Data Protection Policy & Procedures
The Data Protection Act 2002 contains specific requirements for the way in which personal data (i.e. information about living people) must be handled and a subject’s right to inspect and challenge the data.
The UKPA has a policy and administrative procedures the intent of which is to ensure compliance with the requirements of the Act.
Each club affiliated to the UKPA is responsible for administrating its own data protection obligations. They will therefore need to think about the kinds of personal information held about the club’s members (and perhaps others who are on mailing lists but who are not official members) and how this information is used.
1. The Data Protection Act 2002
1.1 The key features of the current Data Protection Act are:
1.1.1 Personal data must not be held without consent or unless absolutely necessary to fulfil a contract with the subject or to meet legal requirements, and then must be processed fairly and lawfully:
It is acceptable to keep members’ names on a written or electronic register and use this for the purposes of administering the Association/Club (collecting subscriptions, sending out information, organising meetings and practice sessions, keeping a record of who is eligible to umpire, supervise children, etc.) provided individual members agree to this;
1.1.2 Personal data must be obtained for one or more lawful purposes and must not be further processed in any manner incompatible with the purpose(s);
It is not acceptable to use the membership register to generate mailing lists for use by external parties (e.g. sponsors, other Associations and/or Clubs) unless individual members specifically agree to this.
1.1.3 Personal data must be adequate and not excessive for the purpose(s) for which they are processed; so if you are asking members to provide details of home addresses, date of birth, etc., you need to consider whether such data are necessary for the purposes of the Association’s/Club’s activities;
1.1.4 Personal data must be accurate and where necessary kept up to date;
1.1.5 Personal data must not be kept for longer than necessary for the purpose(s) originally collected.
There is a need to be careful about retaining details of members who have left the Association/Club. The details might be wanted for historical records, but the information must not be used for such purposes as the basis of mailshots (e.g. for fund-raising), unless the subjects consented to that when the data were originally collected.
1.1.6 Personal data must be processed in accordance with subjects’ rights under the Act: these include the subject’s right to inspect the data held about him or her (but not data about other people); to prevent the processing of data; to correct, block or erase data; to sue for damage caused.
It is necessary to bear in mind that the Association/Club collectively, or their individual officers, could be prosecuted for breaches of the Act.
1.1.7 Appropriate technical and organisational measures must be taken to prevent unauthorised/unlawful processing of personal data and against accidental loss, destruction, and damage.
If the Association/Club is holding its data on computer, it needs to be careful about who is able to access and process the data; if records are paper-based, they must be kept secure.
1.1.8 Personal data must not be transferred, without the subject’s consent, outside the European Economic Area unless the country concerned ensures an adequate level of protection for the rights and freedoms of data subjects.
This needs to be borne in mind by any Association/Club with an international focus, and by officers who may be taking Association/Club records out of the UK (e.g. on a laptop computer) when travelling to tournaments overseas.
2. The Information Commissioner
2.1 The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information.
2.2 The Data Protection Act 1998 requires every “Data Controller” who is processing personal data to “notify” the ICO, unless they are exempt. Failure to notify is a criminal offence.
2.3 Notification is the process by which a Data Controller informs the Commissioner of certain details about the processing of personal data carried out by that Data Controller. Those details are used by the Commissioner to make an entry describing the processing in a register, which is available to the public for inspection. Notification is made by following the instructions available on the ICO website at www.ico.gov.uk.
2.4 Generally “not for profit” organisations such as sports clubs are exempt, but exemption is based on the information held, and exemption may be applicable to some polocrosse clubs. However, organisations which retain data on:
Criminal Record Vetting of Coaches and/or Child Protection Officers,
cannot be exempt and must therefore notify. This requirement applies to the UKPA.
2.5 A “Data Controller” is the corporate body, e.g. the UKPA, and its Executive Committee is “jointly and severally” (together and individually) accountable for compliance with the Act. Individuals responsible for processing and the security of data are termed “Data Processors” and are accountable, as individuals, for the maintenance and security of the data, which they retain and control.
2.6 Administratively the UKPA Secretary is responsible for the initial notification to the ICO and thereafter for the annual renewal of notification. The secretary must inform the ICO of changes in the class of data retained by the Association and of significant changes in the procedures by which data is collected, secured or deleted.
3. Data Processors
3.1 The main Data Processors among the UKPA Officers are:
Child Protection Officer
and are the only persons authorised to make and retain electronic or hard copy records of data related to the members of the UKPA for the UKPA.
The Data Processors may disclose their data records to other persons specifically authorised by the UKPA Executive to receive them (e.g. Tour Managers and Coaches), on a strictly “need to know” basis associated with the administration of UKPA activities.
Records held by Data Processors must comply with the requirements of Paragraph 1 above.
4. Data Security
4.1 All personal data held by Data Processors must be stored securely. For electronic data stored on a computer this will be satisfied by a password to access the data, known only to the particular Data Processor. For hard copy data a lockable metal filing case or cabinet should be used and the keys should be available only to the particular Data Processor.
