1. About this Policy
1.1 This Policy is to help clubs, County
Football Associations and football leagues deal with data protection matters
internally. This should be kept with other club / County Football Association /
football league policies and a copy should be given (or made available) to all
staff members, volunteers and others who come into contact with personal data
during the course of their involvement with the club / County Football
Association / football league.
1.2 The Northamptonshire Combination
Football League (the League) handles personal data about current, former, and on
occasion prospective players, employees, volunteers, committee members, other
members, referees, coaches, managers, contractors, third parties, suppliers,
and any other individuals that we communicate with.
1.3 In your official capacity within the
League, you may process personal data on our behalf and we will process
personal data about you. We recognise the need to treat all personal data in an
appropriate and lawful manner, in accordance with the EU General Data
Protection Regulation 2016/679 (GDPR).
1.4 Correct and lawful treatment of this
data will maintain confidence in the League, and protect the rights of players
and any other individuals associated with the League. This Policy sets out our
data protection responsibilities and highlights the obligations of the League,
which means the obligations of our employees, committee, volunteers, members,
and any other contractor or legal or natural individual or organisation acting
for or on behalf of the League.
1.5 You are obliged to comply with this
policy when processing personal data on behalf of the League, and this policy
will help you to understand how to handle personal data.
1.6 The League will be responsible for
ensuring compliance with this Policy. Any questions about this Policy or data
protection concerns should be referred to the Management Board.
1.7 We process volunteer, member,
referee, coach, manager, contractor, committee, supplier and third party
personal data for administrative and League management purposes. Our purpose
for holding this personal data is to be able to contact relevant individuals on
League business and our legal basis for processing your personal data in this
way is the contractual relationship we have with you. We will keep this data
for 12 (twelve) months after the end of your official relationship with the
League, unless required otherwise by law and / or regulatory requirements. If
you do not provide your personal data for this purpose, you will not be able to
carry out your role or the obligations of your contract with the League.
1.8 All the key definitions under GDPR
can be found in the Fact Sheets produced by Muckle LLP.
2. What we need from you
2.1 To assist with our compliance with
GDPR we will need you to comply with the terms of this policy. We have set out
the key guidance in this section but please do read the full policy carefully.
2.2 Please help us to comply with the
data protection principles (set out briefly in section 3 of this policy and in
further detail below):
2.2.1 Please ensure that you only
process data in accordance with our transparent processing as set out in our
Privacy notice;
2.2.2 Please only process personal data
for the purposes for which we have collected it (i.e. if you want to do
something different with it then please speak to the League Secretary first);
2.2.3 Please do not ask for further
information about players and / or members and / or staff and / or volunteers
without first checking with the League Secretary;
2.2.4 If you are asked to correct an
individual’s personal data, please make sure that you can identify that
individual and, where you have been able to identify them, make the relevant
updates on our records and systems;
2.2.5 Please comply with our retention
periods listed in our Privacy Notice and make sure that if you still have
information which falls outside of those dates, that you delete/destroy it
securely;
2.2.6 Please treat all personal data as
confidential. If it is stored in electronic format then please consider whether
the documents themselves should be password protected or whether your personal
computer is password protected and whether you can limit the number of people
who have access to the information. Please also consider the security levels of
any cloud storage provider (and see below). If it is stored in hard copy format
then please make sure it is locked away safely and is not kept in a car
overnight or disposed of in a public place;
2.2.7 If you are looking at using a new
electronic system for the storage of information, please talk to the League
Secretary first so that we can decide whether such a system is appropriately
secure and complies with GDPR;
2.2.8 If you are planning on sharing
personal data with anybody new or with a party outside the FA structure then
please speak to the League Secretary before doing so, who will be able to check
that the correct contractual provisions are in place and that we have a lawful
basis to share the information;
2.2.9 If you receive a subject access
request (or you think somebody is making a subject access request for access to
the information we hold on them) then please tell the League Secretary as soon as
possible because we have strict timelines in which to comply;
2.2.10 If you think there has been a
data breach (for example you have lost personal data or a personal device which
contains personal data or you have been informed that a coach has done so, or
you have sent an email and openly copied all contacts in rather than using blind
copy) then please speak to the League Secretary who will be able to help you to
respond.
