The purpose of this policy is to tell members how their personal data is obtained, used, stored, and deleted.
9th June 2018 Reviewed August 2020
General policy
London Sports and Social Club (LSSC) is committed to complying with data protection law and to respecting the privacy rights of individuals. LSSC needs to hold and use information about its members. Some of this information is “personal data” as this term is defined in the Data Protection Act 1998 (the “DPA”). Accordingly, we are obliged to comply with the requirements of the DPA and the GDPR. This policy is to provide you with information regarding those requirements and your responsibilities and rights under the DPA and GDPR.
LSSC holds, uses and otherwise processes information about individuals who are club members, who participate in our events and activities. All club members should bear in mind that, where this information constitutes personal data that relates to a living individual, the club is obliged to comply with the requirements of the DPA and GDPR.
LSSC is required to ensure that personal data it holds is:
– processed fairly and lawfully;
– processed only for specific purposes;
– adequate, relevant and not excessive;
– accurate and kept up to date;
– kept for no longer than is necessary;
– kept in accordance with your rights; and
– kept securely.
In essence, this means that we aim to tell members and any other individuals whose personal information we hold, what information we hold, why and for what purpose we hold it, from whom we have obtained it and to whom we will disclose it. We also aim to ensure that the personal data we hold is up to date and held securely.
The club and the members of the committee hold some or all of the following data about some or all members:
- Name
- Postal and email addresses
- Phone numbers
- Whether a member is sighted or not.
- Medical information relevant to the activities that the member may participate in
- Emergency contact data may also be held
The data will be held in electronic and paper form, both kept securely.
The data will always be obtained directly from an individual person on becoming a member of the club.
The data is used in order to contact members to advise them about LSSC social events and activities as well as in organising sporting activities. It is also used for social purposes, including, but not limited to, distribution of magazines and other literature.
Data may be distributed in paper or electronic form between members.
Publication of personal data in paper form may occur in membership and contact lists. Publication on publicly accessible web sites may include a name only. Names with offices and photographs may be published.
The data will not be available for commercial purposes.
Personal Information of club members
Personal information on club members is primarily held by the membership secretary, on a secure, password protected computer.
The club committee, and organisers of events, will have access to more complete membership information for the purposes of event organisation and club administration. This is transmitted as either a printed paper document or via e-mail.
Personal information on members who have not renewed their membership is retained by the membership secretary (but not published in membership lists) for a period of one year after the date at which their membership lapses.
Sensitive Personal Information
For participation in certain activities the club may request individuals to disclose relevant medical conditions in order that the members organising the activity are able to respond appropriately in the event of an accident or medical emergency. These details are collected, voluntarily, on the membership form and are kept confidential and only referred to where relevant for the activity for which they were provided.
Members may withdraw consent for the club to hold this information at any time.
Obligations
Member’s Obligations relating to Personal Data:
In agreeing to your terms and conditions of membership with LSSC, you have consented to LSSC holding, using and otherwise processing personal data and sensitive personal data relating to you for all purposes reasonably arising out of your membership of LSSC.
Personal data relating to you will be held by LSSC both manually and on a computer. Such data shall only be kept in accordance with the records retention policy. Other members of the club may have access to your personal data as may be required to fulfil the purposes specified above.
We are required to ensure that all personal data which we hold is accurate and kept up to date. In order to enable us to comply with this obligation, you are requested to promptly notify LSSC of any changes to your personal details including any changes to your name, address, and contact details.
Obligations relating to the Personal Data of Others
In the course of your duties as member of the club organising events you may be required to process personal data which relates to other individuals. You are required to comply with the data protection principles set out above and with any specific instructions given to you regarding such personal data.
In particular, you must not, save in the proper performance of your duties during your membership, make use of, divulge or communicate to any person or any organisation, company and/or firm, any personal data relating to any third parties.
You should be aware that in certain circumstances by making an unauthorised disclosure of personal data you will be committing a criminal offence.
