GDPR Guidance

Persons organising official club activities (“organisers”) are responsible for compliance with the Data Protection Act. Club activities include, but are not limited to, activities approved by the committee such as races, events, coaching and training, managing membership and other club-organised activities.

The Information Commissioner can impose fines on organisations for breaching the Act and serious breaches may also see individuals involved being prosecuted.

Managing data in compliance with the Act

There are three broad stages of processing data to be aware of to ensure compliance with the Six Principles of the Act:

  • gathering data
  • keeping data
  • disclosing data.

Data Security

Keeping data secure is essential to complying with the Data Protection Act. This applies equally to working on club and personal devices.

Specific guidance

Responding to requests for information

Organisers should be mindful of GDPR when sharing information and, if unsure, should check with the club honorary secretary prior to sharing.

Photography and filming

At the point of joining the club, members will be asked to give general consent to being photographed and/or filmed and for their images to be used to report on and/or publicise the club, either by organisers directly or through a third party such as the press. We cannot accept members who do not give this general consent, due to our limitations as an organisation run by volunteers.

It is essential that a parent or guardian gives consent for this general use on behalf of junior members.

Organisers must always consider whether non-members are also likely to be photographed or filmed. Where this is likely, the organiser should include disclaimers in event booking forms or display notices as appropriate. The organiser must speak to the club safeguarding officer if unsure how to manage the presence of U18s or vulnerable persons.

All photos or recordings which contain personal data will need to be treated in the same way as personal data held in other formats. They need to be kept securely and disposed of securely when no longer required, in accordance with our guidance on Data Security.

In the event of an individual wanting a specific image removed, they should email the club data protection contact: The club must process their email per the Act. This protocol also applies to the club’s social media platforms, where images may be recorded by third parties and shared on a club forum.

Specific use of an individual's image requires their written consent. This can be done by email. In the case of U18s or vulnerable people, the responsible adult must give consent. Consent must be obtained before use.

Gathering data

You must comply with the Data Protection Act whenever you gather or collect personal data for club purposes. There are three general rules of compliance that you should follow when collecting data:

  • Obtain consent
  • Limit the Personal Data you collect
  • Keep data secure

Obtain consent

Data subjects should be told in clear terms, preferably in writing, exactly what information is being collected, what it will be used for and to whom it may be released. A record should be kept to show that the individuals have consented to their data being processed under the Data Protection Act.

All club members and participants in AVR-organised activities provide their general consent to their personal data being processed for certain, limited, necessary purposes.

If the data is going to include any sensitive personal data – such as medical information – specific consent in writing is needed. This should be clearly stated on event entry forms. Care must be taken when sharing medical data at events – for example, the race director must ensure any handouts are disposed of as confidential waste once the event finishes.

Limit the personal data you collect

Ensure you only collect personal data that is strictly necessary, especially sensitive personal data. Any irrelevant or excessive information should not be retained.

Keep data secure

All personal data gathered must be held securely. Don't put the data onto a mobile device unless it is secure - password protected and, where appropriate, encrypted.

Restrict access to data and maintain confidentiality by:

  • only allowing others to access the data if necessary (check with the honorary secretary or chairman if unsure)
  • not transferring data to a third party unless you have consent from the data owner
  • taking care not to lose data
  • ensuring data is kept securely

The Honorary Secretary acts as the club’s data controller. They are responsible for investigating any breaches of data protection and taking any necessary action.

Keeping data

If you have access to existing files or data you must follow the rules on keeping data to ensure that requirements of the Data Protection Act are met.

There are four general rules of compliance that you should follow when keeping data:

  • review the content of files and records
  • accuracy
  • relevance
  • fairness and access rights

Only use data for the original purpose. For example, if a race entrant supplies medical details for a race, these must not be kept for use at future events. Entrants must be asked to provide such details at each event. Record any notified data changes promptly and delete any obsolete information. When a member leaves, delete their data. When personal data is to be deleted or disposed of, ensure that confidentiality is maintained. Paper files should be shredded.

Individuals have the right to see their personal data, including any comments about them. Do not record, however informally, comments you would not be happy for the Data Subject to see. Wherever possible, be open with individuals in relation to information held about them. If an individual wants to make a formal Subject Access Request under the Data Protection Act, they should be referred to the Honorary Secretary.

Disclosing information to a third party

Personal information can be disclosed in an emergency. In such a situation, if necessary, personal information can be disclosed without consent. For example, if someone collapses and is unconscious, it would be permissible to inform medical staff that the individual suffers from diabetes.

Personal data should only be disclosed over the telephone in emergencies. When personal data is included in an email, the email should be password protected and where appropriate encrypted.

When dealing with routine type queries from third parties, you need to be convinced that:

  • the person is who he/she says he/she is
  • the enquiry is genuine
  • the persons in question are clearly identified.

Requests in writing should be on official headed paper. Keep a record of all telephone calls with any other correspondence and a copy of the outgoing letter. Once the legitimacy of the request is established the requested information should be made available.

Policy review and compliance

The Honorary Secretary is responsible for reviewing this policy and compliance as appropriate. This includes making sure organisers and committee members are aware of the policy.