Data Protection Policy

March 2023

1.0 Introduction

A Data Protection Policy has been produced to ensure compliance with the General Data Protection Regulation (GDPR) and associated legislation and incorporates guidance from the Information Commissioner’s Office (ICO).
The Data Protection Policy gives individuals rights over their personal data and protects individuals from the erroneous use of their personal data.

2.0 Purpose
This Data Protection Policy has been produced to ensure its compliance with the GDPR laws brought into place in 2018.
The Policy incorporates guidance from the ICO and outlines the overall approach of Backworth Golf Club (BGC) to GDPR, including its responsibilities and individuals’ rights.

3.0 Scope
This Policy applies to all BGC officials (including temporary staff and contractors, consultants and suppliers working for, or on behalf of, BGC).

The Policy also covers any staff who may be involved in research or other activity that requires them to process or have access to personal data, for instance as part of a research project or as part of professional practice activities.

If this occurs, it is the responsibility of BGC to ensure the data is processed in accordance with GDPR and that officials are advised about their responsibilities.

4.0 Data covered by the Policy
A detailed description of this definition is available from the ICO; briefly, however, personal data is information relating to an individual where the structure of the data allows the information to be accessed, i.e. as part of a relevant filing system. This includes data held manually and electronically and data compiled, stored or otherwise processed by BGC.
Special category data is personal data consisting of information relating to, but not limited to, the following:
• postal and email addresses
• financial data (bank accounts, credit or debit card details)
• correspondence relating to the above

5.0 The Six Data Protection Principles
GDPR requires BGC, its officials and others who process or use any personal information to comply with the six data protection principles.
The principles require that personal data shall be:
1) processed lawfully, fairly and in a transparent manner in relation to individuals;
2) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4) accurate and, where necessary, kept up to date;
5) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
6) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6.0 Responsibilities
BGC will appoint a Data Protection Officer to handle day-to-day issues which arise, and to provide members and officials with guidance on Data Protection issues to ensure they are aware of their obligations.

All current and new officials will be required to read this procedure and acknowledge acceptance of compliance.

The BGC hon secretary, handicap secretary and treasurer will be the only club officials with administrative access to any email and handicap system. The majority of roles within BGC involve using these systems.

Members’ sensitive and financial data and information are controlled by Backworth Miners Welfare Charity, as BGC is a subsection of the charity and therefore has no involvement in the financial aspects of the charity functionally.

Therefore, BGC officials must ask the Data Protection Officer or any authorised official if they require use of applications or programmes involving BGC information.

All BGC officials are expected to:
• Familiarise themselves and comply with the six data protection principles.
• Ensure any possession of personal data is accurate and up to date.
• Ensure their own personal information is accurate and up to date.
• Keep personal data for no longer than is necessary in line with retention guidelines.
• Ensure that any personal data they possess is secure and in compliance with any BGC related policies.
• Acknowledge data subjects’ rights (e.g. right of access to all their personal data held by BGC) under GDPR, and comply with access to those records.
• Ensure personal data is only used for those specified purposes and is not unlawfully used for any other business that does not concern BGC.
• Obtain consent when collecting, sharing or disclosing personal data.
• When storing data on any portable computer system, mobile device, memory stick or any other removable media, staff must ensure:

I. The data must be password protected.
II. The device must be password protected (memory sticks/cards and other mobile devices cannot be password protected; officials have the responsibility to check anything they may use).
III. The device must offer approved virus and malware checking software.
IV. The data must be securely deleted in line with current policy (below) once it has been transferred or its use is complete.
V. When sending information to multiple recipients, the ‘bcc’ option on e-mails must be selected so as not to make public members’ e-mail addresses.
VI. Contact the Data Protection Officer for any concerns or doubt relating to data protection to avoid any infringements of GDPR 2018.

8.0 Retention, Security and Disposal
Officials responsible for the processing and management of data need to ensure that the data is accurate and up to date. If an official or member is dissatisfied with the accuracy of their personal data, then they must inform the Data Protection Officer.

Personal information held in paper and electronic format shall not be retained for longer than is necessary. In accordance with Article 5 of the General Data Protection Regulation, personal information shall be collected and retained only for business, regulatory or legal purposes.

In accordance with the provisions of the GDPR, all officials whose work involves processing personal data, whether in electronic or paper format, must take personal responsibility for its secure storage and ensure appropriate measures are in place to prevent accidental loss or destruction of, or damage to, personal data.

Officials working from home will be responsible for ensuring that personal data is stored securely and is not accessible to others.
BGC advises that no data is stored on any home device, but officials are expected to follow the guidelines outlined above in Section 6.

Personal data in paper format must be shredded or disposed of in a secure manner.
Personal data held in electronic format should be deleted

9.0 Data Subjects’ Right of Access (Subject Access Requests)
Under GDPR, individuals have the right of access to their personal data held by BGC. This applies to data held in both paper and electronic format, and within a relevant filing system.

Any individual who wishes to exercise this right should make the request in writing by contacting the Data Protection Officer. BGC will only release information upon receipt of a written request along with proof of identity, or proof of authorisation where requests are made on behalf of a data subject by a third party.

BGC is a part of a charitable Trust which may access data relating to the membership.

10.0 Reporting a Data Security Breach
It is important that BGC responds to a data security breach quickly and effectively. A breach may arise from a theft, a deliberate attack on BGC systems, an unauthorised use of personal data, accidental loss or equipment failure.
Any data breach should be reported to the Data Protection Officer (DPO). Any breach will be investigated in line with the procedures within the GDPR. BGC will treat any breach as a serious issue. Each incident will be investigated and judged on its individual circumstances and addressed accordingly with a report filed.

11.0 Risk Assessment Procedures
Following every incident, a risk assessment will be carried out by the DPO. The areas of risk assessed are outlined within the data breach report form. In short, these include:
• result in discrimination;
• damage to reputation;
• financial loss;
• loss of confidentiality or any other significant economic or social disadvantage;
Any score showing below and up to 25% of the total is deemed as non-reportable. Any results above should be referred to the ICO for advice.