DATA PROTECTION POLICY

FOR THE WIRE GYMNASTICS CLUB

Date: 21/5/2018

Review Date: 20/5/2019

Document Control

Organisation / The Wire Gymnastics Club
Title / Data Protection Policy
Prepared by / Claire Burnham
Owner / Directors of The Wire Gymnastics Club
Subject / Information Governance Protocol

Document Approvals

Version / Sponsor Approval / Date Approved
1.0 / The Wire Gymnastics Club Directors
2.0 / Name of who approved this latest version

Document Distribution

Version / Date Distributed / Distribution Method
1.0 / 24/5/18 / Email or hard copy to staff
2.0

Revision / Review History

Revision / Review Date / Reviewer / Previous Version Ref / Description of any Revisions
Revisions in light of GDPR May 2018.

1. Introduction

The EU General Data Protection Regulation (GDPR) is effective from 25th May 2018. GDPR signals the single biggest change in data protection in decades in that it replaces the Data Protection Act (DPA) 1998.

The main GDPR Principles

The data protection principles, as set out in the DPA, remain but they have been condensed into six as opposed to eight principles. Article 5 of the GDPR states that personal data must be:

1. Processed fairly, lawfully and in a transparent manner in relation to the data subject.

2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.

4. Accurate and, where necessary, kept up to date.

5. Kept in a form that permits identification of data subjects (usually members of the public) for no longer than is necessary for the purposes for which the personal data is processed.

6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Wire Gymnastics Club needs to collect and use certain types of information about the children who come into contact with us in order to carry out our work. This personal information must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material. This includes the collection and use of special categories of personal data that are highly sensitive and confidential.

The Wire Gymnastics Club's policy is to ensure that all personal information it obtains, uses or shares in its work is treated with care and respect and is used lawfully and fairly. The policy applies to data about our employees as well as data about our clients.

GDPR includes principles that explain how personal data should be used. The principles are flexible, and do not prevent effective working. Personal data can be obtained, used, shared and kept to provide services, look after people’s interests, and support The Wire Gymnastics Club objectives.

This policy sets out how GDPR and other data protection legislation applies to The Wire Gymnastics Club, and sets out some specific measures to assist compliance.

Summary of Specific Measures

  • We will nominate a senior officer to be accountable for managing information risk and for controlling the use, protection, sharing and timely disposal of personal information.
  • We will ensure that all our staff attend training on data protection.
  • All staff will report all losses, suspected losses, thefts or breaches of security involving personal data to the CEO as quickly as possible.
  • We will undertake a Data Protection Impact Assessment (DPIA) on existing and new projects and processes which involve the use of personal data, or of significant changes to existing ones. In certain cases it may be necessary to undertake one for ‘high risk’ data processing.
  • We will take steps (where practical) to anonymize personal data to mitigate against data security breaches.
  • We will undertake data protection audits and keep an information asset register. This will help us to apply the Data Protection Principles and compliance to our everyday practice.

2. Issues

Individual responsibility

The Wire Gymnastics Club holds information about our employees and the children and parents/carers that attend our club. We are required to protect the personal data that we use, and make everyone aware of their legal obligations. The use of personal data must be fair, legal and proportionate. Staff cannot use personal data obtained at work for their own purposes. It is a criminal offence to knowingly or recklessly disclose personal data and information without explicit and purposeful permission. Anyone who uses, discusses or discloses personal data held by The Wire Gymnastics Club without lawful authority may be committing an offence.

Staff who knowingly disclose or misuse data for their own purposes, or who knowingly ignore the requirements of this policy may face disciplinary action, regardless of any possible criminal sanction. This could lead to dismissal in some cases.

Under GDPR fines can be issued where an organisation cannot demonstrate compliance with any of the principles. Fines could be up to €20 million.

3. Obtaining information

The Wire Gymnastics Club will inform our employees and clients when we record information about them, unless there is a specific legal reason for not doing so. Any process involving the collection and use of personal data must conform to the GDPR principles. Staff must ensure that the use of personal data meets these conditions.

If third parties provide personal data to The Wire Gymnastics Club, our staff should inform the person concerned unless there is a valid legal or safety reason not to do so.

