IOW DFA Data Protection Policy
1.1
The Isle of Wight Divisional Football Association
(the DFA) handles personal data about players, volunteers, council &
committee members, referees, third parties, suppliers, and any other
individual that we communicate with.
1.2
In your official capacity with the DFA you may
process personal data on our behalf and we will process personal
data about you. We recognise the need to treat all personal data in
an appropriate and lawful manner, in accordance with the EU General
Data Protection Regulation 2016/679 (GDPR).
1.3
Correct and lawful treatment of this data will maintain
confidence in the DFA and protect the rights of players and any
other individuals associated with the DFA. This Policy sets out our
data protection responsibilities and highlights the obligations of
the DFA, meaning the obligations of our Officers, Council
members, and any other contractor or legal or natural person or
organisation acting for or on behalf of the DFA.
1.4
You are obliged to comply with this policy when
processing personal data on behalf of the DFA, and this policy will
help you to understand how to handle personal data.
1.5
The DFA Officers will be responsible for ensuring
compliance with this Policy. Any questions about this Policy or data
protection concerns should be referred to the secretary of The DFA.
1.6
We process volunteer, member, referee, contractor,
committee, supplier and third party personal data for administrative
and DFA management purposes. Our purpose for holding
this personal data is to be able to contact relevant individuals on
DFA business and our legal basis for processing
your personal data in this way is the contractual relationship we
have with you. We will keep this data for 12 months after the end of
your official relationship with the DFA unless required otherwise by
law and / or regulatory requirements. If you do not provide your
personal data for this purpose, you will not be able to carry out
your role or the obligations of your contract with the DFA.
1.7
All the key definitions under GDPR can be found
here.
2. What we need from you
2.1
To assist with our compliance with GDPR we will need you to comply
with the terms of this policy. We have set out the key guidance in
this section but please do read the full policy carefully.
2.2
Please help us to comply with the data protection principles (set
out briefly in section 3 of this
policy and in further detail below):
2.2.1
please ensure that you only process data in accordance with our
transparent processing as set out in our Privacy notice;
2.2.2
please only process personal data for the purposes for which we have
collected it (i.e. if you want to do something different with it
then please speak to Geoff Ruck first);
2.2.3
please do not ask for further information about players and
members or volunteers without first checking with Geoff
Ruck; if you are asked to correct an individual’s personal data,
please make sure that you can identify that individual and, where
you have been able to identify them, make the relevant updates on
our records and systems;
2.2.4
please comply with our retention periods listed in our Privacy
Notice and make sure that if you still have information which falls
outside of those dates, that you delete/destroy it securely;
2.2.5
please treat all personal data as confidential. If it is stored in
electronic format then please consider whether the documents
themselves should be password protected or whether your personal
computer is password protected and whether you can limit the number
of people who have access to the information. Please also consider
the security levels of any cloud storage provider (and see below).
If it is stored in hard copy format then please make sure it is
locked away safely and is not kept in a car overnight or disposed of
in a public place;
2.2.6
if you are looking at using a new electronic system for the storage
of information, please talk to Geoff Ruck first so that we can
decide whether such a system is appropriately secure and complies
with GDPR;
2.2.7
if you are planning on sharing personal data with anybody new or
with a party outside the FA structure then please speak to Geoff
Ruck before doing so who will be able to check that the correct
contractual provisions are in place and that we have a lawful basis
to share the information;
2.2.8
if you receive a subject access request (or you think somebody is
making a subject access request for access to the information we
hold on them) then please tell Geoff Ruck as soon as possible
because we have strict timelines in which to comply;
2.2.9
if you think there has been a data breach (for example you have lost
personal data or a personal device which contains personal data, or
you have been informed that a coach has done so, or you have sent an
email with all contacts openly copied in) then please speak to Geoff
Ruck who will be able to help you to respond.
If you have any questions at any time then please just ask
Geoff Ruck. We are here to help.
3.1
Anyone processing personal data must comply with
the enforceable principles of data protection. Personal data must
be:
3.1.1
processed lawfully, fairly and in a transparent
manner;
3.1.2
collected for only specified, explicit and
legitimate purposes;
3.1.3
adequate, relevant and limited to what is necessary
for the purpose(s) for which it is processed;
3.1.4
accurate and, where necessary, kept up to date;
3.1.5
kept in a form which permits identification of
individuals for no longer than is necessary for the purpose(s) for
which it is processed;
3.1.6
processed in a manner that ensures its security by
appropriate technical and organisational measures to protect against
unauthorised or unlawful processing and against accidental loss,
destruction or damage;
3.2
We are responsible for and must be able to
demonstrate compliance with the data protection principles listed
above.
