
Data Protection Policy 2018

Issue Date June 2019

LEAWAY SPORTS AND SOCIAL CLUB’S

Data Protection Act 2018 (DPA18) Policy

A guide to Leaway’s implementation of the Principles set out in the Data Protection Act 2018. This Act makes provision about the processing of personal data. The processing of personal data is subject to the General Data Protection Regulation (GDPR).

a. The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by:

i. requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,

ii. conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and

iii. conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

b. When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.

This is the policy and procedure statement of Leaway Sports and Social Club. We believe it is important to support a culture in which there is respect for private life, data protection, security and confidentiality of personal data.

The policy covers personal data held on any individual.

The policy is to ensure that data held and used by Leaway conforms with the Data Protection principles, which require that data is:

• Lawful and fair.

• Specified, explicit and legitimate

• Adequate, relevant and not excessive

• Accurate and kept up to date

• Not kept for longer than necessary

• Secure

And that it also considers the:

• Rights of the Data Subject, taking into account any exemptions

• Transfer of personal data to third parties

|Contents |Subject |
|1 |Introduction |
|2 |Statement of Policy |
|3 |Data Protection |
|4 |Definition of Personal and Sensitive Data |
|5 |Roles and Responsibilities |
|6 |Policies / Procedures |
| |Membership Application |
| |Adverts for Events |
| |Attendance at Events |
|7 |Data Protection Agreements of Committee members |

1. Introduction

a. To carry out their role, Leaway Committee members must collect and use personal information about the people with whom the Club works: members, suppliers and others. In addition, the Club may sometimes be required to use the personal information to comply with the requirements of central government/CSSC/DRSA.

b. The Act covers not only computerised data, but also manual records held in a structured filing system, i.e. a set of information about individuals structured in such a way as to clearly indicate at the outset of a search whether specific information amounting to the personal data of the individual is held within the system. The Act is designed to safeguard individuals from the harm or embarrassment that could be caused by the loss or unauthorised disclosure of their personal data. It regulates the holding and processing of information relating to living individuals and gives them legally enforceable rights. In addition, it places legal obligations on those persons who control and process personal data (Data Protection Act 2018 (DPA 18)).

c. Leaway will ensure that all the principles are followed and all personal information entrusted to it is treated lawfully.

2. Statement of Policy

a. Leaway endorses and adheres to the Principles set out in the Data Protection Act 2018. The Club will ensure that all elected members, agents, partners or anyone else who has or had access to any personal data held by or for the Club are fully aware of and abide by their duties and responsibilities under the Act.

b. This Policy and the procedures set down in it are reviewed as and when necessary to ensure that the Club continues to comply with all relevant statutory requirements.

c. Leaway will ensure that all personal data is handled confidentially and securely, irrespective of whether it is held on paper or by electronic means.

This includes:

i. The obtaining of personal data

ii. The storage and security of personal data

iii. The use of personal data

iv. The disposal of or destruction of personal data.

d. Leaway will ensure that data subjects have appropriate access upon written request, to personal information pertaining to them and are given the right to correct, rectify, block or erase any incorrect data.

3. Data Protection

When collecting or handling information about people, Leaway will:

a. Ensure that personal data is collected and used fairly and lawfully

b. Ensure that the purposes for which personal data is obtained and processed are specified and that data is not used for any other purpose

c. Personal information must be adequate, relevant and not excessive. The only personal data required is that which Leaway needs for the purposes of its activities. Leaway only holds data that is necessary for membership purposes: to ensure that the member is eligible to join and that we can advise individuals of forthcoming events and their attendance at events.

d. Ensure that any data used or kept is accurate and up to date. The Membership Secretary will carry out a validation exercise annually to ensure the accuracy of the data held, and all previous validation records shall then be deleted/destroyed. These will be shredded. If an individual wishes to leave Leaway, they are to submit a written request (email will suffice) to either the Membership Secretary or a Committee Member, and their personal details will then be deleted from the membership list. NB: Their name, staff number and CSSC membership number will be kept on the list for audit purposes only; all other personal data will be removed. Any email rejection notifications will be investigated (when they occur) and corrected on advice from the individual concerned.

e. The right of rectification. When Leaway is advised of incorrect personal data, it will be corrected and the individual informed accordingly.

f. Collect, process and retain personal data only when necessary. Ensure that data is disposed of properly as soon as it is no longer needed for the purpose specified when collected. All information will be kept for the period of membership and also used when necessary for the attendance at specific events. No data will be issued to any other organisation or business, i.e. for the purposes of direct marketing, but it will be issued to third-party agents when organising/attending specific events. Where data is shared with third-party suppliers, i.e. travel agents, in the processing of booking trips, UK law will apply to those companies.

i. All membership forms are kept until after the yearly validation exercise and then destroyed/deleted, where any changes are made.

ii. Next of Kin (NOK) forms are printed for the period of the relevant trip but are securely shredded after the event.

g. Ensure that appropriate security measures are taken to protect all personal data against damage, loss or abuse. Where paper copies of documents are stored, they are kept in a locked cabinet either in a member’s private address or on the secure MoD site.

