Warminster & District Amateur Swimming Club Data Protection Policy

Purpose

Warminster & District Amateur Swimming Club needs to gather and use certain information about individuals. These include Parent members, swimmers and committee members. This policy describes how this personal data must be collected, handled and stored to meet the club’s data protection standards — and to comply with the law.

This data protection policy ensures Warminster & District Amateur Swimming Club:

▪ Complies with data protection law and follows good practice

▪ Protects the rights of parents, members and others

▪ Is open about how it stores and processes individuals’ data

▪ Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) 2018, describes how organisations — including Warminster & District Amateur Swimming Club— must collect, handle and store personal information.

The Privacy and Electronic Communications Regulations (PECR) 2018 sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act and UK GDPR are underpinned by eight important principles. These say that personal data must:

1. Be processed fairly and lawfully

2. Be obtained only for specific, lawful purposes

3. Be adequate, relevant and not excessive

4. Be accurate and kept up to date

5. Not be held for any longer than necessary

6. Processed in accordance with the rights of data subjects

7. Be protected in appropriate ways

8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

 

THE UK GDPR details the following rights:

▪ the right to be informed;

▪ the right of access;

▪ the right to rectification;

▪ the right to erasure;

▪ the right to restrict processing;

▪ the right to data portability;

▪ the right to object;

▪ the right not to be subject to automated decision-making including profiling.

People, risks and responsibilities

Policy scope

This policy applies to:

▪ Members of the committee

▪ All volunteers of Warminster & District Amateur Swimming Club

▪ All contractors, suppliers and other people working on behalf of Warminster & District Amateur Swimming Club

It applies to all data that the club holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 2018. This includes:

▪ Names of individuals

▪ Postal addresses

▪ Email addresses

▪ Telephone numbers

▪ Date of birth

▪ Committee minutes and papers 

▪ Member consultations and surveys 

Legal basis for holding and using data

The UK GDPR requires each organisation that holds personal data on individuals to define the legal basis on which they hold and use this data.

Warminster & District Amateur Swimming Club Swimming is a membership club. The Club primarily holds data for Club members, and will only use this data for legitimate purposes.

The Club may also carry out member and associated member consultations, surveys and votes from time to time.

The Club will only hold and use data for the purposes detailed in these documents. Hence the Club’s legal basis as allowed by the UK GDPR is “Legitimate Interest”.

The absolute minimum data required for the Club to carry out its membership activities are member names, dates of birth and postal addresses. Email addresses and telephone numbers assist the Club to carry out its membership activities efficiently and economically. Accordingly, members are asked to provide their email addresses and telephone numbers if they are willing for the Club to use them in line with the membership privacy notice.

The Club also holds other personal data on swimming guests, prospective members,  member volunteers and EC minutes and papers. This data is held for either legal, insurance or for the legitimate activities of the Club as laid out in the Club’s Constitution and our membership rules and bye laws. The Club’s legal basis as allowed by the UK GDPR is again “Legitimate Interest”.

Data Retention Period

Member and associated member personal data is held while a person is a member of the club and for a period of 6 years after their membership has lapsed. This allows the Club to answer membership enquires effectively or for insurance reasons: experience has shown that the data is required for this period. Once a person’s membership has lapsed, they can request that all their personal data is removed from the Club’s records before this time period.

All Club email correspondence will be retained for a period of 6 years and then deleted.

 All other data is only held as legally required.

Data protection risks

This policy helps to protect Warminster & District Amateur Swimming Club from some very real data security risks, including:

▪ Breaches of confidentiality. For instance, information being given out inappropriately.

▪ Failing to offer choice. For instance, all individuals should be free to choose how the club contacts them for legitimate reasons i.e. membership renewal, club AGM notification etc.

▪ Reputational damage. For instance, the club could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with Warminster & District Amateur Swimming Club has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

▪ The Committee is ultimately responsible for ensuring that Warminster & District Amateur Swimming Club meets its legal obligations. Committee members must ensure that they only use the personal data held by the Club for legitimate Club reasons. If in doubt the Chairperson should be consulted.

▪ The Chair (and deputy chair if applicable) person, are responsible for:

o Ensure all personal data held by the Club is only used in accordance with this policy.

o Keeping the committee members updated about data protection responsibilities, risks and issues.

o Reviewing all data protection procedures and related policies, in line with an agreed schedule.

o Arranging data protection training and advice for the people covered by this policy.

o Handling data protection questions from the committee, members and anyone else covered by this policy.

o Dealing with requests from individuals to see the data Warminster & District Amateur Swimming Club holds about them (also called ‘subject access requests’).

o Incident Management including responding to Data Events / Cuber Security issues

o Managing and maintaining backups of key systems and data

o Access control to systems and data including documented approvals

General employee and volunteer guidelines

▪ The only people able to access data covered by this policy are those who need it for their work

▪ Data must not be shared informally. When access to personal data is required, members can request it from the Chairperson

▪ Committee and volunteers must keep all data secure, by taking sensible precautions and following the guidelines below

▪ In particular, strong passwords must be used and they must never be shared.

