Data Protection Policy – GDPR

The Club, like any other body, is required to deal correctly with any personal information (described as “data”) that we may hold. “Data” includes names, addresses, telephone numbers, e-mail addresses and other information relating to players, members, coaches, officials and any other individual contacts. This policy has been updated to reflect the revised requirements of the 2018 General Data Protection Regulation (GDPR) which supersedes the Data Protection Act and should be read in conjunction with the club’s ‘Privacy Notice’.

EPBC will put in place measures to comply with the six data protection principles laid down by GDPR. These are that personal data must be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accurate and kept up to date
• Deleted when no longer required
• Held securely

Some data, known as “sensitive information”, is particularly closely regulated. This includes biometric data, ethnic origin, political opinion, religion, physical or mental health conditions or legal convictions. These details should not normally be needed, except possibly regarding an individual member’s medical condition, if relevant to their participation in club activities.

If so, and if the details are to be recorded, the explicit consent of the person will be obtained. This information may only be shared without waiting for consent if it is in the member’s own interests so to do, e.g. if urgent medical aid is needed.

Specific data protection obligations upon board members and officers of the club, who may be party to a greater level of members’ information, are covered in separate guidelines.

For all members, some implications of the regulations are:

• Personal data must only be held if the legitimate purposes for which it is used are defined.
• Such information may only be passed to others within the Club, as defined by the club privacy notice or to affiliated organizations or others, such as the local council, who have legitimate need of it and for which members’ consent has been given.
• Non-members must not have access to members’ personal information; i.e computers & files should be password protected where practicable and hard copies stored securely.
• Out of date files must be securely deleted & old paper records shredded when superseded by updates, when the data is no longer required or on cessation of club membership.
• Before disposal of computers or other devices, personal data must be properly wiped.
• Members will need to complete a detailed ‘disclosure permission’ form which will be included with membership application and renewal papers.
• The club ‘Privacy Notice’ provided with the former (or to all members when revised) which explains in some detail the requirements and consequences of GDPR should be read.
• Reference is to be made to the club secretary or membership secretary to confirm that express consent has been given before making any contact data public, e.g. in handbooks, social media or websites. Otherwise express permission for any such action is to be sought and documented.
• Personal details must under no circumstances be passed to other organisations for commercial purposes.

2018 gdpr v1