i. The Next of Kin details form for a specific event will be printed for the event, held by the organiser and securely disposed of after the event. One copy will also be held on the OneDrive and deleted by the organiser after the event.

ii. The master membership database is password protected and is held on a laptop, which is also password protected and never leaves the Membership Secretary’s private home.

iii. Monthly, an updated Excel version of the Membership List (ML) is uploaded to Microsoft OneDrive (under the security of the Microsoft OneDrive system) and previous versions are deleted.

h. Where personal and sensitive data is held electronically, this is within limited folders with specific permissions. Where it is held off site, it is either in a limited OneDrive site, on home IT or on a USB stick, password protected and/or encrypted.

i. Emails containing the application/validation/event forms are sent electronically by the individual to the Membership Secretary or the event organiser. If an individual is concerned about sending this detail electronically, they can send it by post.

j. Ensure that all personal data is processed in accordance with the rights of the individual concerned

k. Personal information must be processed in line with the data subjects’ rights.

l. Any individual can request any data held about them. However, the only data held is that as provided on the application / validation form and is held in the Membership List. The only exception is where a member provides additional information for a specific event, which is securely disposed of by Leaway as per 2.d.

m. Personal information must not be transferred to other countries without adequate protection.

i. Any information for events outside the UK will be dealt with via the relevant UK travel agent and will be dealt with under their UK policies

ii. Any/all emails sent, whatever the event, are not to detail the members that they are being sent to i.e. the email addresses must all be Blind/BCC copies (unless agreed with individuals).

4. Definition of Personal and Sensitive Data

a. The Act makes a distinction between ‘personal data’ and ‘sensitive data’:

Personal data is defined as data relating to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. This will include any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

b. Sensitive Data is defined as data consisting of information as to:

• Racial or ethnic origin

• Political opinion

• Religious or Philosophical beliefs

• Trade union membership

• Genetic Data

• Biometric Data

• Physical or mental health or condition

• Sexual life

• Criminal proceedings or convictions.

5. Roles and Responsibilities

a. Leaway will ensure that:

i. A member of staff is appointed who has specific responsibility for data protection within the Club

ii. Any disclosure of personal data is compliant with the law and with approved procedures

iii. Anyone managing and handling personal information understands that they are legally bound to follow good data protection practice and the Law

iv. Appropriate advice and guidance is available to anyone wanting to make enquiries about personal information held by the Club

v. Enquiries and requests regarding personal information, i.e. Rights of the Data Subject, are handled courteously and within the time limits set by the Act

vi. Where it is necessary to share data, this is done in accordance with section 3.

vii. Paper files and other records or documents containing personal and/or sensitive data are kept securely

viii. Personal data held electronically is protected by the use of secure passwords which are changed regularly

ix. All users must choose passwords which meet the security criteria specified by the Club’s committee: a minimum of 8 characters which include a capital, a number and a special character.

x. Staff working remotely from home or elsewhere must keep any equipment they use secure and prevent systems and data for which the Club is responsible being used or seen by any unauthorised person.

xi. If required by any affiliated body i.e. CSSC, DSRA Leaway will allow the auditing of all data held.

xii. Ensure that all Committee members are aware of this Policy.

xiii. Subject Access Request (SAR) (information which relates to a specified individual): On receipt of a SAR, an email will be sent to the relevant committee members requesting that they supply all relevant data held. This will then be passed to the requester within 30 days unless an extension has been agreed.

xiv. Data Protection Breaches will be reported to:

a) Army Warning Advice and Reporting Point (WARP).

b) CSSC?

6. Policies / Procedures

a. Membership application (to be completed by the secretary)

i. A membership request is received via email or letter.

ii. Correspondence may occur between Leaway and the requester, clarifying details

iii. If the membership is accepted, your unique Leaway membership number will be issued via email.

iv. Your personal data is inserted into the membership list

v. The membership list is securely stored as per section 3.

vi. The Secretary shall amend or remove the data from the membership list and One Drive version and inform the Vice Treasurer of the data to be removed from their version?

vii. If you request any rectification, your data will be amended accordingly.

b. Adverts for Events

i. When Leaway has an event to advertise to all its members, it shall use the data in the membership list, that the member has given consent to use i.e. work and/or personal email address.

ii. The member will respond to the specific Committee member detailed on the advert, who is running the event.

iii. The advert (containing the specific email addresses) is then deleted and only a blank version is stored for information purposes.

c. Attendance at Events

i. Once a member has requested to attend an event, all correspondence is kept until the completion of the event, and all personal data is then destroyed by the Event Organiser. If it is required for end of year auditing (your name and staff number) of the Club’s accounts, then it will be destroyed after the time required by law.

ii. For any child attending an event, parental or guardian consent for any data processing activity must be provided. The member of Leaway must complete the Events Form with the proviso that parental/guardian consent has been given.

iii. For any guests attending an event, the completion of the Events Booking form by the member of Leaway attending with them will be taken as confirmation by the member that the guest’s consent has been given.

Disclaimer:

A printed version may not be the current version.
