Basingstoke Synchronised Skating Club GDPR Statement

Introduction

This statement describes Basingstoke Synchronised Skating Club's (BSSC or 'The Club') responsibilities, processes and procedures under the General Data Protection Regulation (GDPR) of 25th May 2018.

The statement is intended for anyone who has a relationship with the Club, including adult and junior members, club officers, coaches and 3rd parties who interact with the Club.

The statement is not intended to be an introduction or give an overview of the current legislation. The Information Commissioner's Office has a detailed introduction to the General Data Protection Regulation.

BSSC's Responsibilities

In order to support the day-to-day activities of the Club, we collect and maintain a variety of personal data about Club members, parents or guardians and other interested parties.

To comply with the terms of the GDPR, the Club must ensure that these data are:

  • processed securely
  • updated regularly and accurately
  • limited to what the Club needs
  • used only for the purpose for which it is collected and
  • used for marketing purposes only if the individual has given the Club consent to do so.

To meet these requirements, the Club considers the following factors when handling personal data:

  • Consent - has the subject agreed that their personal data can be used for the specified purposes
  • Purpose - why is the data collected
  • Limit - are we collecting only what we need
  • Accuracy - is the collected data up-to-date
  • Security - who has access to the data and what mechanisms are in place to prevent unauthorised access
  • Transfer - with whom can we share the data
  • Retention - do we still need the data

Personal Data

This section describes the classes of personal data that the club collects, why it collects the data and how it is secured and used. Unless otherwise stated, the Club acts as a Data Controller for the data as defined by the GDPR.

For Club Members

The Club typically collects and retains five classes of personal information:
  • Contact Information
  • Financial Information
  • Medical Information
  • Permissions and Consent
  • Safeguarding Requirements

By joining the Club, members agree for this information to be collected, retained and updated as required to support the normal operations of the club. Some of this information may also be shared with 3rd parties for non-marketing purposes as detailed below.

Contact Information

What personal data are collected?

For members we collect:

  • Full Name
  • Gender
  • Home or Contact Address
  • Home or Contact Phone Number
  • Mobile Number
  • Email Address
  • NISA Membership Number

In addition, for members under the age of 16, we also collect the contact information for a nominated parent or guardian.

Why is the data required?

Contact information is required by the Club to allow us to communicate with you about your relationship with the club (i.e. membership fee renewals, AGM) and inform you of the Club's activities, such as competitions, social events and practices.

When does the club collect the data?

The Club collects this data when you first join. We may also ask you to check and update any changes to your contact information periodically.

Who has access to this data?

The Club Team Manager holds the source Contact Information list. Other Club officers or coaches may hold copies or subsets of the contact list (i.e. email addresses) if required to support activities directly related to the Club.

How is the data stored?

Full contact information is stored on an encrypted spreadsheet. Email addresses are held by email client applications installed on password-protected, non-public computers and secure, cloud-based mail services.

Does the Club share this data?

To support the Club's activities, we may be required to provide Contact Information to:

  • Competition Organisers
  • National Ice Skating Association (NISA)
  • Club Insurance Provider?
    1. Any Others?

Financial Information

What personal data are collected?

  • Club Membership Payments
  • Insurance Payments
  • Payment of Competition and Associated Fees (i.e. travel)
  • Costume and Equipment Payments
  • Social Event and Ad hoc Payments
  • Outstanding, Pending or Late Payments

Why is the data required?

These data are used to make up the Club accounts and ensure that all members contribute fairly to the financial cost of running the club.

When does the club collect the data?

Payment records are created when the Club makes a request to Club members. The record is updated each time payment is made. Club membership is collected monthly by Direct Debit. Insurance payments are typically collected annually. All other payments are requested and collected on an ad hoc basis depending on the timing of the competition or event.

Who has access to this data?

The Club Team Manager has day-to-day responsibility for making payment requests and recording payments by members. The Club Finance officer has oversight of payments made directly into the Club bank account by members through either Direct Debit or direct transfers. Payments are identified CHECK THIS the member's bank account number and a payment reference.

How is the data stored?

