ALEXANDRA PARK JUNIOR BADMINTON CLUB DATA PROTECTION POLICY
Alexandra Park Junior Badminton Club (“we”, “our” and “us”) is a company limited by guarantee and is a Junior Club for the sport of badminton in Haringey. In order to provide our services, we are required to collect, process, use and retain certain personal data for a variety of business purposes.
The majority of the personal data we process relates to our staff, volunteers, members and fans. We also process the personal data of visitors to our website and representatives of our suppliers and partners in connection with the provision of our services.
This data protection policy (“Policy”) applies to all of our employees and contractors whose work involves processing personal data, and to our suppliers and other individuals working or providing services on behalf of Alexandra Park Junior Badminton Club who have access to the data described (including, but not limited to, the data referred to in Clause 1.2) (“you”, “your”). You must read, understand and comply with this Policy when processing personal data on our behalf and attend training on its requirements. You must protect the data you handle in accordance with this Policy and any applicable data security procedures at all times.
This Policy sets out what we expect from you in order for us to comply with applicable Data Protection Laws (as defined below). Your compliance with this Policy and all related policies and guidelines is mandatory. Any breach of this Policy may result in disciplinary action.
2. About the Policy
This Policy describes how personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with all applicable laws and regulations relating to the processing of personal data and privacy, including without limitation the General Data Protection Regulation (“GDPR”) and any other data protection legislation in force from time to time (as applicable), and including where applicable the guidance and codes of practice issued by the Information Commissioner or any other relevant regulator (“Data Protection Laws”).
This Policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
This Policy does not form part of any employee’s contract of employment and may be amended at any time.
The Data Protection Officer is responsible for ensuring compliance with applicable Data Protection Laws and with this Policy. Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to The Data Protection Officer, Judith Pedersen.
3. Definitions of Data Protection Terms
“data controller” means the organisation that determines the purposes and means of the processing of personal data. We are the data controller of all personal data used in our business for our own commercial purposes.
“data breach” or “breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“data processor” means an organisation or individual which processes personal data on behalf of Alexandra Park Junior Badminton Club. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on Alexandra Park Junior Badminton Club’s behalf.
“data subjects” for the purpose of this Policy means all living individuals about whom Alexandra Park Junior Badminton Club holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
“personal data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (NI number), location data, online identifier (IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
“processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“sensitive personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; data concerning health or sex life and sexual orientation; and genetic data or biometric data (e.g. DNA, fingerprints etc.).
“the consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
4. Scope and Objectives of Policy
The Policy applies to personal data in all its forms whether on paper or stored electronically. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of applicable Data Protection Laws or our contractual obligations.
With regard to electronic systems, the Policy applies to use of Alexandra Park Junior Badminton Club equipment and privately/externally owned systems when connected to our network. This Policy applies to all company owned/licensed data and software.
The Policy will ensure that Alexandra Park Junior Badminton Club:
4.3.1 – Complies with applicable Data Protection Laws and follows good practice;
4.3.2 – Protects the rights of its staff, customers, members, coaches, fans, partners and suppliers;
4.3.3 – Is transparent about how it stores and processes personal data; and
4.3.4 – Protects itself from the risks of a data breach or other unlawful processing of personal data.
5. Data Protection Laws
The Data Protection Laws describe how we must collect, handle and store personal data and these rules apply regardless of whether data is stored electronically or in paper format.
Anyone processing personal data must comply with the enforceable principles of good practice. These include, but are not limited to, that personal data must:
5.2.1 – Be processed fairly and lawfully (lawfulness, fairness and transparency);
5.2.2 – Be collected only for specific and lawful purposes and not processed in a manner that is incompatible with those purposes (purpose limitation);
5.2.3 – Be adequate, relevant and limited to what is necessary for the purposes for which it is collected (data minimisation);
5.2.4 – Be accurate and kept up to date (accuracy);
5.2.5 – Not be held for longer than is necessary for the purposes for which it is collected (storage limitation);
5.2.6 – Be processed in accordance with the data subject’s rights;
5.2.7 – Be processed in a manner that ensures appropriate security (integrity and confidentiality); and
5.2.8 – Not be transferred to a country or a territory outside the European Economic Area (“EEA”) unless that country or territory ensures an adequate level of protection.
