt laws equivalent to these Data Protection Laws.
5.2 This Policy is written as though GDPR and the DPA 2018 are both in force, i.e. it states the position as from 25th May 2018.
5.3 The Data Protection Laws all require that personal data is processed in accordance with the Data Protection Principles (on which see below) and give individuals rights to access, correct and control how we use their personal data (on which see below).
6. Key words in relation to data protection
6.1 Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into our possession). That living individual might be an employee, customer, prospective customer, supplier, contractor or contact, and that personal data might be written, oral or visual (e.g. CCTV).
6.2 Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. if a name or video footage) or might do so if taken together with other information available to or obtainable by us (e.g. a job title and company name).
6.3 Data subject is the living individual to whom the relevant personal data relates.
6.4 Processing is widely defined under data protection law and generally any action taken by us in respect of personal data will fall under the definition, including for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images.
6.5 Data controller is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.
6.6 Data processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an outsourced payroll provider will be a data processor.
7. Personal data
7.1 Data will relate to an individual and therefore be their personal data if it:
7.1.1 identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
7.1.2 its content is about the individual personally. For instance, medical records, credit history, a recording of their actions, or contact details;
7.1.3 relates to property of the individual, for example their home, their car or other possessions;
7.1.4 it could be processed to learn, record or decide something about the individual (or this is a consequence of processing). For instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. salary details for a post where there is only one named individual in that post, or a telephone bill for the occupier of a property where there is only one occupant);
7.1.5 is biographical in a significant sense, that is it does more than record the individual's connection with or involvement in a matter or event which has no personal connotations for them. For instance, if an individual’s name appears on a list of attendees of an organisation meeting this may not relate to the individual and may be more likely to relate to the company they represent;
7.1.6 has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in. For instance, if a work meeting is to discuss the individual’s performance this is likely to relate to the individual;
7.1.7 affects the individual's privacy, whether in their personal, family, organisation or professional capacity, for instance, email address or location and work email addresses can also be personal data;
7.1.8 is an expression of opinion about the individual; or
7.1.9 is an indication of our (or any other person’s) intentions towards the individual (e.g. how a complaint by that individual will be dealt with).
7.2 Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
7.3 Examples of information likely to constitute personal data:
7.3.1 Unique names;
7.3.2 Names together with email addresses or other contact details;
7.3.3 Job title and employer (if there is only one person in the position);
7.3.4 Video and photographic images;
7.3.5 Information about individuals obtained as a result of Safeguarding checks;
7.3.6 Medical and disability information;
7.3.7 CCTV images;
7.3.8 Member profile information (e.g. marketing preferences); and
7.3.9 Financial information and accounts (e.g. information about expenses and benefits entitlements, income and expenditure).
8. Lawful basis for processing
8.1 For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the Data Protection Laws.
8.2 For the processing of ordinary personal data in our organisation these may include, among other things:
8.2.1 the data subject has given their consent to the processing (perhaps on their membership application form or when they registered on the club’s website);
8.2.2 the processing is necessary for the performance of a contract with the data subject (for example, for processing membership subscriptions);
8.2.3 the processing is necessary for compliance with a legal obligation to which the data controller is subject (such as reporting employee PAYE deductions to the tax authorities); or
8.2.4 the processing is necessary for the legitimate interest reasons of the data controller or a third party (for example, keeping in touch with members, players, participants about competition dates, upcoming fixtures or access to club facilities).
9. Special category data
9.1 Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
9.2 Under Data Protection Laws this type of information is known as special category data and criminal records history becomes its own special category which is treated for some parts the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
9.3 To lawfully process special categories of personal data we must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:
9.3.1 the processing is necessary for the performance of our obligations under employment law;
9.3.2 the processing is necessary to protect the vital interests of the data subject. The ICO has previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;
9.3.3 the processing relates to information manifestly made public by the data subject;
9.3.4 the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
9.3.5 the processing is necessary for the purpose of preventative or occupational medicine or for the assessment of the working capacity of the employee.
9.4 To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
9.4.1 ensure that the individual has given their explicit consent to the processing; or
9.4.2 ensure that our processing of that criminal records history is necessary under a legal requirement imposed upon us.
9.5 We would normally only expect to process special category personal data or criminal records history data in a Human Resources context and also in the context of our members/coaches/volunteers etc. for health and safety requirements, safeguarding checks, etc.
9.6 When do we process personal data?
9.7 Virtually anything we do with personal data is processing including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
9.8 Examples of processing personal data might include:
9.8.1 Using personal data to correspond with members;
9.8.2 Holding personal data in our databases or documents; and
9.8.3 Recording personal data in personnel or member files.
10.1 The main themes of the Data Protection Laws are:
10.1.1 good practices for handling personal data;
10.1.2 rights for individuals in respect of personal data that data controllers hold on them; and
10.1.3 being able to demonstrate compliance with these laws.
10.2 In summary, data protection law requires each data controller to:
10.2.1 only process personal data for certain purposes;
10.2.2 process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner);
10.2.3 provide certain information to those individuals about whom we process persona