If you have any questions at any time
then please just ask the League Secretary. We are here to help.
3. Data protection principles
3.1 Anyone processing personal data must
comply with the enforceable principles of data protection. Personal data must
be:
3.1.1 processed lawfully, fairly and in
a transparent manner;
3.1.2 collected for only specified,
explicit and legitimate purposes;
3.1.3 adequate, relevant and limited to
what is necessary for the purpose(s) for which it is processed;
3.1.4 accurate and, where necessary,
kept up to date;
3.1.5 kept in a form which permits
identification of individuals for no longer than is necessary for the
purpose(s) for which it is processed;
3.1.6 processed in a manner that ensures
its security by appropriate technical and organisational measures to protect
against unauthorised or unlawful processing and against accidental loss,
destruction or damage.
3.2 We are responsible for and must be
able to demonstrate compliance with the data protection principles listed
above.
4. Fair and lawful processing
4.1 This Policy aims to ensure that our
data processing is done fairly and without adversely affecting the rights of
the individual.
4.2 Lawful processing means data must be
processed on one of the legal bases set out in the GDPR. When special category
personal data is being processed, additional conditions must be met.
5. Processing for limited purposes
5.1 The League collects and processes
personal data. This is data we receive directly from an individual and data we
may receive from other sources.
5.2 We will only process personal data
for the purposes of the League as instructed by the Management Board, the
County FA or The FA, or as specifically permitted by the GDPR. We will let
individuals know what those purposes are when we first collect the data or as
soon as possible thereafter.
6. Consent
6.1 One of the lawful bases on which we
may be processing data is the individual’s consent.
6.2 An individual consents to us
processing their personal data if they clearly indicate specific and informed
agreement, either by a statement or positive action.
6.3 Individuals must be easily able to
withdraw their consent at any time and withdrawal must be promptly honoured.
Consents should be refreshed every season.
6.4 Explicit consent is usually required
for automated decision-making and for cross-border data transfers, and for
processing special category personal data. Where children are involved then the
consent must be in writing from a parent or guardian.
6.5 Where consent is our legal basis for
processing, we will need to keep records of when and how this consent was
captured.
6.6 Our Privacy Notice sets out the
lawful bases on which we process data of our players and members.
7. Notifying individuals
7.1 Where we collect personal data
directly from individuals, we will inform them about:
7.1.1 the purpose(s) for which we intend
to process that personal data;
7.1.2 the legal basis on which we are
processing that personal data;
7.1.3 where that legal basis is a
legitimate interest, what that legitimate interest is;
7.1.4 where that legal basis is
statutory or contractual, any possible consequences of failing to provide that
personal data;
7.1.5 the types of third parties, if
any, with which we will share that personal data, including any international
data transfers;
7.1.6 their rights as data subjects, and
how they can limit our use of their personal data;
7.1.7 the period for which data will be
stored and how that period is determined;
7.1.8 any automated decision-making
processing of that data and whether the data may be used for any further
processing, and what that further processing is.
7.2 If we receive personal data about an
individual from other sources, we will provide the above information as soon as
possible and let them know the source we received their personal data from.
7.3 We will also inform those whose
personal data we process that we, the League, are the data controller in regard
to that data, and which individual(s) in the League are responsible for data
protection.
8. Adequate, relevant and non-excessive
processing
8.1 We will only collect personal data
that is required for the specific purpose notified to the individual.
8.2 You may only process personal data
if required to do so in your official capacity with the League. You cannot
process personal data for any reason unrelated to your duties.
8.3 The League must ensure that when
personal data is no longer needed for specified purposes, it is deleted or
anonymised.
9. Accurate data
We will ensure that personal data we
hold is accurate and kept up to date. We will check the accuracy of any
personal data at the point of collection and at the start of each season. We
will take all reasonable steps to destroy or amend inaccurate or out-of-date
data.
10. Timely processing
We will not keep personal data longer
than is necessary for the purpose(s) for which it was collected. We will
take all reasonable steps to destroy or delete data which is no longer
required, as per our Privacy Notice.