Where we process personal data we are responsible for demonstrating compliance (accountability) with the principles set out in section 5.2 above.
Whilst the Data Protection Officer is ultimately responsible for ensuring that Alexandra Park Junior Badminton Club meets its legal obligations under applicable Data Protection Laws, you are also responsible for your own compliance with applicable Data Protection Laws.
The IT team is responsible for ensuring the security and integrity of our systems, services and equipment, and for monitoring staff compliance with IT policies and procedures.
All Alexandra Park Junior Badminton Club staff are responsible for:
6.3.1 – Keeping all personal data, as well as business-critical and potentially sensitive data, secure by taking sensible precautions and following the guidelines in this Policy;
6.3.2 – Compliance with the Data Breach Policy;
6.3.3 – Requesting guidance from the Data Protection Officer if unsure of any aspect of data protection;
6.3.4 – Keeping updated about data protection risks and issues;
6.3.5 – Reviewing and updating all data protection procedures and related policies, in line with legal requirements;
6.3.6 – Attending regular data protection training;
6.3.7 – Referring requests received from data subjects exercising their rights under applicable Data Protection Laws (see section 12 ‘Processing in line with Data Subject’s Rights’ below) to the Data Protection Officer immediately;
6.3.8 – Checking any contracts or agreements with third parties that may handle the company’s sensitive or personal data and if necessary referring them to the Data Protection Officer; and
6.3.9 – Complying with Alexandra Park Junior Badminton Club IT Policy.
7. Fair and Lawful Processing
Data Protection Laws are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out under applicable Data Protection Laws. These include, among other things, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or for the legitimate interests of the data controller or of the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met.
We generally process personal data during the course of our business on the basis that the processing is necessary for the performance of a contract with the data subject (whether this be our employee or one of our members). To the extent that the processing of personal data is necessary for staff administration and efficiency purposes, and provided that such processing is not to the detriment of our employees, we process personal data on the basis that it is in our legitimate interests. Any personal data we process in the course of our business marketing is also processed on the basis of our legitimate interests, provided it is not to the detriment of the data subject.
Our privacy notices explain the legal basis on which we process personal data; these are available on request. A version of our privacy notice is available on our website. A privacy notice explaining what Alexandra Park Junior Badminton Club does with employee personal data will be included in the Staff Handbook.
8. Processing for Limited Purposes
We will only process personal data for specified, explicit and legitimate purposes, or for any other purposes specifically permitted by applicable Data Protection Laws. We will not undertake further processing in any manner incompatible with those purposes, and will not use it for new, different or incompatible purposes from those disclosed when it was first obtained, unless the data subject has been informed of the new purposes and has consented (if necessary).
We will notify the data subject of those purposes when we first collect the data or as soon as possible thereafter, and such purposes may include (amongst others):
8.2.1 – Providing our services to our members, fans and customers;
8.2.2 – Fulfilling our contractual obligations to our employees, partners and suppliers;
8.2.3 – Compliance with our legal, regulatory and corporate governance obligations and good practice;
8.2.4 – Marketing our business and promoting our events; and
8.2.5 – Improving our services.
9. Providing information
In the course of our business, we may collect and process personal data. This may include data we receive directly from a data subject (for example, when a customer becomes a member, or by an employee providing bank details for remuneration purposes) and data we receive from other sources (for example, sub-contractors providing us with technical website services).
