Data Protection
Titans Community Foundation
Data Protection Policy
Legislation/Guidance
Complies with Data Protection Act 2018
The General Data Protection Regulation
Protection of Freedoms Act 2012
ICO CCTV Code of Practice
This Policy will be reviewed and revised annually by RRUFC and TCF to ensure it meets business and legal requirements.
Reviewed & Revised
September 2024
THE POLICY
The Titans Community Foundation will comply with the law relating to the privacy of individual or personal information as contained in the Data Protection Act 2018, the General Data Protection Regulation, the Protection of Freedoms Act 2012 and the ICO CCTV Code of Practice.
Compliance will be against the 7 core principles contained within the GDPR, namely:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
RRUFC and the Titans Community Foundation aim to ensure that all personal data collected about staff, players, volunteers, schools and groups, and other individuals, is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
This policy applies to all personal data, regardless of whether it is in paper or electronic format.
Legislation and guidance
This policy meets the requirements of the GDPR and the provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests.
It meets the requirements of the Protection of Freedoms Act 2012 when referring to the use of biometric data.
It also reflects the ICO’s code of practice for the use of surveillance cameras and personal information. In addition, this policy complies with our funding agreement and articles of association.
The Policy will be reviewed annually and updated in light of any further legislation.
Terms & Definitions
Personal data
Any information relating to an identified, or identifiable, individual. This may include the individual’s:
• Name (including initials)
• Identification number
• Location data
• Online identifier, such as a username
It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Special categories of personal data
Personal data which is more sensitive and so needs more protection, including information about an individual’s:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetics
• Biometrics (such as fingerprints, retina and iris patterns), where used for identification purposes
• Health – physical or mental
• Sex life or sexual orientation
Processing
Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. Processing can be automated or manual.
Data Subject
The identified or identifiable individual whose personal data is held or processed.
Data Controller
A person or organisation that determines the purposes and the means of processing of personal data.
Data Processor
A person or other body, who processes personal data on behalf of the data controller.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Data protection principles
The GDPR is based on data protection principles that we must comply with.
The principles say that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary for the purposes for which it is processed
- Processed in a way that ensures it is appropriately secure
Limitation, minimisation and accuracy
- We will only collect personal data for specified, explicit and legitimate reasons.
- We will explain these reasons to the individuals when we first collect their data.
- If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary.
- Staff must only process personal data where it is necessary in order to do their jobs.
When staff no longer need the personal data they hold, they must ensure it is deleted or anonymised.
Sharing personal data
We will not normally share personal data with anyone else, but may do so where:
- There is an issue with a member of staff/volunteer/club member that puts the safety of our staff at risk
- We need to liaise with other agencies – we will seek consent as necessary before doing this
- Our suppliers or contractors need data to enable us to provide services to our staff and players – for example, official bodies.
When doing this, we will:
- Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law
- Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
- Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud
- The apprehension or prosecution of offenders
- The assessment or collection of tax owed to HMRC
- In connection with legal proceedings
- Where the disclosure is required to satisfy our safeguarding obligations
- Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided.
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
CCTV
- We use CCTV in various locations around the Club site to ensure it remains safe.
- We will adhere to the ICO’s code of practice for the use of CCTV.
- We do not need to ask individuals’ permission to use CCTV.
- Security cameras are clearly visible and accompanied by prominent signs explaining that CCTV is in use.
Any enquiries about the CCTV system should be directed to the General Manager.
Photographs and videos
As part of our school and playing activities, we may take photographs and record images of individuals.
We will obtain consent from parents/carers, and/or schools, for photographs and videos to be taken of any children for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used to both the schools involved.
Uses may include:
- Within the club on notice boards and in brochures, newsletters, etc.
- Outside of school by external agencies such as newspapers, marketing campaigns
- Online on our Club website or social media pages
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further. When using photographs and videos in this way we will not accompany them with any other personal information about the child/individual, to ensure they cannot be identified. Staff and volunteers must ensure that appropriate consent has been obtained before utilising any image or recording.
Data security and storage of records
We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.
In particular:
- Paper-based records and encrypted portable electronic devices that contain personal data are kept under lock and key when not in use
- Papers containing confidential personal data must not be left on office desks, on staffroom tables, pinned to notice/display boards, or left anywhere else where there is general access
- Hard copy personal information should not be taken off site, unless required for the proper performance of an employee’s duties
- Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected
- Data breaches will be detected and reported to the Trustees
Disposal of records
Personal data that is no longer needed will be disposed of securely.
Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.