OLDHAM ROCHDALE BADMINTON LEAGUE (ORBL) DATA PROTECTION POLICY
- ORBL (“we“, “our” and “us“) is a voluntary umbrella member organisation for the sport of badminton in Oldham and Rochdale. In order to provide our services, we are required to collect, process, use and retain certain personal data for a variety of business purposes.
- All of the personal data we process relates to our members of the league.
- This data protection policy (“Policy“) applies to all of our volunteers whose work involves processing personal data. They must read, understand and comply with this Policy when processing personal data on members behalf. They must protect the data handled in accordance with this Policy and any applicable data security procedures at all times.
- This Policy sets out what is expect from volunteers in order for us to comply with applicable Data Protection Laws (as defined below). Compliance with this Policy and all related policies and guidelines is mandatory. Any breach of this Policy may result in actions by the general committee.
- About the Policy
- This Policy describes how personal data must be collected, handled and stored to meet the leagues data protection standards and to comply with all applicable laws and regulations relating to processing of personal data and privacy, including without limitation the General Data Protection Regulation (“GDPR“) and any other data protection legislation in force from time to time (as applicable) and including where applicable the guidance and codes of practice issued by the Information Commissioner or any other relevant regulator (“Data Protection Laws“).
- This Policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
- The league comittee is responsible for ensuring compliance with applicable Data Protection Laws and with this Policy. Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to league secretary or any member of the league committee.
- Definitions of Data Protection Terms
“data controller” means the organisations that determines the purposes and means of the processing of personal data. We are the data controller of all personal data used in our league for the purposes of managing the league.
“data breach” or “breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“data processor” means an organisation or individual which processes personal data on behalf of the league.
“data subjects” for the purpose of this Policy means all living individuals about whom ORBL holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
“personal data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (NI number), location data, online identifier (IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
“processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“sensitive personal data” are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data (e.g. DNA, finger prints etc.).
“the consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
- Scope and Objectives of Policy
- The Policy applies to personal data in all its forms whether on paper or stored electronically. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of applicable Data Protection Laws or our contractual obligations.
- The Policy will ensure that ORBL:
- Complies with applicable Data Protection Laws and follows good practice;
- Protects the rights of its members;
- Is transparent about how it stores and processes personal data; and
- Protects itself from the risks of a data breach or other unlawful processing of personal data.
- Data Protection Laws
- The Data Protection Laws describe how we must collect, handle and store personal data and these rules apply regardless of whether data is stored electronically or in paper format.
- Anyone processing personal data must comply with the enforceable principles of good practice. These include, but are not limited to, that personal data must:
- Be processed fairly and lawfully (lawfulness, fairness and transparency);
- Be collected only for specific and lawful purposes and not processed in a manner that is incompatible with those purposes (purpose limitation);
- Be adequate, relevant and limited to what is necessary for the purposes it is collected (data minimisation);
- Be accurate and kept up to date (accuracy);
- Not be held for longer than is necessary for the purposes it is collected (storage limitation);
- Be processed in accordance with the data subject’s rights;
- Be processed in a manner that ensures appropriate security (integrity and confidentiality); and
- Not be transferred to a country or a territory outside the European Economic Area (“EEA“) unless that country or territory ensures an adequate level of protection.
- Where we process personal data we are responsible for demonstrating compliance (accountability) with the principles set out in section 5.2 above.
- Whilst the League Committee is ultimately responsible for ensuring that ORBL meets its legal obligations under applicable Data Protection Laws, individual volunteers are responsible for compliance with applicable Data Protection Laws.
- Harry Buckley is responsible for ensuring the security and integrity of our web site.
- All ORBL officers are responsible for:
- Keeping all personal as well as business critical and potentially sensitive data secure by taking sensible precautions and following the guidelines in this Policy;
- Compliance with the Data Breach Policy;
- Requesting guidance from the Data Protection Officer if unsure of any aspect of data protection;
- Keeping updated about data protection risks and issues;
- Reviewing and updating all data protection procedures and related policies, in line with legal requirements;
- Referring requests received from data subjects exercising their rights under applicable Data Protection Laws (see section 11 ‘Processing in line with Data Subject’s Rights’ below) to the Data Protection Officer immediately;
- Fair and Lawful Processing
- Data Protection Laws are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
- For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out under applicable Data Protection Laws. These include, among other things, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met.
