The club needs to process personal data and private information in order to deliver many of its services. The club’s objective is to use personal data and private information in the most efficient and effective way possible to deliver better services, and to enhance privacy.
The club will strive to:
Adopt the least intrusive approach. Where services can be delivered or improved without affecting personal privacy, they will be.
Process all personal data fairly and lawfully throughout its whole lifecycle.
Ensure that any processing of personal data (particularly special categories of personal data) is justified on one or other of the legal bases set out in the data protection legislation, and ensure that any dealing with private information is compatible with individuals’ rights set out in human rights legislation.
Ensure that personal data or private information is obtained fairly and transparently.
Use personal data and private information throughout its whole lifecycle in a way which is compatible with the purposes which were communicated at the point of collection or before further processing, or for other purposes which are legally permitted.
Only share personal data or private information where the club has the individual’s consent or where this is legally permitted, or where the club is required to do so by law. Where this is done without consent, the club ensures that there is openness and accountability in the process of striking a fair balance between individual rights and the wider public interest.
Collect and process only the minimum relevant amount of personal data or private information which is required to fulfil the purpose.
Take every reasonable step to ensure that data are accurate and where necessary kept up to date, and to ensure that inaccurate data are erased or rectified without delay.
Ensure that personal data and private information are kept in a form which permits identification for no longer than necessary, and that data and information are no longer retained once the purpose for processing has been fulfilled. Such data and information will be securely destroyed, in line with specific data retention policies.
Process data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, using appropriate technical and organisational measures, including as appropriate the pseudonymisation and encryption of data, ensuring systems and services are resilient, and availability and access can be restored appropriately, and regularly testing and checking how effective these measures are.
Demonstrate responsibility and accountability for all matters in this Policy Statement, and keep appropriate records of processing activities.
Not transfer personal data or private information to any country outside the European Economic Area unless that country ensures an adequate level of privacy protection, or the club has provided appropriate safeguards.
Facilitate the exercise of data subject rights, including the right of access, the right to rectify or complete data, the right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object, and right not to be subject to a decision based solely on automated processing.
Ensure data protection by design, by implementing appropriate technical and organisational measures which are designed to implement the data protection principles above, in an effective manner and to integrate the necessary safeguards into the processing.
Ensure data protection by default, so that by default only data which are necessary for each specific purpose of the processing are processed, and by default data are not made accessible to an indefinite number of people.
Use only data processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of data protection legislation and ensure the rights of data subjects are protected.
Notify personal data breaches to the ICO, and communicate personal data breaches to data subjects as required by data protection legislation and wherever the ICO is notified.
Carry out data protection impact assessments as required by data protection legislation.
Ensure the club’s data protection officer is accessible to data subjects with regard to all issues about the processing of their data, or the exercise of their rights under data protection legislation.