Data Protection Policy
1.0 Policy aims
This policy is designed to:
a. Ensure that Oundle Rugby Football Club Ltd, complies with its legal obligations under the data protection legislation (e.g. GDPR).
b. Set out standards with which Oundle Rugby Football Club Ltd, must comply when collecting, handling, disclosing or otherwise using data about individuals.
c. Ensure information about individuals is treated with appropriate care.
d. Compliance with this policy is mandatory:
e. By any member, where failure to comply may lead to disciplinary action being taken that may ultimately result in termination of membership.
f. By the club, where failure to comply may result in substantial fines and other sanctions.
2.0 Scope of policy
This policy applies to all members of the Oundle Rugby Football Club Ltd, including guests and volunteers.
It is our responsibility to ensure that suppliers and other third parties who store, access or otherwise use personal data on our behalf also comply with the requirements of this policy.
All members are expected to read and comply with functional guidance relating to their status within the club
3.0 Data Protection Coordinator
The club has assigned a Data Protection Coordinator, who has day-to-day responsibility for
overseeing this policy. Please refer all queries on this policy to firstname.lastname@example.org
4.0 Personal data
The legislation applies to ‘personal data’, which includes any information about a living person from which they can be identified. It includes both information about them (e.g. name, age, email, address, job title, gender) as well as opinions about them. ORFC typically holds personal data about potential, current and former employees, members and suppliers.
Special precautions will be taken when dealing with sensitive personal data. ‘Sensitive personal data’ includes information about someone’s physical or mental health (including that someone is in good health), political or religious beliefs, racial or ethnic origin, trade union membership, sexual orientation as well as genetic and biometric information. No one will have access to or deal with this data unless their role requires this.
5.0 Key requirements
Oundle Rugby Football Club Ltd, takes the following approach to dealing with personal data:
We will only collect or use personal data if we do so for a legitimate reason and tell the individual concerned what we are doing with their data (e.g. by privacy notices on membership and registration forms, club websites).
Legitimate reasons include where we:
# have the consent of the individual concerned;
# are doing so for legitimate club interests (having balanced these against any detriment to the individual); or
# need to do so to comply with laws (e.g. employment laws) or a contract with that individual.
# Personal data will be used only for the purposes for which it was collected. This means that we will not use data for any purpose about which we have not informed the individual or which would not be obvious to that individual.
# Don’t collect more than is required
# The personal data we collect will be adequate, relevant and limited to what is necessary in relation to the purposes for which it was collected. We will not ask for more personal data than we need for the legitimate purpose for which we are collecting it.
# Keep up-to-date
# The personal data must be accurate and kept up-to-date. We will encourage individuals to inform us of any changes to their information (and update our records accordingly). We will not use personal data we suspect might be out-of-date without confirming its accuracy.
# Don’t keep for too long
Personal data will not be kept for longer than is required in order to meet the legitimate purpose for which it was collected. This requirement is subject to other laws and obligations that oblige us to retain information for certain periods (e.g. retention of finance or tax records). Data will be retained for the period defined in the Retention Schedule and ultimately in departmental Data Asset Registers.
Respect individuals rights
Individuals have a number of rights under data protection legislation (e.g. GDPR) which we will respect. These include the right to:
[*]request copies of their personal data held by us;
[*]ask us to refrain from sending them direct marketing materials;
[*]ask us to correct any inaccurate data;
[*]receive copies of personal data originally provided by them in a commonly used open format;
[*]ask us to delete or restrict our use of their personal data; and
[*]object to the use of their data.
Personal data will be kept and used securely. This applies to our information systems, and our day-to-day handling of personal data.
Assess and monitor third parties
Before appointing a third party to collect, store or process personal data for us we will satisfy ourselves that they will act in accordance with the requirements of this policy. As part of this we will put in place a written contract that specifies this.
Check before transferring outside of Europe
We will only give someone outside the European Economic Area access to, or a copy of, personal data if we follow certain precautions. Any member must speak to the Data Protection Coordinator before allowing any transfers of data outside the UK.
Oundle Rugby Football Club Ltd, recognises the importance of training its members who regularly use personal data on our behalf. Mandatory training will be provided but employees should contact the Data Protection Coordinator if they require further guidance.
7.0 Breach Notification
In the event of a data breach we will conform to the statutory reporting obligations under the data protection legislation (e.g. GDPR).