- We only process personal data during the course of our business on the basis that the processing is necessary for the efficient operation of the badminton league.
- Our privacy notices explain the legal basis on which we process personal data. A version of our privacy notice is available on our website.
- Processing for Limited Purposes
- We will only process personal data for specified, explicit and legitimate purposes, or for any other purposes specifically permitted by applicable Data Protection Laws. We will not undertake further processing in any manner incompatible with those purposes, and will not use it for new, different or incompatible purposes from that disclosed when it was first obtained, unless you have informed the data subject of the new purposes, and they have consented (if necessary).
- We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter, and such purposes may include (amongst others):
- Ensuring only registered players take part in league matches
- Ensuring that team score cards comply with the league rules in relation to registered players and teams
- Providing contact details on the ORBL web site to enable teams to efficiently communicate with each other
- Efficiently communicating by e-mail to members of the league
- Compliance with our legal, regulatory and corporate governance obligations and good practice;
- Providing information
- In the course of our business, we may collect and process personal data. This may include data we receive directly from a data subject (for example, when a team or individual becomes a registered player.)
- If we collect personal data directly from data subjects, we shall ensure that data subjects are aware that their data is being processed, and that they understand the purposes and lawful basis for which it is processed, the legitimate interests of ORBL, any recipients or transfers of their data, the retention periods for their data and the existence of each of their rights in respect of such data.
- If we collect personal data from a third party about a data subject, we will provide the data subject with the above information as soon as possible, and provide any additional information as prescribed by applicable Data Protection Laws.
- To assist with our compliance of the above requirements, we have privacy statements setting out how we use personal data relating to data subjects (see section 7.4 above).
- Adequate, Relevant and Non-Excessive Processing
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject. As such, we will not process personal data obtained for one purpose for any unconnected purpose unless the data subject concerned has agreed to this or would otherwise reasonably expect this.
- Data Accuracy
- If we receive a request to update or correct any personal data we hold, and provided we have authenticated the identity of the data subject in question, we will take all reasonable steps to ensure that personal data we hold is accurate and kept up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
- We will take reasonable steps to ensure that personal data is kept as accurate and up to date as possible and personal data should be updated as inaccuracies are discovered. For example, if an e-mail address is no longer in service, it should be removed from the database.
- Data subjects may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the league secretary promptly.
- Processing in line with Data Subject’s Rights
- We will process all personal data in line with data subjects’ rights to and in connection with their personal data in accordance with the Data Protection Laws.
- If a data subject makes a request (written or otherwise) to exercise any right (or purported right) in respect of their personal data, you should immediately forward it to the league secretary. Committee members should not in any circumstances be bullied into disclosing personal information.
- The league secretary will handle the response to the request and ensure that the identity of anyone making a request has been adequately verified before handing over any information.
- Any complaints received from a data subject should be escalated to the league secretary immediately.
- Data Retention
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected, and all personal data will be held in accordance with our data retention policy.
- Data Security
- We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. We have put in place procedures and technologies appropriate to our size, scope and business, our available resources and the amount of personal data that we process. These measures will maintain the security of all personal data from the point of collection to the point of destruction.
- Sharing personal data
- If we share personal data with third parties, we will do so in line with applicable Data Protection Laws.
- Data Storage
- Personal data should be stored electronically whenever possible and the recording of personal data in paper format should be kept to a minimum. In circumstances where personal data is recorded in paper format eg scorecards and registration forms, it will be kept in a secure place to prevent unauthorised access to such personal data by unauthorised persons.
- Changes to this Policy
We reserve the right to change this Policy at any time. Where appropriate, we will notify you of those changes by mail or email.
Please refer questions to the league secretary