11. Processing in line with data
subjects’ rights
11.1 As data subjects, all individuals
have the right to:
11.1.1 be informed of what personal data
is being processed;
11.1.2 request access to any data held
about them by a data controller;
11.1.3 object to processing of their
data for direct marketing purposes (including profiling);
11.1.4 ask to have inaccurate or
incomplete data rectified;
11.1.5 be forgotten (deletion or removal
of personal data);
11.1.6 restrict processing;
11.1.7 data portability; and
11.1.8 not be subject to a decision
which is based on automated processing.
11.2 The League is aware that not all
individuals’ rights are absolute, and any requests regarding the above should
be immediately reported to the Management Board, and if applicable escalated to
the appropriate County Football Association for guidance.
12. Data security
12.1 We will take appropriate security
measures against unlawful or unauthorised processing of personal data, and
against the accidental loss of, or damage to, personal data.
12.2 We have proportionate procedures
and technology to maintain the security of all personal data.
12.3 Personal data will only be
transferred to another party to process on our behalf (a data processor) where
we have a GDPR-compliant written contract in place with that data processor.
12.4 We will maintain data security by
protecting the confidentiality, integrity and availability of the personal
data.
12.5 Our security procedures include:
12.5.1 Entry controls. Any stranger seen
in entry-controlled areas should be reported.
12.5.2 Secure desks, cabinets and
cupboards. Desks and cupboards should be locked if they hold personal data.
12.5.3 Methods of disposal. Paper
documents should be shredded. Digital storage devices should be physically
destroyed.
12.5.4 Equipment. Screens and monitors
must not show personal data to passers-by, and should be locked when unattended.
Excel spreadsheets will be password protected.
12.5.5 Personal Devices. Anyone
accessing or processing the League’s personal data on their own device must
have and operate password-only access or a similar lock function, and should
have appropriate anti-virus protection. These devices must have the League’s
personal data removed prior to being replaced by a new device or prior to such
individual ceasing to work with or support the League.
13. Disclosure and sharing of personal
information
13.1 We share personal data with
appropriate County FAs and The FA, and with applicable leagues using Whole Game
System.
13.2 We may share personal data with
third parties or suppliers for the services they provide, and instruct them to
process our personal data on our behalf as data processors. Where we share data
with third parties, we will ensure we have a compliant written contract in
place incorporating the minimum data processor terms as set out in the GDPR,
which may be in the form of a supplier’s terms of service.
13.3 We may share personal data we hold
if we are under a duty to disclose or share an individual’s personal data in
order to comply with any legal obligation, or in order to enforce or apply any
contract with the individual or other agreements; or to protect our rights,
property, or safety of our employees, players, other individuals associated
with the League or others.
14. Transferring personal data to a
country outside the EEA
We may transfer any personal data we
hold to a country outside the European Economic Area (EEA), provided that one
of the appropriate safeguards applies.
15. Reporting a personal data breach
15.1 In the case of a breach of personal
data, we may need to notify the applicable regulatory body and the individual.
15.2 If you know or suspect that a
personal data breach has occurred, inform a member of the Management Board
immediately, who may need to escalate the matter to the appropriate County FA.
You should preserve all evidence relating to a potential personal data breach.
16. Dealing with subject access requests
16.1 Individuals may make a formal
request for information we hold about them. Anyone who receives such a request
should forward it to the League Secretary immediately and, where necessary,
escalate it to the appropriate County FA for guidance. Nobody should feel bullied
or pressured into disclosing personal information.
16.2 When receiving telephone enquiries,
we will only disclose personal data if we have checked the caller’s identity to
make sure they are entitled to it.
17. Accountability
17.1 The League must implement appropriate
technical and organisational measures to look after personal data, and is
responsible for, and must be able to demonstrate compliance with the data
protection principles.
17.2 The League must have adequate
resources and controls in place to ensure and to document GDPR compliance, such
as:
17.2.1 providing fair processing notice
to individuals at all points of data capture;
17.2.2 training committee and volunteers
on the GDPR, and this Data Protection Policy; and
17.2.3 reviewing the privacy measures
implemented by the League.
18. Changes to this policy
We reserve the right to change this
policy at any time. Where appropriate, we will notify you by email.