GDPR / Data Protection Policy

Chepstow RFC

Date: 1st August 2024

Review date: 1st August 2025

 

Table of Contents

Policy statement

Procedure

Legal framework

Principles under GDPR

Lawful basis for processing

Individual rights

Personal data breaches

Availability and Review

Appendix: Terminology


Policy statement

Chepstow RFC holds, manages, and uses individuals’ data as part of the day-to-day running of the Club. Chepstow RFC is committed to ensuring that personal data is collected, stored, and used in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018, together commonly referred to as GDPR.  This policy explains the procedures in place at Chepstow RFC in order to comply with GDPR.  This policy does not form part of any contract and Chepstow RFC may update it at any time.

 

Procedure

Legal framework

The UK General Data Protection Regulation and the Data Protection Act 2018 replaced the Data Protection Act 1998.  They give individuals more rights in relation to their personal data, whilst at the same time increasing the responsibility of organisations to keep personal data secure and to use it only for its intended purpose.  The legislation uses specific terminology, which is explained in the Appendix.  In the event of queries on any aspect of GDPR, full guidance is available from the Information Commissioner’s Office (ICO) website.

 

Responsibility

Everyone within Chepstow RFC has a personal responsibility for ensuring compliance with GDPR, but the club Committee has overall responsibility for data protection and adhering to the legislation.

 

Principles under GDPR

Chepstow RFC will adhere to the 7 key principles of the GDPR:

  1. Lawfulness, fairness, and transparency: Chepstow RFC will process personal data lawfully, fairly and in a transparent manner.  Specifically, Chepstow RFC will:
    • Carry out and regularly review a Data Audit which identifies the data currently processed, the purpose and appropriate lawful basis (or bases) for each processing activity, and any additional conditions required for processing special category data or criminal offence data.
    • Consider how the processing may affect individuals and justify any adverse impact.
    • Complete a Data Protection Impact Assessment for any type of processing which is likely to be high risk.
    • Only handle personal data in ways that people would reasonably expect, or be able to explain why any unexpected processing is justified.

  2. Purpose limitation: Chepstow RFC will collect data for specified, explicit and legitimate purposes and will not further process it in a manner that is incompatible with those purposes.  Specifically, Chepstow RFC will:
    • Identify its purposes for processing in the Data Audit.
    • Provide details of these purposes in a privacy notice for individuals.
    • Regularly review processing and update documentation as necessary.
    • Check that, if personal data is to be used for a new purpose other than a legal obligation or function set out in law, the new purpose is compatible with the original purpose, or otherwise obtain specific consent for the new purpose.

  3. Data minimisation: Chepstow RFC will ensure that data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.  Specifically, Chepstow RFC will:
    • Only collect personal data needed for specified purposes.
    • Hold sufficient personal data to properly fulfil those purposes.
    • Periodically review the data held and delete anything not needed.

  4. Accuracy: Chepstow RFC will ensure that data is accurate and, where necessary, kept up to date.  Specifically, Chepstow RFC will:
    • Have appropriate processes in place to check the accuracy of data created or collected, and record the source of data collected.
    • Identify review dates and update data as necessary.
    • Take reasonable steps to ensure that inaccurate personal data is erased or corrected without delay.
    • Clearly identify any mistakes as such if a mistake needs to be kept (e.g., as part of an audit trail).
    • Clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.

  5. Storage limitation: Chepstow RFC will keep personal data for no longer than is necessary for the purposes for which it is processed.  Specifically, Chepstow RFC will:
    • Know what personal data is held and why it is needed, via the Data Audit.
    • Carefully consider and be able to justify how long personal data is kept.
    • Identify standard retention periods where possible.
    • Regularly review information and erase or anonymise personal data when it is no longer needed.
    • Have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.

  6. Integrity and confidentiality: Chepstow RFC will process personal data securely.  Specifically, Chepstow RFC will:
    • Have appropriate technical and organisational security measures in place to protect personal data from unauthorised or unlawful processing and from accidental loss, destruction, or damage, e.g., restricting access to data to those who need it, password-protected accounts, lockable cabinets for paper records, and encryption of electronic records.

  7. Accountability: Chepstow RFC will ensure that technical and organisational measures are in place to implement the data protection principles and safeguard individual rights.  Specifically, Chepstow RFC will:
    • Regularly review and update this policy, the Data Audit, and any Data Protection Impact Assessments.
    • Maintain documentation of processing activities.
    • Hold written contracts with organisations that process personal data on its behalf.
    • Implement appropriate security measures.
    • Provide training to workers, volunteers, and members.
    • Record and, where necessary, report personal data breaches.