Rights
Under Data Protection Laws individuals have certain rights (Rights) in relation to their own personal data. In summary these are:
- The right to access their personal data, usually referred to as a subject access request;
- The right to have their personal data rectified;
- The right to have their personal data erased, usually referred to as the right to be forgotten;
- The right to restrict processing of their personal data;
- The right to object to receiving direct marketing materials;
- The right to portability of their personal data;
- The right to object to processing of their personal data; and
- The right to not be subject to a decision made solely by automated data processing.
On certain grounds, individuals whose personal information is held by the club are entitled to prevent LSSC from processing information or require that processing is stopped if the processing or the purpose for which the data is processed is causing or is likely to cause substantial damage or distress to the individual, or another, and that damage or distress is, or would be, unwarranted.
If you consider that the processing of your data will cause damage or distress, you should notify the club membership secretary. LSSC will respond to you within 21 days confirming that the data will not be processed, or providing reasons why preventing the processing of personal data would be unjustified.
You are entitled to make a subject access request and (subject to certain legal exemptions) to receive copies of your personal data which we hold.
If you wish to exercise this right, you must make a request in writing to the club membership secretary.
If, on investigation, it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed or corrected. You will receive written confirmation that this has been done where appropriate.
Responsibility
What this all means for you can be summarised as follows:
- Treat all personal data with respect;
- Treat all personal data how you would want your own personal data to be treated;
- Immediately notify the club chairperson if any individual says or does anything which gives the appearance of them wanting to invoke any rights in relation to personal data relating to them;
- Take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals; and
- Immediately notify the club chairperson if you become aware of or suspect the loss of any personal data or any item containing personal data.
If you would like more information about this policy please contact the club chairperson.
Appendix A- Useful information
- Key words in relation to data protection
- Personal data is data that relates to a living individual who can be identified from that data (or from that data and other information in or likely to come into our possession). That living individual might be an employee, customer, prospective customer, supplier, contractor or contact, and that personal data might be written, oral or visual (e.g. CCTV).
- Identifiable means that the individual can be distinguished from a group of individuals (although the name of that individual need not be ascertainable). The data might identify an individual on its own (e.g. if a name or video footage) or might do if taken together with other information available to or obtainable by us (e.g. a job title and company name).
- Data subject is the living individual to whom the relevant personal data relates.
- Processing is widely defined under data protection law and generally any action taken by us in respect of personal data will fall under the definition, including for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images.
- Data controller is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.
- Data processor is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an outsourced payroll provider will be a data processor.
- Personal data
- Data will relate to an individual and therefore be their personal data if it:
- identifies the individual. For instance, names, addresses, telephone numbers and email addresses;
- has content that is about the individual personally. For instance, medical records, credit history, a recording of their actions, or contact details;
- relates to property of the individual, for example their home, their car or other possessions;
- could be processed to learn, record or decide something about the individual (or this is a consequence of processing). For instance, if you are able to link the data to the individual to tell you something about them, this will relate to the individual (e.g. salary details for a post where there is only one named individual in that post, or a telephone bill for the occupier of a property where there is only one occupant);
- is biographical in a significant sense, that is it does more than record the individual’s connection with or involvement in a matter or event which has no personal connotations for them. For instance, if an individual’s name appears on a list of attendees of an organisation meeting this may not relate to the individual and may be more likely to relate to the company they represent;
- has the individual as its focus, that is the information relates to the individual personally rather than to some other person or a transaction or event he was involved in. For instance, if a work meeting is to discuss the individual’s performance this is likely to relate to the individual;
- affects the individual’s privacy, whether in their personal, family, organisation or professional capacity, for instance, email address or location and work email addresses can also be personal data;
- is an expression of opinion about the individual; or
- is an indication of our (or any other person’s) intentions towards the individual (e.g. how a complaint by that individual will be dealt with).
- Information about companies or other legal persons who are not living individuals is not personal data. However, information about directors, shareholders, officers and employees, and about sole traders or partners, is often personal data, so business related information can often be personal data.
- Examples of information likely to constitute personal data:
- Unique names;
- Names together with email addresses or other contact details;
- Job title and employer (if there is only one person in the position);
- Video and photographic images;
- Information about individuals obtained as a result of Safeguarding checks;
- Medical and disability information;
- CCTV images;
- Member profile information (e.g. marketing preferences); and
- Financial information and accounts (e.g. information about expenses and benefits entitlements, income and expenditure).
