1. Introduction
- 1.1. The General Data Protection Regulation (GDPR) formally comes into effect on the 25th of May 2018. It expands on the existing Data Protection Act 1998. The legislation places a number of obligations on organisations in the way in which they handle personal information and makes organisations accountable for the use, gathering and storing of personal data. In recognition of the importance of the legislation, Level Playing Field (LPF) has adopted a GDPR and Data Protection Policy to provide a consistent framework for the effective and compliant use of the personal data which it holds and uses.
- 1.2. GDPR and the Data Protection Act 1998 affect the way in which personal data is collected, stored, processed and disclosed. They apply to both electronically stored and manual records.
2. About this Policy
- 2.1. LPF gathers data as a part of its charitable objectives. To ensure that this data is lawfully used and protected, this policy outlines the actions that LPF will carry out to safeguard against any improper use and data breaches, along with stating how data will be used. The policy also outlines the rights of individuals and organisations in obtaining the data that LPF holds.
- 2.2. The policy will be reviewed annually to ensure that LPF is compliant with GDPR and the resulting legal obligations.
3. Organisational awareness
- 3.1. The board of trustees and staff across LPF are aware of their lawful obligations towards data protection and the recent changes that GDPR imposes on LPF.
- 3.2. Staff and trustees will annually refresh their knowledge on GDPR to ensure they carry out their legal obligations relating to data protection.
- 3.3. New staff and trustees will go through an induction and training programme upon starting with LPF.
4. Privacy Notices
- 4.1. LPF will provide a clear and compliant privacy notice accessible to all. The notice will be stored on our website and can be requested in an alternative form.
- 4.2. Privacy notices will be shared annually across LPF's database through newsletters and emails.
5. Data Protection Principles
- 5.1. Stakeholder data, which may be provided electronically or manually, is processed by LPF and stored on a Customer Relationship Management System (CRM). Once personal data is received or sourced by LPF, it becomes subject to the DPA 98 and GDPR and thereafter will be processed (handled and protected) accordingly.
- 5.2. The Data Protection Principles form the backbone of the legislation and lay out the obligations with which data controllers must comply when processing personal data. The Society will comply with the Act and all personal data will be processed in accordance with 8 principles, which are:
- 5.2.1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
- 5.2.1.1. (a) at least one of the conditions in Schedule 2 is met, and
- 5.2.1.2. (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- *See Appendix 1 for Schedules 2 & 3
- 5.2.2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- 5.2.3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- 5.2.4. Personal data shall be accurate and, where necessary, kept up to date.
- 5.2.5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- 5.2.6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
- 5.2.7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- 5.2.8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. Lawful basis for processing and using data
- 6.1. LPF will only use data when prior consent has been obtained from the data subject, or when there is a lawful basis for processing the personal data, such as a need to comply with a common law or statutory obligation. At times data will be processed when a legitimate interest has been identified.