 

Lawful basis for processing

Chepstow RFC will identify and document a lawful basis for different processing activities in order to process personal data, special category data and criminal offence data. The lawful basis for processing will be one or more of the following:

  1. Legitimate interests: the processing is necessary for the Club’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This will include processes such as registering players; maintaining lists of players, members, and parents of children at the Club; providing player information to insurers; and providing an individual’s details to the WRU for regulatory or disciplinary purposes.
  2. Contract: the processing is necessary for a contract that the Club has with the individual (such as using someone’s contact and payment details to pay an employee) or because they have asked the Club to take specific steps before entering a contract.
  3. Legal obligation: the processing is necessary for the Club to comply with the law (not including contractual obligations), such as processing personal data by order of a court.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for the Club to perform a task in the public interest or the Club’s official functions, and the task or function has a clear basis in law.
  6. Consent: the individual has given clear consent for the Club to process their personal data for a specific purpose. Consent will be given through freely “opting in” with a positive action such as ticking a box.

 

Information about the purposes and the lawful basis for processing will be included in Chepstow RFC’s privacy notice.

 

Individual rights

Chepstow RFC will comply with the rights of individuals:

  1. Right to be informed: The Club will provide individuals with privacy information via a privacy notice.  This will be available as part of membership documentation, on the Club website, or by contacting the Club Secretary.
  2. Right of access: The Club will respond to subject access requests within one month* of the request unless an exemption applies, or the request is manifestly unfounded or excessive. 
  3. Right to rectification: The Club will respond to requests to rectify inaccurate personal data, or to complete incomplete data within one month*, unless an exemption applies, or the request is manifestly unfounded or excessive. 
  4. Right to erasure: The Club will respond to requests to erase personal data within one month* unless an exemption applies, or the request is manifestly unfounded or excessive. 
  5. Right to restrict processing: The Club will respond to requests to store personal data but not use it within one month* unless an exemption applies, or the request is manifestly unfounded or excessive. 
  6. Right to data portability: The Club will respond to requests to provide the personal data an individual has supplied in a structured, commonly used, and machine-readable format (e.g., CSV, XML or JSON) and, where technically feasible, transmit it directly to another controller, within one month* unless an exemption applies, or the request is manifestly unfounded or excessive. 
  7. Right to object: The Club will respond to requests to stop processing personal data within one month* unless an exemption applies, or the request is manifestly unfounded or excessive.  The Club will always respond to requests to opt out of direct marketing.
  8. Rights related to automated decision-making including profiling: The Club does not make decisions solely by automated means and does not use automated processing of personal data to evaluate things about an individual.

 

*The one-month timescale may be extended by up to a further two months where a request is complex or an individual has made several requests, in line with ICO guidance.  The individual will be told of any extension, and the reasons for it, within one month of the request.

 

Chepstow RFC will make a record of all requests or challenges made by individuals and the responses to these in a log.  The log will be stored securely.  The Committee will review the log regularly.

 

Personal data breaches

Where a personal data breach is identified, Chepstow RFC will assess the risk to the individuals concerned, e.g., of emotional distress or physical or material damage.  If the breach is likely to result in a risk to individuals’ rights and freedoms, Chepstow RFC will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.  If a breach is likely to result in a high risk to the rights and freedoms of individuals, Chepstow RFC will also notify the individuals directly and as soon as possible, so that they can take steps to protect themselves from the effects of the breach.  All personal data breaches, whether or not they are reported to the ICO, will be recorded in a log together with the facts of the breach, its effects, and the remedial action taken. The log will be stored securely.  The Committee will review the log regularly.

 

Availability and Review

Chepstow RFC will keep this policy available at the Club and on the Chepstow RFC website, so that anyone who needs to read it (such as workers, volunteers, contractors, or members of the public) can do so. 

The Committee will review this policy annually, or earlier if necessary, such as in the event of a data breach.

 

 

Appendix: Terminology

Data Subject: the individual whose data is held by an organisation

 

Data Controller: the main decision-maker when it comes to why and how people’s personal information is handled and how it is kept safe.  Chepstow RFC is a data controller.

Joint Controllers: joint controllers decide together why and how personal data will be processed and will have the same or similar reasons for using the data. 

 

Data Processor: a data processor acts on the instructions of a controller and would not do anything with the data that the controller had not requested.  Data processors are still obliged to protect the personal data they hold and to use it appropriately, in line with their contract with the data controller. 

 

Processing: doing anything with personal data, for example collecting it, storing it, or using it to contact someone.  Simply holding the data counts as processing.

 

Personal data: data which relates to an identified or identifiable living individual.  This could be as simple as a name or identification number, email address or telephone number. Information which is truly anonymous is not personal data. It can be held in physical or electronic format.

 

Special category data: sensitive data of the kinds listed below.  Processing it requires both a lawful basis and a separate, additional condition:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life or sexual orientation.