- Lawful basis for processing
- For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the Data Protection Laws.
- For the processing of ordinary personal data in our organisation these may include, among other things:
- the data subject has given their consent to the processing (perhaps on their membership application form or when they registered on the club’s website)
- the processing is necessary for the performance of a contract with the data subject (for example, for processing membership subscriptions);
- the processing is necessary for compliance with a legal obligation to which the data controller is subject (such as reporting employee PAYE deductions to the tax authorities); or
- the processing is necessary for the legitimate interest reasons of the data controller or a third party (for example, keeping in touch with members, players, participants about competition dates, upcoming fixtures or access to club facilities).
- Special category data
- Special category data under the Data Protection Laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.
- Under Data Protection Laws this type of information is known as special category data and criminal records history becomes its own special category which is treated for some parts the same as special category data. Previously these types of personal data were referred to as sensitive personal data and some people may continue to use this term.
- To lawfully process special categories of personal data we must also ensure that either the individual has given their explicit consent to the processing or that another of the following conditions has been met:
- the processing is necessary for the performance of our obligations under employment law;
- the processing is necessary to protect the vital interests of the data subject. The ICO has previously indicated that this condition is unlikely to be met other than in a life or death or other extreme situation;
- the processing relates to information manifestly made public by the data subject;
- the processing is necessary for the purpose of establishing, exercising or defending legal claims; or
- the processing is necessary for the purpose of preventative or occupational medicine or for the assessment of the working capacity of the employee.
- To lawfully process personal data relating to criminal records and history there are even more limited reasons, and we must either:
- ensure that the individual has given their explicit consent to the processing; or
- ensure that our processing of that criminal records history is necessary under a legal requirement imposed upon us.
- Practical matters
Whilst you should always apply a common sense approach to how you use and safeguard personal data, and treat personal data with care and respect, set out below are some examples of dos and don’ts:
- Do not take personal data out of the organisation’s premises (unless absolutely necessary).
- Only disclose your unique logins and passwords for any of our IT systems to authorised personnel (e.g. IT) and not to anyone else.
- Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, etc. This would include paper files, mobile phones, laptops, tablets, memory sticks etc.
- Never leave any items containing personal data in unsecure locations, e.g. in a car on your drive overnight. This would include paper files, mobile phones, laptops, tablets, memory sticks etc.
- Do encrypt laptops, mobile devices and removable storage devices containing personal data.
- Do lock laptops, files, mobile devices and removable storage devices containing personal data away and out of sight when not in use.
- Do password protect documents and databases containing personal data.
- Never use removable storage media to store personal data unless the personal data on the media is encrypted.
- When picking up printing from any shared printer always check to make sure you only have the printed matter that you expect, and no third party’s printing appears in the printing.
- Use confidential waste disposal for any papers containing personal data. Do not place these into the ordinary waste, or place them in a bin or skip etc.; either use a confidential waste service or have them shredded before placing them in the ordinary waste disposal.
- Do dispose of any materials containing personal data securely, whether the materials are paper based or electronic.
- When in a public place, e.g. a train or café, be careful as to who might be able to see the information on the screen of any device you are using when you have personal information on display. If necessary, move location or change to a different task.
- Do ensure that your screen faces away from prying eyes if you are processing personal data. Personal data should only be accessed and seen by those who need to see it.
- Do not leave personal data lying around, store it securely.
- When speaking on the phone in a public place, take care not to use the full names of individuals or other identifying information, as you do not know who may overhear the conversation. Instead use initials or just first names to preserve confidentiality.
- Never act on instructions from someone unless you are absolutely sure of their identity and if you are unsure then take steps to determine their identity. This is particularly so where the instructions relate to information which may be sensitive or damaging if it got into the hands of a third party or where the instructions involve money, valuable goods or items or cannot easily be reversed.
- Do not transfer personal data to any third party without prior written consent.
- Do notify the Chairperson immediately of any suspected security breaches or loss of personal data.
- If any personal data is lost, or any devices or materials containing any personal data are lost, report it immediately to the Chairperson.