If we collect personal data directly from data subjects, we shall ensure that data subjects are aware that their data is being processed, and that they understand the purposes and lawful basis for which it is processed, the legitimate interests of Alexandra Park Junior Badminton Club or a third party (if applicable), any recipients or transfers of their data, the retention periods for their data and the existence of each of their rights in respect of such data.
If we collect personal data from a third party about a data subject, we will provide the data subject with the above information as soon as possible, and provide any additional information as prescribed by applicable Data Protection Laws.
To assist with our compliance with the above requirements, we have privacy statements setting out how we use personal data relating to data subjects (see section 7.4 above).
10. Adequate, Relevant and Non-Excessive Processing
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject. As such, we will not process personal data obtained for one purpose for any unconnected purpose unless the data subject concerned has agreed to this or would otherwise reasonably expect this.
11. Data Accuracy
If we receive a request to update or correct any personal data we hold, and provided we have authenticated the identity of the data subject in question, we will take all reasonable steps to ensure that personal data we hold is accurate and kept up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
You must take reasonable steps to ensure that personal data is kept as accurate and up to date as possible and personal data should be updated as inaccuracies are discovered. For example, if an e-mail address is no longer in service, it should be removed from the database.
Data subjects may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Data Protection Officer promptly.
12. Processing in line with Data Subject’s Rights
We will process all personal data in line with data subjects’ rights in relation to their personal data, in accordance with the Data Protection Laws.
If a data subject makes a request (written or otherwise) to exercise any right (or purported right) in respect of their personal data, you should immediately forward it to the Data Protection Officer. Employees should not in any circumstances be bullied into disclosing personal information.
The Data Protection Officer will handle the response to the request and ensure that the identity of anyone making a request has been adequately verified before handing over any information.
Any complaints received from a data subject should be escalated to the Data Protection Officer immediately.
13. Data Retention
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected, and all personal data will be held in accordance with our data retention policy.
14. Data Security
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We have put in place procedures and technologies appropriate to our size, scope and business, our available resources and the amount of personal data that we process. These measures will maintain the security of all personal data from the point of collection to the point of destruction. We will regularly evaluate and test the effectiveness of these measures to ensure security of our processing of personal data in accordance with our IT Policy.
We will only use data processors that agree to comply with these procedures and policies, or that put in place adequate measures themselves. We will conduct adequate due diligence on all data processors and take all steps required by any applicable Data Protection Laws where we appoint a data processor, including ensuring such data processor:
14.2.1 – enters a written agreement with Alexandra Park Junior Badminton Club that includes sufficient guarantees as to the security measures the data processor has in place;
14.2.2 – imposes confidentiality obligations on all personnel who process the relevant data;
14.2.3 – ensures the security of the personal data that it processes;
14.2.4 – provides Alexandra Park Junior Badminton Club with all information necessary to demonstrate compliance with applicable Data Protection Laws;
14.2.5 – either returns or destroys the personal data at the end of the relationship;
14.2.6 – implements measures to assist Alexandra Park Junior Badminton Club in complying with the rights of data subjects;
14.2.7 – continues to comply with its data protection obligations when processing personal data (i.e. by monitoring its compliance); and
14.2.8 – implements additional specific data security arrangements where necessary to ensure such arrangements are of an equivalent standard to Alexandra Park Junior Badminton Club’s.
We will regularly review the activities and processes of each data processor we use to check that it is processing personal data in line with our requirements and the requirements of the Data Protection Laws, and that such data processor is regularly testing its security measures to ensure they meet the applicable standards.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
14.4.1 – Confidentiality means that only people who are authorised to use the data can access it.
14.4.2 – Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
14.4.3 – Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Alexandra Park Junior Badminton Club’s central computer system instead of individual PCs.
Security procedures include (but are not limited to):
14.5.1 – Entry controls. Any stranger seen in entry-controlled areas should be reported.
14.5.2 – Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information may be considered confidential and sensitive.) Where personal data is stored in desks and cupboards, these should only be accessible by individuals who are authorised to access such personal data (e.g. personal data should not be stored in communal cupboards / drawers that are accessible by all staff).