Membership payments are recorded by the Club Finance officer in a spreadsheet on a password-protected, non-publicly accessible computer. Membership payments are also logged by the Club's bank system and accessible through the bank's secure portal. For all other transactions, members' outstanding and completed payments are recorded in a spreadsheet held by the Team Manager on a password-protected, non-publicly accessible computer.

Does the Club share this data?

Apart from Club bank account records that may identify payee personal information, the Club does not share this data with other 3rd parties.

Anonymised, aggregated financial information may be shared with members for reporting purposes, for example at the Club AGM.

Medical Information

Members' Medical Information falls within the definition of Special Category Data as defined by Section 9 of the GDPR. This imposes more stringent conditions on how the Club obtains consent, collects, stores and uses this data.

What personal data are collected?

  • Full Name
  • Address
  • Emergency Contact Name
  • Emergency Contact Phone Number
  • Registered Doctor or Surgery Name
  • Registered Doctor or Surgery Address
  • Record of common medical conditions
  • Current medication or treatments, including dosage
  • Tetanus Vaccine status
  • Permission to administer non-prescription painkillers
  • Special dietary requirements
  • Additional medical information

Why is the data required?

In case of an injury or other medical incident, officers of the club or coaches may use this information to determine the appropriate course of action or to assist medical staff in their treatment.

When does the club collect the data?

Medical questionnaires are usually issued to be completed before the first competition of each season. Members are expected to provide additional information at any time if their medical status or associated details change.

Who has access to this data?

The Team Manager holds the medical information records. During competitions or otherwise in loco parentis, the Team Manager, Club coaches and other nominated club members ('chaperones') may access the medical information in order to contact a member's doctor or emergency number, take action for an injury or illness or provide a medical professional with information to support treatment.

How is the data stored?

TO BE DISCUSSED

Does the Club share this data?

Medical information will only be shared with other authorised Club officers, coaches, medical professionals or the emergency services in response to an injury or illness.

As Special Category Data, Club officers, coaches and other members granted access to medical records should ensure that the information is securely stored and not transferred by any means (for example, verbal, written or electronic) to unauthorised recipients.

Permissions and Consent

What personal data are collected?

  • Photography Permission

Why is the data required?

Photography Permission allows the Club to acquire and store still and video images of Club performances, events and other activities. These are used to promote the activities of the Club on the Club website, in the press and on other ad hoc promotional material, for example event flyers.

Note that consent to include personally identifying information alongside a photograph or video is not included in this Permission. In these cases consent from the members being photographed or recorded would have to be sought explicitly.

When does the club collect the data?

A member will be asked to complete a photography permission form on joining the Club. Permission may occasionally be requested again if the conditions of use are deemed to have changed significantly.

Who has access to this data?

Once completed, the Team Manager, coaches and other Club officers will have access to the Photography permission forms.

How is the data stored?

Completed photography permission forms are retained by the Team Manager.

Does the Club share this data?

A Club officer (typically the Team Manager) will only confirm to a 3rd party that consent has been obtained from all members participating in a photograph or video recording.

Safeguarding Requirements

Safeguarding issues can vary considerably in their seriousness and scope. Responsibility for the initial management and reporting of safeguarding issues within the Club lies with the Safeguarding officer.

A safeguarding incident or concern should be reported to the Safeguarding officer as soon as possible. Depending on the severity of the incident, the Safeguarding officer may need to record identifying personal data and share this with other Club officers, coaches and NISA. For very serious incidents, the Safeguarding officer may also be required to share personal data with other external agencies, including government bodies or law-enforcement agencies.

In line with these responsibilities, the Safeguarding officer and any other Club officials directly involved in the safeguarding issue should share information only with other parties that have a legitimate need to know.

For Club officers

In order to carry out their roles, Club officers and other Club members may be granted access to members' personal data in line with this GDPR statement. When storing or handling personal information, you should consider the following practical points:

