Data Management Policy
Introduction
ART Football needs to gather and use certain information about individuals. This can include clients, contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the organisation’s data protection standards and to comply with the law.
This data management policy ensures ART Football
- complies with data protection law and follows good practice
- protects the rights of clients, staff and partners
- is transparent about how it stores and processes individuals’ data
- protects itself from the risks of a data breach
Data protection law
The UK General Data Protection Regulation (GDPR) applies in the UK. It outlines that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what’s necessary in relation to the purposes for which they’re processed.
- Accurate and, where necessary, kept up to date.
- Protected – every reasonable step must be taken to ensure that personal data that’s inaccurate, having regard to the purposes for which they’re processed, is erased or rectified without delay.
- Kept in a form that permits identification of data subjects for no longer than is necessary, and for the purposes for which the personal data is processed (personal).
- Stored for longer periods. For example, the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This will also be subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Managed by a controller responsible for, and be able to demonstrate, compliance with the principles.
People and responsibilities
Everyone at ART Football contributes to compliance with UK GDPR. Key decision-makers must understand the requirements and accountability of the organisation to prioritise and support the implementation of compliance. The Director is responsible for:
- Keeping senior management and the board updated about data protection issues, risks and responsibilities.
- Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule.
- Embedding ongoing privacy measures into policies and day-to-day activities, throughout the organisation. The policies themselves will stand as proof of compliance.
- Sharing the policy across the organisation, and arranging training and advice for staff.
- Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters.
- Checking and approving contracts or agreements with third parties that may handle the organisation’s sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software are functioning properly.
- Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
- Developing privacy notices to reflect a lawful basis for fair processing, ensuring that intended uses are clearly articulated. This will also ensure that data subjects understand how they can give or withdraw consent, or exercise their rights in relation to the company’s use of their data.
- Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the UK GDPR principles.
Data Protection Officer (DPO), the person responsible for fulfilling the tasks of the DPO in respect of ART Football is Miguel De’Souza, Director.
Under UK GDPR organisations in certain circumstances are required to appoint a DPO. However, regardless of whether the UK GDPR requires a DPO, you must ensure that your organisation has sufficient staff and skills to carry out your requirements under the UK GDPR.
Best practice dictates that, regardless of individual circumstances, organisations should appoint a named individual as DPO to lead on ensuring that data protection requirements are met. The minimum tasks of the DPO are to:
- inform and advise the organisation and its employees about their obligations to comply with UK GDPR and other data protection laws
- monitor compliance with UK GDPR and other data protection laws – including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
- be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients)
Scope of personal information to be processed
The scope of the data we process:
- names of individuals
- postal addresses of individuals
- email addresses
- telephone numbers
- online identifiers
- Relevant health information relating to individuals
- Info as to football teams, or other sports teams, previously played for
- The Data is secured electronically by ART Football.
- We review data to ensure the data is relevant to the purpose, not excessive, up-to-date and not kept for longer than is necessary.
Annually relevant data will be checked against industry suppression files, such as the:
- telephone preference service
- mailing preference service
Details of any sensitive special categories of personal information that it’s necessary for ART Football to process:
- Info regarding health and fitness. We respect the rights and freedoms of the individuals to whom it relates and will delete this info immediately upon request.
- Info will be deleted 1 year after your relationship with ART Football ends.
Uses and conditions for processing
Processing your data allows us to contact you and liaise with you for purposes of providing information as to teaching or coaching.
Processing your data allows us to provide teaching or coaching services.
Data to be processed Conditions for processing Evidence for lawful basis
Consent
We review our processes and systems to make sure that consent is freely and unambiguously given for specific purposes.
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) or also known as Data Protection Impact Assessments (DPIAs) form an integral part of taking a privacy by design and best practice approach.
There are certain circumstances where organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information.
An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
PIAs undertaken by your company may be detailed here, or else referenced here and presented as an appendix to this data management policy document. The DPIA should
Contain:
- a description of the processing operations and the purposes – including, where applicable, the legitimate interests pursued by the controller
- an assessment of the necessity and proportionality of the processing in relation to the purpose
- an assessment of the risks to individuals
- the measures in place to address risk, including security and to demonstrate that you comply
- a DPIA can address more than one project
Data Sharing
We do not share your data with third parties without your express permission.
Security measures
Information is secured on our electronic system to protect the personal information, any breaches of security would be reported to you and to the ICO.
Subject access requests
All individuals who are the subject of data held by us are entitled to:
- ask what information the company holds about them and why
- ask how to gain access to it
- be informed how to keep it up to date
- be informed how the company is meeting its data protection obligations
Simply contact us in writing to begin the request process.
The right to be forgotten
In certain circumstances, subjects have the right to be deleted from your database. We do so after 1 yea and would do so sooner upon written request.
ART Football aims to ensure that individuals are aware that their data is being processed, and that they understand:
- who is processing their data
- what data is involved
- the purpose for processing that data
- the outcomes of data processing
- how to exercise their rights
The company has a privacy statement, setting out how data relating to these individuals is used by the company. This can be viewed on our website.
Ongoing documentation of measures to ensure compliance
Meeting the obligations of the UK GDPR to ensure compliance will be an ongoing process. ART Football details here the ongoing measures implemented to:
- maintain documentation/evidence of the privacy measures implemented and records of compliance
- regularly test the privacy measures implemented and maintain records of the testing and outcomes
- use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts
keep records showing training of employees on privacy and data protection matters