Consent (of our employees and clients) is fundamental to compliance with GDPR and staff should ensure that consent is “Opt-in” with an option for consent to be withdrawn at any time. One caveat to this however is that where data processing is for a statutory purpose, consent will not be required.

The Data Protection Act 2018 lowers the age at which a child can provide consent (to data processing) from 16 to 13 years. It is essential that staff ensure that any necessary parental consent is obtained where appropriate.

Data collection

Informed consent is when:

  • A client clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data and then gives their consent.

  • The Wire Gymnastics Club will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, The Wire Gymnastics Club will ensure that the client:

  • Clearly understands why the information is needed
  • Understands what it will be used for and what the consequences are should the client decide not to give consent to processing
  • As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
  • Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
  • Has received sufficient information on why their data is needed and how it will be used

Data Controller

The Wire Gymnastics Club is the Data Controller under the Act, which means that it determines the purposes for which the personal information it holds will be used.

4. Disclosure

The Wire Gymnastics Club may share data with other agencies such as British Gymnastics, funding bodies and other voluntary agencies. Clients will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows The Wire Gymnastics Club to disclose data without the data subject’s consent.

These are:

a) Carrying out a legal duty

b) Protecting vital interests of a client or other person

c) Client has already made the information public

d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights

e) Monitoring for equal opportunities purposes – i.e. race, disability or religion

f) Providing a confidential service where the client's consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill clients to provide consent signatures.

The Wire Gymnastics Club regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

The Wire Gymnastics Club intends to ensure that personal information is treated lawfully and correctly.

The Wire Gymnastics Club will, through appropriate management and strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
  • Ensure the quality of information used
  • Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
      - The right to be informed that processing is being undertaken
      - The right of access to one’s personal information
      - The right to prevent processing in certain circumstances
      - The right to correct, rectify, block or erase information which is regarded as wrong information
  • Take appropriate technical and organisational security measures to safeguard personal information
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • Set out clear procedures for responding to requests for information

5. Client forms and tools to gather information

The Wire Gymnastics Club will ensure that any form or process we use to gather information will include a simple explanation about why that personal data is needed, and what we will do with it. Our Privacy Notice explains where data will be shared outside the organisation and the purpose for this.

6. Record Keeping & Storage

The Wire Gymnastics Club will ensure that it has adequate records management procedures, including measures to ensure that records about our employees and clients are fair, accurate, up-to-date and not excessive. These must be secure, traceable and accounted for at all times. We will maintain and operate a retention and disposal schedule as part of our Records Management. Our records will be disposed of securely in accordance with the disposal schedule. Records management applies equally to paper and electronic records including emails.

It is The Wire Gymnastics Club's responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

Data access and accuracy

All clients have the right to access the information The Wire Gymnastics Club holds about them. The Wire Gymnastics Club will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

7. Need to know

The Wire Gymnastics Club will ensure that access to personal data is only available to those who need it. If access to data is needed only some of the time, it should only be available some of the time. Data should be used when necessary, and not purely because it is convenient to do so. This applies to all of our staff.

8. Physical security

The Wire Gymnastics Club will:

  • Safeguard all premises and electronic systems where personal data is held.
  • Access to areas where information is held should be controlled, paper files should be locked away when not in use and computer data must be protected by adequate security measures.
  • Safeguard all valuable files and documents.
  • Ensure that client data is not on display except where necessary (i.e. for operational reasons or for safety reasons).
  • Use encryption technologies to protect the security of data including emails.
  • Ensure that Personal Data is never stored on mobile devices.
  • Ensure that all data, physical or electronic, will be disposed of securely.

9. Complaints about personal data

If any employee or client identifies errors or inaccuracies in the data we hold about them, or points out unfair uses of their data these will be rectified immediately. We will immediately implement recommendations or instructions received as a result of an assessment or decision made by the Information Commissioner unless the CEO believes the assessment to be incorrect.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.

In case of any queries or questions in relation to this policy please contact the Wire Gymnastics Club Data Protection Lead: The Directors of the Wire Gymnastics Club.