14.5.3 – Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
14.5.4 – IT Security. You must comply with our IT Policy at all times when handling personal data.
14.5.5 – Privacy by design and default. Privacy by design is an approach to future Alexandra Park Junior Badminton Club projects that promotes privacy and data protection compliance from the start. This may involve the person responsible for the project conducting a data protection impact assessment (also known as a data privacy impact assessment or “DPIA”) prior to the start of any project that involves the processing of personal data. DPIAs are a tool which can help us identify the most effective way to comply with our data protection obligations and meet data subjects’ expectations of privacy. An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. DPIAs are required when we are using new technologies, and when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals (such as the processing of sensitive personal data or systematic monitoring of public areas (e.g. CCTV)).
It is your responsibility to ensure that you keep personal data secure against loss or misuse in accordance with this Policy.
15. Sharing personal data
If we share personal data with third parties, we will do so in line with applicable Data Protection Laws. We may have to share personal data with government bodies, such as HMRC.
You may only share the personal data we hold with another employee, agent or contractor if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions (see section 17 below).
You may only share the personal data we hold with third parties if:
15.3.1 – sharing the personal data complies with the privacy notice provided to the data subject, and, if required, the data subject’s consent has been obtained;
15.3.2 – the transfer complies with any applicable cross-border transfer restrictions.
16. Data Storage
Personal data should be stored only electronically whenever possible and the recording of personal data in paper format should be kept to a minimum. In exceptional circumstances where personal data is recorded in paper format, it should be kept in a secure place to prevent access to such personal data by unauthorised personnel.
When you store personal data, whether electronically or in paper form, you must protect it in accordance with our IT Policy.
17. Transferring Personal Data to a Country Outside the EEA
We may transfer personal data we hold to a country outside the EEA, provided that one of the following conditions applies:
17.1.1 – The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
17.1.2 – The data subject has given his/her explicit consent (having been properly informed, including of the risks involved).
17.1.3 – The transfer is necessary for one of the reasons set out in any applicable Data Protection Laws, including: the performance of a contract between us and the data subject (or a third party (provided it is in the interests of the data subject)); or to protect the vital interests of the data subject.
17.1.4 – The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
17.1.5 – The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
You should not transfer personal data outside the EEA without first discussing it with the Data Protection Officer.
We are subject to certain rules and privacy laws when marketing to our customers. When we use personal data for these marketing purposes, we do so on the basis that it is in our legitimate business interests to do so. Data subjects may unsubscribe from any direct marketing communications by clicking on the relevant link in the email or by contacting us in accordance with our privacy notice.
You must comply with Alexandra Park Junior Badminton Club’s guidelines on direct marketing to customers.
19. Data Breaches
You must comply with Alexandra Park Junior Badminton Club’s Data Breach Policy.
20. Disclosing data for other reasons
In certain circumstances, the applicable Data Protection Laws allow personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances Alexandra Park Junior Badminton Club will disclose requested data. However, the Data Protection Officer will first check that the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
21. Policy Awareness
The Policy will be made available to all staff. Staff and authorised third parties given access to Alexandra Park Junior Badminton Club personal data will be advised of the existence of Alexandra Park Junior Badminton Club’s relevant policies, codes of conduct and guidelines that relate to the processing of personal data.
Training will be provided to staff on a periodic basis as necessary to refresh their knowledge or where there has been a substantial change in the Data Protection Laws or this Policy, to ensure all staff are aware of their obligations under this Policy and applicable Data Protection Laws. It is compulsory that staff complete this training.
You are obliged to comply with this Policy when processing personal data on our behalf. Any breach of this Policy may result in disciplinary action.
22. Changes to this Policy
We reserve the right to change this Policy at any time. Where appropriate, we will notify you of those changes by mail or email.
Please refer questions to the Data Protection Officer – Alistair Ferguson