▪ Personal data must not be disclosed to unauthorised people, either within the club or externally

▪ Data must be regularly reviewed and updated if it is found to be out of date. If no longer required, it must be deleted and disposed of

▪ volunteers must request help from the Chairperson if they are unsure about any aspect of data protection

Data storage

This section describes how and where data must be safely stored. Questions about storing data safely can be directed to the Chairperson.

When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see it.

This includes data that is usually stored electronically but has been printed out:

▪ When not required, the paper or files must be kept in a locked drawer or filing cabinet.

▪ volunteers must make sure paper and printouts are not left where unauthorised people could see them.

▪ Data on paper must be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

▪ Data must be protected by strong passwords that are changed regularly and never shared.

▪ If data is stored on removable media (like a CD or DVD), these must be kept locked away securely when not being used.

▪ Data must only be stored on designated Club laptops, and must only be uploaded to approved cloud computing services.

▪ Club laptops containing personal data must be kept locked away securely when not being used.

▪ Data must be backed up frequently. Those backups must be tested regularly, in line with the club’s standard backup procedures.

▪ Data must never be saved directly to laptops or other mobile devices like tablets or smart phones not belonging to the Club. 

Data use

Personal data is of no value to Warminster & District Amateur Swimming Club unless the Club can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

▪ When working with personal data committee and volunteers must ensure the screens of their computers are always locked when left unattended.

▪ Personal data must not be shared informally. In particular, it must never be sent by email, as this form of communication is not secure.

▪ Data must be encrypted before being transferred electronically. The Chairperson can explain how to do this.

▪ Personal data must never be transferred outside of the European Economic Area.

▪ Personal data must always be accessed and update using the central copy of any data.

▪ Personal data must not be saved on any device other than those owned by the Club.

Data accuracy

The law requires Warminster & District Amateur Swimming Club to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Warminster & District Amateur Swimming Club must put into ensuring its accuracy.

It is the responsibility of all volunteers who work with personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

▪ Data will be held in as few places as necessary. volunteers must not create any unnecessary additional data sets.

▪ Volunteers must take every opportunity to ensure data is updated. For instance, by confirming a member’s details when they contact the Club.

▪ Warminster & District Amateur Swimming Club will make it easy for data subjects to update the information Warminster & District Amateur Swimming Club holds about them. For instance, via the membership renewal process.

▪ Data must be updated as inaccuracies are discovered. For instance, if a member can no longer be reached on their stored telephone number or email address, it must be removed from the database.

▪ Members who unsubscribe from email communication must never be contacted by this method and any email information must be removed from Club records.

Subject access requests

All individuals who are the subject of personal data held by Warminster & District Amateur Swimming Club are entitled to:

▪ Know what information the club holds about them and why.

▪ Know how to gain access to it.

▪ Be informed how to keep it up to date.

▪ Be informed how the club is meeting its data protection obligations

If an individual contacts the club requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email or letter, addressed to the Chairperson.

The Club will respond to subject access requests free of charge. However, the Club reserves the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee charged will be based on the administrative cost of providing the information.

The Chairperson will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the data protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Warminster & District Amateur Swimming Club will disclose requested data. However, the Chairperson will ensure the request is legitimate, seeking assistance from the Executive committee , and from the club’s legal advisers where necessary.

 

Personal data breach

If there is an actual or suspected personal data breach this must be reported to the Chairperson without delay. The Chairperson will investigate and determine what action is necessary.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Warminster & District Amateur Swimming Club will:

• Take action to prevent any further data breaches

• Inform those people adversely effected without delay

• Document the data breach and actions taken

• If appropriate, inform the Information Commissioner’s Office within 72hours.

• If relevant, instigate disciplinary proceedings.

Providing information

Warminster & District Amateur Swimming Club aims to ensure that individuals are aware that their data is being processed, and that they understand:

▪ How the data is being used

▪ How to exercise their rights

To these ends, the club has a privacy statement setting out how data relating to individuals is used by the club. This is available on request. A version of this statement is also available on the website (https://uk.gomotionapp.com/team/wasc/page/home) and is included in any membership applications/renewals.

Electronic Communication

• Email communications will only be used where a person has provided the Club with their email address.

• Having provided an email address and/or telephone number, a member can have those details removed from the Club's records at any time. Individuals are prompted to correct and add or remove details when they join the Club and when they renew their membership.

• Blind copy must be used for member, employee, volunteer group and event participant emails unless the participants have given permission to share their emails.

 

 

Appendix A - Member privacy statement, Warminster & District Amateur Swimming Club takes your privacy seriously and we will only use your personal information for legitimate Club purposes, which may include some or all of the following: administer your membership, keep you informed about Club news, events and fund raising, projects and activities, member consultations, surveys and votes, employment and volunteering opportunities. We will not pass your personal information to third parties except when legally required to do so. We will keep your personal information for 6 years after your membership has lapsed unless requested not to. It is efficient and Economical for the Club to contact you by email or telephone. However, we will only contact you by email or telephone if you have provided the Club with those details. Further information regarding our data protection policy can be obtained by contacting the Club directly or from our website (https://uk.gomotionapp.com/team/wasc/page/about