- 6.2. Level Playing Field (LPF) processes and uses personal data (and occasionally sensitive personal data) for the purposes of:
- 6.2.1. Administration of Membership Records
- 6.2.2. Addressing and supporting with enquiries and complaints
- 6.2.3. Sharing best practices and news stories (via newsletters and other means)
- 6.2.4. General business contacts and legitimate interests
- 6.2.5. Fundraising in Support of the Objectives of the Society
- 6.2.6. Staff Administration and other Human Resources Factors
7. Data Held
- 7.1. The personal data held by LPF vary according to the relationship and communication that stakeholders have with the charity. These are detailed below:
- 7.1.1. Members /Partners/ National Governing Bodies (NGO)
- 7.1.1.1. Your Title
- 7.1.1.2. Your Position (where employed by club or NGO)
- 7.1.1.3. Your First Name and Surname
- 7.1.1.4. Your Email
- 7.1.1.5. Your Address
- 7.1.1.6. Your Club or NGO you support/work for
- 7.1.2. Enquiry/Complaint Clients
- 7.1.2.1. Your Title
- 7.1.2.2. Your Position (where employed by club or NGO)
- 7.1.2.3. Your First Name and Surname
- 7.1.2.4. Your Email
- 7.1.2.5. Your Address
- 7.1.2.6. Your Club or NGO you support/work for
- 7.1.2.7. Emails relating to the case, which may hold additional personal information such as disability
- 7.1.3. Staff Administration
- 7.1.3.1. Your Title
- 7.1.3.2. Your Position (where employed by club or NGO)
- 7.1.3.3. Your First Name and Surname
- 7.1.3.4. Your Email
- 7.1.3.5. Your Address
- 7.1.3.6. Next of Kin details
- 7.1.3.7. HR Details
- 7.1.3.8. Payroll details
- 7.2. Data that LPF retains is sourced in a number of ways, primarily through:
- 7.2.1. Newsletter sign up
- 7.2.1.1. LPF’s Website
- 7.2.1.2. Manual update at LPF events with consent
- 7.2.2. Email enquiry and complaint procedures
- 7.2.3. Online (website) enquiry and complaint procedures
- 7.2.4. Telephone enquiry and complaint procedures
8. Data Subject/Individual rights
- 8.1. Under GDPR, data subjects have a number of rights, which are:
- 8.1.1. The right to be informed
- 8.1.2. The right of access
- 8.1.3. The right to rectification
- 8.1.4. The right to erasure
- 8.1.5. The right to restrict processing
- 8.1.6. The right to data portability
- 8.1.7. The right to object
- 8.1.8. Rights in relation to automated decision making and profiling.
9. Subject Access Request
- 9.1. GDPR and the DPA allow individuals to find out what information is held about them on computer and paper records. This is known as the ‘right of subject access’. Data subjects may ask for a copy of the information held about them.
- 9.2. All requests from data subjects for access to their personal data processed by LPF must be passed to the Data Protection Officer (DPO) who will coordinate data collection and respond to the request. The DPO should provide a copy of the information held in both manual and computerised systems; a description of why the information is processed; and whom the information may be passed to or seen by. The information provided should be easy to understand and any codes should be explained.
- 9.3. The DPO will reply within 40 calendar days after verifying the data subject’s identification and receiving the request. Where there is a danger that the DPO may not be able to respond within 40 days, the Board is to be advised immediately and wherever possible no later than the 20th day of processing the request.
- 9.4. A record of each request is to be maintained using the format at Appendix 2. The DPO is to ensure that the record is stored and available for inspection.
- 9.5. No attempt is to be made by LPF to subvert, destroy or deny personal data, which is the subject of an access request.
- 9.6. If, in the course of normal business, it is necessary to amend personal data (by addition or deletion) whilst a subject access request is being processed, it is permissible to provide the data subject with the amended data but only where the amendment would have been made regardless of the subject access request. In other words, data cannot be altered after a request has been received in order to obfuscate the objectives of the request.
- 9.7. LPF recognises that it does not have to comply with a subject access request where the disclosure of such information is likely to result in another data subject being identified. In such cases LPF will refuse access unless:
- 9.7.1. The third party has consented to the disclosure of the information to the person making the request, or
- 9.7.2. It is reasonable and lawful to comply with the request without the consent of the third party
- 9.8. Where the DPO considers that provision of the data would result in effort that was disproportionate to the benefit to be derived by the data subject, the Board is to be notified immediately so that an assessment can be made. The onus is on the Data Controllers to be able to show that the effort was disproportionate.
10. Data Protection Officer and other roles
- 10.1. The Chief Executive at LPF is the nominated Data Protection Officer, and all formal requests and enquiries should be made directly via info@levelplayingfield.org.uk.
- 10.2. The LPF ‘office administrator’ will hold the position of data processor and, under guidance from the DPO, will carry out clerical and administrative duties in line with key legal duties.
Appendix 1
What are the lawful bases for processing? Schedules 2 & 3
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- (d) Vital interests: the processing is necessary to protect someone’s life.
- (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Schedule 2 :- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/?q=best+practice
Schedule 3 :- https://www.legislation.gov.uk/ukpga/1998/29/schedule/3