Under the previous data protection regime most organisations were required to register with the ICO as data controllers unless they were exempt. This has been replaced by a register of fee payers. Some organisations (including not-for-profit organisations that meet the ICO's exemption conditions) are exempt from paying a fee. For further information on this, check the ICO's website.
Created 17.06.2019, updated 17.06.2019.
Be honest and report it promptly to the club secretary or the officer responsible for the club's management systems and information. A loss of personal data is a personal data breach under the GDPR, but not every breach has to be notified to the ICO: notification is required only where the breach is likely to result in a risk to the individuals affected, and where it is required it must be made without undue delay and within 72 hours of the club becoming aware of the breach, which is why the club needs to hear about it quickly. For guidance on deciding whether a breach has occurred and whether it is reportable, see the ICO's website.
Created 17.06.2019, updated 17.06.2019.
Yes. Information about an individual's health is special category personal data, so explicit consent should be obtained before it is collected. That consent needs to cover both the processing of the special category data and any sharing of it, and it should say what the sharing is for, for example sharing with a coach for the purpose of performance analysis.
Created 17.06.2019, updated 17.06.2019.
Yes. We recommend getting consent for this, because the information will be put into the public domain.
Created 17.06.2019, updated 17.06.2019.
Certain individuals in your club will be designated points of contact, for example the coach or the welfare officer. It is acceptable to share their contact details with parents, provided that this is explained to those key contacts in advance and confirmed in writing in the club's privacy notice.
We recommend that club staff and committee members use a club email address for club business (an address of the form email@example.com rather than their personal email address). A club mailbox can be handed over when the role changes and does not mix club personal data with personal correspondence.
Created 17.06.2019, updated 17.06.2019.
Yes. Clubs should obtain consent for the club's use of any photo of a member. A photograph from which an individual can be identified is personal data.
Wavepower includes template consent forms for clubs to use for collecting consent on behalf of children. However, we recognise practical difficulties when clubs attend away events. Where an event organiser is capturing images or filming an event it may not be possible to obtain consent from all participants. A good practice approach would be to ensure that invited clubs are advised as early as possible of any filming or photography taking place so that they can then raise any concerns with the home club/event organiser and work together to address any concerns.
As well as official photographers, friends and family of children may wish to take photos to celebrate their sporting achievements. If photography is allowed in the venue, those taking photos of children should focus on their own family members and friends, and if other individuals are identifiable in those images, the images should not be shared on social media without the permission of the other identifiable individual(s).
Created 17.06.2019, updated 17.06.2019.
The club's privacy notice should explain to members how personal data is stored and used. Most of the processing carried out legitimately by clubs will relate to their normal day to day activities. It would not be in the club's legitimate interests to sell or pass on personal data to a third party marketing agency.
Created 17.06.2019, updated 17.06.2019.
When an officer or volunteer stands down, their access to the club's management systems should be removed, and any club personal data they hold should be deleted or returned to the club or their successor (how this is done will depend on the software the club uses). This does not apply to contact details of friends and colleagues made at the club that are held in a personal rather than a club capacity.
Created 17.06.2019, updated 17.06.2019.
Yes, provided the device is password protected and access is restricted to the individuals who need it to carry out club activities. A password alone does not protect the data if a laptop, phone or USB stick is lost or stolen, so we also recommend that such devices are encrypted (most modern operating systems include full-disk encryption). When sharing files containing personal data by email, the files should be encrypted.
Created 17.06.2019, updated 17.06.2019.
If another member is covering an activity, they may need one-off access to personal data in case of emergency. Some clubs give that person keys to a secure filing cabinet, access to the online management system (ideally a login of their own that can be removed afterwards, rather than a shared password), or the contact details of the person who does have the information. Whatever process the club puts in place, committee members should be discouraged from creating their own contact lists or spreadsheets. Best practice is to keep the information central in the club's online management system, so that access can be granted and withdrawn in one place.
Created 17.06.2019, updated 17.06.2019.
Personal data should be kept only for as long as it is needed for the purpose it was collected for, and the retention period should be stated in your privacy notice. For further guidance see the Sport and Recreation Alliance Toolkit.
Created 17.06.2019, updated 17.06.2019.
- Limited personal or sensitive data can be sent by ordinary post, but significant material, including social care or health information, must be sent by special delivery;
- Large parcels of personal and sensitive information, such as case files, should be double wrapped and sent by tracked special delivery or by bonded courier;
- Include a return address on the envelope;
- Label envelopes and packets 'For Addressee only'.
Created 09.09.2019, updated 09.09.2019.
There are many instances where sending personal details by fax has proven to be insecure. All other methods of sending the data should be investigated before fax is considered.
Personal and sensitive material should not be sent by fax unless it is absolutely unavoidable, but if it is necessary you should:
- Ensure that a trusted recipient is waiting at the other end of the fax line;
- Send a preliminary test page to check that the fax number is correct;
- Use the 'page X of Y' function on each page so the recipient can check that the entire document arrived;
- Check that any stored speed-dial (autocode) number is correct for the recipient.
Created 09.09.2019, updated 09.09.2019.
Under Article 39 of the GDPR, it is a statutory responsibility of the DPO to monitor the compliance of the organisation they are acting for.
See the ICO’s tasks for Data Protection Officers.
Created 09.09.2019, updated 09.09.2019.
Senders and intended recipients of personal or sensitive information must make sure the data is transferred using appropriate security measures. Both parties must comply with data protection legislation on security and ensure that adequate arrangements are in place to protect the confidentiality and integrity of the information.
If you do not have access to a secure email service, then when sending sensitive data to an email account you have not used before (or in a new email thread), put the personal data in a password-protected document and attach that, rather than writing it in the body of the email. Send the password by a different route, such as a phone call or text message; if that is not possible, send it in a separate email, and never in the same email as the document. A password sent to the same mailbox adds little if that mailbox is what has been compromised; it mainly guards against a misaddressed email.
Created 09.09.2019, updated 09.09.2019.
To password protect an Office document:
1. Open the document.
2. Click the File menu.
3. Click Protect Document.
4. Click Encrypt with Password.
5. Choose a long, unpredictable password (a passphrase of several random words works well) and record it somewhere secure, such as a password manager. Anyone who obtains the file can try passwords against it offline, so a short or guessable password gives little protection.
6. Type it into both boxes (the second box confirms it).
7. Tell the recipient the password, preferably by a different route than email, e.g. phone them, or triple-check the email address; do not send the password in the same email as the document!
8. Send the document in a different email.
9. You can use the same password for several documents shared with the same person, if you have verified that person's identity.
Save the document in the modern format (.docx, .xlsx, .pptx) before encrypting it. The encryption used for those formats is much stronger than the password protection of the legacy .doc and .xls formats, which can be broken with readily available tools.
Created 09.09.2019, updated 09.09.2019.
Encryption in transit, which is what most 'secure email' services provide, protects the email while it is passing from your email system to the recipient's email system.
In other words, if someone tries to intercept it on the way, they cannot read the contents. End-to-end encryption goes further: the content is encrypted so that only the sender and the intended recipient can read it, and not the mail servers in between. Most club email does not have this.
What neither kind of encryption does is protect the contents of the email if you send it to the wrong recipient. That is where password protection comes in. Password protection is a simple security measure that does what it says on the tin: it protects the contents with a password.
So instead of putting confidential information in the body of the email, you put it in a Word document or PDF, password protect (encrypt) that document and then attach it to an email. That way, if you send it to the wrong person, they do not have the password to open it, provided the password was sent by a different route and is strong enough to resist guessing.
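The password-protection steps above and this explanation both rest on one thing: the attachment that actually leaves the club must be the encrypted one, not the working copy. The following is an added example, not part of the original FAQ, of a pre-send check a club could run on an attachment. It assumes (as documented in Microsoft's MS-OFFCRYPTO specification) that a modern Office document saved with "Encrypt with Password" is an OLE2 compound file whose directory contains an "EncryptedPackage" stream, and that an unencrypted .docx/.xlsx/.pptx is a plain ZIP archive. The EncryptedPackage test is a byte-scan heuristic rather than a full compound-file parse, and the sample files in the block are constructed in memory, not real club documents. The check confirms that the container is the encrypted kind; it says nothing about whether the password chosen is strong.

```python
"""Pre-send check: is this Office attachment actually encrypted?

Added example (not from the original FAQ). Inspects the file bytes rather
than trusting the filename. Assumptions, per MS-OFFCRYPTO:
  - "Encrypt with Password" output is an OLE2 compound file containing an
    "EncryptedPackage" stream (directory names are stored as UTF-16LE);
  - an unencrypted OOXML document is a ZIP archive with [Content_Types].xml.
The EncryptedPackage test is a heuristic byte scan, not a full OLE2 parse.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE2 directory entries store stream names as UTF-16LE.
ENCRYPTED_PACKAGE_NAME = "EncryptedPackage".encode("utf-16-le")


def classify_office_file(data: bytes) -> str:
    """Return one of:
    'encrypted-ooxml' - OLE2 wrapper with an EncryptedPackage stream: OK to send
    'plain-ooxml'     - unencrypted ZIP-based Office document: NOT protected
    'ole2-other'      - OLE2 file without EncryptedPackage (e.g. legacy .doc/.xls,
                        whose old password scheme is weak): inspect manually
    'unknown'         - not an Office container
    """
    if data.startswith(OLE2_MAGIC):
        return "encrypted-ooxml" if ENCRYPTED_PACKAGE_NAME in data else "ole2-other"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # If the content-types manifest is listable, the whole package body
        # is readable by anyone who receives the file.
        if "[Content_Types].xml" in names:
            return "plain-ooxml"
        return "unknown"
    return "unknown"


def safe_to_attach(data: bytes) -> bool:
    """The gate a sending script applies: only an encrypted package passes."""
    return classify_office_file(data) == "encrypted-ooxml"


# --- constructed sample inputs (not real club files) ---

def build_plain_docx() -> bytes:
    """Minimal unencrypted OOXML skeleton built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types/>')
        zf.writestr("word/document.xml",
                    "<w:document>member name, date of birth, medical notes</w:document>")
    return buf.getvalue()


def build_fake_encrypted_docx() -> bytes:
    """Stand-in for an Office-encrypted file: OLE2 header sector followed by
    directory-style UTF-16LE stream names. Enough to exercise the heuristic;
    it is not a valid compound file that Office could open."""
    header = OLE2_MAGIC + b"\x00" * 504  # pad to one 512-byte header sector
    directory = "EncryptionInfo".encode("utf-16-le") + b"\x00" * 40
    directory += ENCRYPTED_PACKAGE_NAME + b"\x00" * 40
    return header + directory


if __name__ == "__main__":
    samples = [("plain docx", build_plain_docx()),
               ("encrypted docx", build_fake_encrypted_docx()),
               ("text file", b"hello")]
    for label, blob in samples:
        verdict = classify_office_file(blob)
        print(f"{label:15s} -> {verdict:16s} send? {safe_to_attach(blob)}")
```

Run it against a real file with `classify_office_file(open(path, "rb").read())`; a result of 'plain-ooxml' means the working copy was attached instead of the encrypted one, and 'ole2-other' means a legacy-format file whose protection should not be relied on.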
Created 09.09.2019, updated 09.09.2019.
You give them the honest answer: 'We only hold data for X years in accordance with our retention and destruction policy.'
As long as your retention and destruction policy is reasonable and you actually follow it, you are in a defensible position. The exposure comes from holding data for longer than the policy says, or from having no policy at all.
Created 09.09.2019, updated 09.09.2019.
There is no problem with doing so, as long as you destroy the documents once receipt has been acknowledged. After all, what is your lawful basis for processing the data of children who are no longer members of your club?
There may be occasional exceptions, such as an ongoing complaint, that give you a lawful basis for keeping those documents for a further period. If so, remember that when that purpose ends, so does your lawful basis for processing.
Created 09.09.2019, updated 09.09.2019.
This depends partly on whether the consent you obtained complied with the requirements of the GDPR.
If it did, you can still rely on it.
If it did not, you need to consider whether the members and parents you can identify in the photos should be approached for fresh, GDPR-compliant consent.
Created 09.09.2019, updated 09.09.2019.
The ICO has updated its guidance on response times for Subject Access Requests (SARs). The one-month deadline for responding is now calculated from the day of receipt, not the day after receipt.
"Following a Court of Justice of the European Union (CJEU) ruling, the ICO has updated its guidance around how long an organisation has to respond to a subject access request (SAR).
The guidance stated that SARs must be responded to within one calendar month, with the day after receipt counting as 'day one'. This has now changed.
'Day one' is now the day of receipt - for example, a SAR received on 3 September should now be responded to by 3 October."
Created 09.09.2019, updated 09.09.2019.
The main actions to take are:
- Evaluate where you send data into or out of the EU for processing, e.g. identify where online providers store your personal data by looking at the terms and conditions of your contracts. Is it in the UK or the EU?
- Check that your contracts with providers that process personal data in the EU "provide the additional safeguards required". In most cases you will be sharing some information with providers that counts as a 'restricted transfer' under the GDPR, and in the event of a no-deal Brexit you should check whether standard contractual clauses apply (the ICO publishes guidance on these).
- Review your privacy notices and data protection impact assessments (DPIAs) to ensure they are up to date and reflect any changes made to the way you work.
In the event of a no-deal Brexit, the GDPR will be incorporated into UK law and the Data Protection Act 2018 will continue to apply to data transferred within or from the UK. The UK will become a 'third country' outside the scope of the EU GDPR rules, so data coming into the UK from the EU will not be allowed to flow unless safeguards such as standard contractual clauses are in place.
In all cases, we advise clubs to prepare by assessing risk: which services do you use where data comes in from the EU? How sensitive is the data processed by that service? Prioritise the most sensitive services first and examine the contract you hold with them.
Created 09.09.2019, updated 09.09.2019.