5. Data Protection Audit
5.1 To protect the Association and its Executive Committee from prosecution for non-compliance with the Act, the UKPA Secretary will make an annual audit of the system and the data maintained by individual Data Processors. The audit will be in the form of a self-assessment checklist incorporating the criteria of Paragraphs 1.1.1 through 1.1.8 above, sent to each authorised Data Processor and requiring them to define their procedures for ensuring compliance and the data which they record, and to return the completed checklist to the UKPA Secretary within a specified time. The UKPA Secretary will analyse the completed checklists and any failure of compliance will be recorded. The particular Data Controller will be advised, by the UKPA Secretary, of the action required to rectify the non-compliance. The UKPA Secretary will retain completed checklists.
6. Requests for Information
6.1 Individual UKPA Members have a right under the Act to make a request, in writing, for information about the data held by the UKPA about them, on computer and in manual filing systems. This is called a “Subject Access Request”. They are also entitled to obtain a description of the information, what it is used for, whom it might be passed on to, and any information held about the source of the information. A Member may only obtain access to their individual records and not data pertaining to any other individual. Requests should be sent, in writing, to the UKPA Secretary. The UKPA is entitled to charge a fee of up to £10 for this service.
6.2 The Act requires a Data Controller to comply with a Subject Access Request within 40 calendar days, starting from when all the information necessary to deal with the request, and any fee that is required, has been received by the Data Controller. Individuals can complain to the ICO or apply to a court if the Data Controller does not comply within this time limit.
6.3 A copy of the information should be supplied in a permanent form except where the individual agrees otherwise or where it is impossible or would involve undue effort.
6.4 On receipt of a request the UKPA Secretary acknowledges the request, in writing, and, if applicable, advises the applicant whether further information is required to comply and whether a fee is to be charged.
6.5 Following the receipt of all information necessary to process the request (e.g. the preferred format of the response, hard copy or electronic) and, if applicable, the required fee, the UKPA Secretary sends a form to all UKPA Data Processors.
6.6 The form requests them to complete a description of the data held about the subject of the request, what it is used for, whom it might be passed on to, and any information held about the source of the information. A “nil return” is required where no data are held.
6.7 On return of the completed forms the UKPA Secretary consolidates the information, transmits it to the subject of the request and files all correspondence for future reference.
7. Transfer of Records
7.1 As the appointment of persons to the positions within the Association classed as Data Processors changes periodically, it is important to have a procedure for the transfer of confidential data records from an outgoing to an incoming appointee.
7.2 The transfer of data is overseen by the UKPA Secretary and the outgoing appointee is requested to sign a statement confirming that all data records, pertaining to the appointment, have been transferred to the incoming appointee and that no copies have been retained.
UKPA Data Protection Policy
The Data Protection Act 2002 contains specific requirements about the way in which personal data (i.e. information about living people) must be handled and a subject’s right to inspect and challenge the data.
The UKPA has a policy and administrative procedures the intent of which is to ensure compliance with the requirements of the Act.
The legislation requires the UKPA to advise individuals, on request, about the processing of personal information, i.e. what information is held, why it is being collected, how it will be used and the circumstances in which it will be disclosed.
UKPA Membership details including name, address and date of birth are held for each Member; additionally, relevant details such as player grading, medical records and disciplinary issues may be recorded. For members involved in child welfare and protection, Criminal Bureau Records may be accessed. Where permission is required from a parent or guardian, their name and address details will also be recorded.
Independently of the UKPA, affiliated Polocrosse Clubs may also maintain data records of their Members.
Designated UKPA personnel will have access to Membership records on a “need to know” basis.
The UKPA requires Membership data to assist in the effective administration of UKPA activities and the application of UKPA Rules & Procedures. Confirmation of Membership details may be required by the UKPA insurers in the event of potential claims arising from the actions of UKPA Members, or from activities organised under the auspices of the UKPA.
The UKPA may share Membership data with third parties in order to secure commercial sponsorship or grant funding. No third party will be permitted by the UKPA to contact Members directly without prior permission being obtained from the Members concerned. No third party will be permitted to use Membership data for any purpose which may impact on the legal rights or welfare of the Members without the express permission of the individuals concerned.
Membership details may be transferred to third party organisations outside the European Economic Area (EEA) in the administration of international events. Members should be aware that areas outside the EEA may not have data protection laws as comprehensive as those that exist in the EEA.
Membership of the UKPA constitutes a member’s consent for the UKPA to process his/her information for the purposes set out in this Data Protection Policy.
All UKPA members may request, in writing, from the UKPA Secretary, details of the membership data records held about them by the UKPA, unless restricted by law. The UKPA is entitled to charge a fee of up to £10 for this service.
A Member may only obtain access to their personal data records, and not data pertaining to other individuals.