Data Protection Policy
Armagh Swimming Club
Data Protection Policy (GDPR)
Policy Prepared by;
Ryan McVeigh (Treasurer)
Introduction
Armagh Swimming Club needs to gather and use certain information about individuals.
These include swimming members, coaches, committee members, business contacts and other people the Club has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the club’s data protection standards — and to comply with the law.
Why this policy exists
This data protection policy ensures Armagh Swimming Club:
- Complies with data protection law and follow good practice
- Protects the rights of its members, coaches and others
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 1998 and, from May 2018, the General Data Protection Regulation (GDPR) describes how organisations — including Armagh Swimming Club— must collect, handle and store personal information.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act and GDPR are underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
The GDPR details the following rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making including profiling.
People, risks and responsibilities
Policy scope
This policy applies to:
- Members of the Committee and coaching staff
- All Employees and volunteers of Armagh Swimming Club
- All contractors, suppliers and other people working on behalf of Armagh Swimming Club
It applies to all data that the club holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This includes:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Date of birth
Legal basis for holding and using data
The GDPR requires each organisation that holds personal data on individuals to define the legal basis on which they hold and use this data.
Armagh Swimming is a membership non profit making club. The Club primarily holds data for Club members and coaches and will only use this data for legitimate purposes. The legal activities of the Club are defined in the Club’s Memorandum and Articles of Association and our membership rules and bye laws. These are publically available on our website or available by direct request to the Club.
The Club will only hold and use data for the purposes detailed in these documents. Hence the Club’s legal basis as allowed by the GDPR is “Legitimate Interest”.
The absolute minimum data required for the Club to carry out its membership activities are member names, dates of birth and postal addresses. Email addresses and telephone numbers assist the Club to carry out its membership activities efficiently and economically. Accordingly, members are asked to provide their email addresses and telephone numbers if they are happy for the Club to use them in line with the membership privacy notice.
Data protection risks
This policy helps to protect Armagh Swimming Club from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the club contacts them for legitimate reasons i.e. membership renewal, club AGM notification etc.
- Reputational damage. For instance, the club could suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who voluntarily helps with Armagh Swimming Club has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
- The Committee is ultimately responsible for ensuring that Armagh Swimming Club meets its legal obligations.
General employee and volunteer guidelines
- The only people able to access data covered by this policy are those who need it for their work in relation to the club.
- Data must not be shared informally. When access to personal data is required employees can request it from the committee.
- Armagh Swimming Club will provide training to all volunteers, when applicable, and help them understand their responsibilities when handling data.
- Volunteers must keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they must never be shared.
- Personal data must not be disclosed to unauthorised people, either within the club or externally.
- Data must be regularly reviewed and updated if it is found to be out of date. If no longer required, it must be deleted and disposed of.
- Volunteers must request help from the committee if they are unsure about any aspect of data protection
Data storage
This section describes how and where data must be safely stored.
When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see it.
This includes data that is usually stored electronically but has been printed out:
- When not required, the paper or files must be kept in a locked drawer or filing cabinet.
- Employees/volunteers must make sure paper and printouts are not left where unauthorised people could see them.
- Data on paper must be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:.
Data must be protected by strong passwords that are changed regularly and never shared.
- If data is stored on removable media (like a CD or DVD), these must be kept locked away securely when not being used.
- Data must only be stored on designated Club laptops, and must only be uploaded to approved cloud computing services.
- Club laptops containing personal data must be kept locked away securely when not being used,
- Data must be backed up frequently. Those backups must be tested regularly, in line with the club’s standard backup procedures.
- Data must never be saved directly to laptops or other mobile devices like tablets or smart phones not belonging to the Club.
Data use
Personal data is of no value to Armagh Swimming Club unless the Club can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees and volunteers must ensure the screens of their computers are always locked when left unattended.
- Personal data must not be shared informally. In particular, it must never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically. The general manager can explain how to do this.
- Personal data must never be transferred outside of the European Economic Area.
- Personal data must always be accessed and updated using the central copy of any data.
- Personal data must not be saved on any device other than those owned by the Club.
Data Accuracy
The law requires Armagh Swimming Club to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Armagh Swimming Club must put into ensuring its accuracy.
It is the responsibility of all employees and volunteers who work with personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Employees and volunteers must not create any unnecessary additional data sets.
- Employees and volunteers must take every opportunity to ensure data is updated. For instance, by confirming a member’s details when they contact the Club.
- Armagh Swimming Club will make it easy for data subjects to update the information Armagh Swimming Club holds about them. For instance, via the membership renewal process.
- Data must be updated as inaccuracies when discovered. For instance, if a member can no longer be reached on their stored telephone number or email address, it must be removed from the database.
- Members who unsubscribe from email communication must never be contacted by this method and any email information must be removed from Club records.
Subject access requests
All individuals who are the subject of personal data held by Armagh Swimming Club are entitled to:
- Know what information the club holds about them and why.
- Know how to gain access to it.
- Be informed on how to keep it up to date.
- Be informed how the club is meeting its data protection obligations
If an individual contacts the club requesting this information, this is called a subject access request.
Disclosing data for other reasons
In certain circumstances, the data protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Armagh Swimming Club will disclose the requested data. However, the committee will ensure the request is legitimate, seeking assistance from the club’s legal advisers where necessary.
Personal data breach
If there is an actual or suspected personal data breach this must be reported to the committee without delay. The committee will investigate and determine what action is necessary.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Armagh Swimming Club will:
- Take action to prevent any further data breaches
- Inform those people adversely affected without delay
- Document the data breach and actions taken
- If appropriate, inform the Information Commissioner’s Office within 72 hours.
- If relevant, instigate disciplinary proceedings.
Providing information
Armagh Swimming Club aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the club has a privacy statement setting out how data relating to individuals is used by the club. This is available on request. A version of this statement is also available on the website (armaghswimmingclub.co.uk).
Electronic Communication
- Email communications will only be used where a person has provided the Club with their email address.
- Having provided an email address and/or telephone number, a member can have those details removed from the Club’s records at any time. Individuals are prompted to correct and add or remove details when they join the Club and when they renew their membership.
- For those choosing not to receive emails from the Club, information will be provided on the Club’s website and notices at the Lake. Membership applications will be sent by post to these individuals.
- Emails to members from the Club will include an ‘unsubscribe’ option.
- Blind copy must be used for member, employee, volunteer group and event participant emails.
- Employees and volunteers must always use a Club email address when communicating on behalf of the Club with external organisations
- All Club emails must include information about the Club’s privacy policy
Member privacy statement
Armagh Swimming Club takes your privacy seriously and we will only use your personal information for legitimate Club purposes, which may include some or all of the following: administer your membership, keep you informed about Club news, events and fundraising, projects and activities, employment and volunteering opportunities. We will not pass your personal information to third parties except when legally required to do so. We will keep your personal information for 2 years after your membership has lapsed. It is efficient and economical for the Club to contact you by email or telephone. However, we will only contact you by email or telephone if you have provided the Club with those details. Further information regarding our data protection policy can be obtained by contacting the Club directly or from our website ( armaghswimmingclub.co.uk).