  • Ensure that all electronic and printed personal data are stored securely, especially when at the rink or away at competitions.
  • Avoid printing out personal information unless absolutely required. Make sure any printed material is stored so that it cannot be read without authorisation.
  • Printed matter should be disposed of in a way that renders any personal data illegible, i.e. shredding or burning.
  • Change your password regularly on devices used to store personal data.
  • Avoid transferring electronic records using memory sticks or other mobile sharing devices as these are easily lost or misplaced.
  • Personal data stored on a computer should be password-protected.
  • If your computer uses a local backup disk or a cloud backup service, ensure that these are also secure.
  • If personal data are received by email, either copy the data to a separate file that can be password-protected or password-protect the email.
  • Be careful when forwarding emails. Check that any sensitive or personal data not required by the recipient has been removed.
  • If sending a group email, use the BCC option to prevent recipients from seeing each other's email addresses.
  • Take care using cloud-based data storage or email services. Ensure that the service provider is reputable and make sure all personal data are encrypted and password-protected.
  • Take care when disposing of a computer that has been used to store personal data. If in doubt, ask a reputable computer repair service for advice.
  • Do not pass on members' contact details to any third party without the members' permission, even if the request is apparently benign.

Data Breaches

This section is an abridged and adapted copy of the ICO Guidance on Data Breaches.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Personal data breaches can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

If any coach, Club officer, member or other party becomes aware or suspects a data breach, they should notify one of the members of the Club Data Protection Team listed below.

On receipt of a data breach notification, the Club Data Protection Team will:

  • Assess whether a personal data breach has occurred;
  • If possible, take action to contain the scope and spread of the data breach by;
  • Assess the severity of the breach against the 'rights and freedoms' of the affected individuals.
  • If the Data Protection Team determine that the data breach poses a risk to the affected individuals' rights and freedoms, then they must notify the ICO through their reporting portal. The ICO must be notified within 72 hours of the first breach report.
  • If the breach is assessed as 'high risk', notify individuals that may be affected by the breach;

If there is any doubt that the data breach meets the ICO reporting threshold, the Data Protection Team should seek advice from the ICO.

In this context, the 'rights and freedoms' of an individual is the requirement to be protected from the consequences of a personal data breach that

"[...] results in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."

If the Data Protection Team determine that the breach meets the threshold for notifying the ICO, they will provide the following information, where known:

  • a non-technical description of the nature of the data breach;
  • a Club contact point. This will typically be a member of the Data Protection Team;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Subject Access Requests

    How to Make a Request

    Any individual has the right to access their personal information.

    The Club only holds personal data for members and, in the case of junior members, information about their parents or guardians.

    Members, or their parents or guardians, may request a copy of their personal data held by the Club. Note that parents or guardians do not have an automatic right to see their child's data; GDPR grants the right of access only to the child.

    The request can be made either verbally or in writing (hardcopy or electronic). The request can be made to any Club officer, but it would help us if the request is made to a member of the Club Data Protection Team. We may ask for identification to confirm your identity and right to see the requested data before we begin acting on the request. You are entitled to make a request via a third party, but we will take reasonable steps to ensure that the third party is acting on your behalf. We will not normally charge a fee to process the request, but may be entitled to recover reasonable costs if the request is subsequently deemed to be unfounded or you make multiple requests, as allowed by the GDPR.

    How We Will Process Your Request

    Once the Club receives the request, by law we must respond within a calendar month, although the Club is allowed to extend the response time by a further 2 months if the requesting individual has made multiple requests, or the request is complex.

    If the request has been made to a Club officer who is not part of the Data Protection Team, the officer should seek to inform the Team as soon as possible.

    The Data Protection Team will keep a record of all Subject Access Requests and the responses.

    Under certain circumstances we may legally refuse to process the request, for example if it would reveal another individual's personal data. If this is the case, we will:

    • record the reason for refusal as part of the request history;
    • inform you why the request has been refused;
    • inform you of your right to make a complaint to the ICO or another supervisory authority;
    • inform you of your ability to seek to enforce this right through a judicial remedy.

    Responses will be provided in electronic format (typically email) unless a request is made for a hard copy. Electronic responses containing your personal data will be password-protected and the individual will be notified of the password in a separate communication.

    What You are Entitled to See

    You are entitled to see:

    • Any personal data that relates directly to you;
    • A brief explanation of the meaning of the personal data if that meaning is not clear, for example if the data includes coded or abbreviated information;
    • Supplementary information about how your personal data is stored, secured, transferred and shared. In most circumstances, this will be in line with the personal data category descriptions listed above.

    Club Data Protection Team

    Ailsa Wiggans, Paul McNeil

    Club Safeguarding

    Ailsa Wiggans