4.1
This Policy aims to ensure that our data processing
is done fairly and without adversely affecting the rights of the
individual.
4.2
Lawful processing means data must be processed on
one of the legal bases set out in the GDPR. When special category
personal data is being processed, additional conditions must be met.
5. Processing for limited purposes
5.1
The DFA collects and processes personal data. This
is data we receive directly from an individual and data we may
receive from other sources.
5.2
We will only process personal data for the purposes
of the DFA as instructed by Council, the
6. Consent
6.1
One of the lawful bases on which we may be
processing data is the individual’s consent.
6.2
An individual consents to us processing their
personal data if they clearly indicate specific and informed
agreement, either by a statement or positive action.
6.3
Individuals must be easily able to withdraw their
consent at any time and withdrawal must be promptly honoured.
Consents should be refreshed every season.
6.4
Explicit consent is usually required for automated
decision-making and for cross-border data transfers, and for
processing special category personal data. Where children are
involved then the consent must be in writing from a parent/guardian.
6.5
Where consent is our legal basis for processing, we
will need to keep records of when and how this consent was captured.
6.6
Our Privacy Notice sets out the lawful bases on
which we process data of our players and members.
7. Notifying individuals
7.1
Where we collect personal data directly from
individuals, we will inform them about:
7.1.1
the purpose(s) for which we intend to process that
personal data;
7.1.2
the legal basis on which we are processing that
personal data;
7.1.3
where that legal basis is a legitimate interest,
what that legitimate interest is;
7.1.4
where that legal basis is statutory or contractual,
any possible consequences of failing to provide that personal data;
7.1.5
the types of third parties, if any, with which we
will share that personal data, including any international data
transfers;
7.1.6
their rights as data subjects, and how they can
limit our use of their personal data;
7.1.7
the period for which data will be stored and how
that period is determined;
7.1.8
any automated decision-making processing of that
data and whether the data may be used for any further processing,
and what that further processing is.
7.2
If we receive personal data about an individual
from other sources, we will provide the above information as soon as
possible and let them know the source we received their personal
data from.
7.3
We will also inform those whose personal data we
process that we, the DFA are the data controller in regard to that
data, and which individual(s) in the DFA are responsible for data
protection.
8. Adequate, relevant and non-excessive processing
8.1
We will only collect personal data that is required
for the specific purpose notified to the individual.
8.2
You may only process personal data if required to
do so in your official capacity with the DFA. You cannot process
personal data for any reason unrelated to your duties.
8.3
The DFA must ensure that when personal data is no
longer needed for specified purposes, it is deleted or anonymised.
We will ensure that personal data we hold is accurate and kept up to
date. We will check the accuracy of any personal data at the point
of collection and at the start of each season. We will take
all reasonable steps to destroy or amend inaccurate or out-of-date
data.
We will not keep personal data longer than is
necessary for the purpose(s) for which they were collected. We will
take all reasonable steps to destroy or delete data which is no
longer required, as per our Privacy Notice.
11. Processing in line with data subjects’ rights
11.1
As data subjects, all individuals have the right
to:
11.1.1
be informed of what personal data is being processed;
11.1.2
request access to any data held about them by a data controller;
11.1.3
object to processing of their data for direct-marketing purposes
(including profiling);
11.1.4
ask to have inaccurate or incomplete data rectified;
11.1.5
be forgotten (deletion or removal of personal data);
11.1.6
restrict processing;
11.1.7
data portability; and
11.1.8
not be subject to a decision which is based on automated processing.
11.2
The DFA is aware that not all individuals’ rights
are absolute, and any requests regarding the above should be
immediately reported to Geoff Ruck, and if applicable escalated to
the Hampshire FA for guidance.
12.1
We will take appropriate security measures against
unlawful or unauthorised processing of personal data, and against
the accidental loss of, or damage to, personal data.
12.2
We have proportionate procedures and technology to
maintain the security of all personal data.
12.3
Personal data will only be transferred to another
party to process on our behalf (a data processor) where we
have a GDPR-compliant written contract in place with that data
processor.
12.4
We will maintain data security by protecting the
confidentiality, integrity and availability of the personal data.
12.5
Our security procedures include:
12.5.1
Entry controls. Any
stranger seen in entry-controlled areas should be reported. Not
applicable to our DFA.
12.5.2
Secure desks, cabinets and
cupboards. Desks and cupboards should be locked if they hold
personal data.
12.5.3
Methods of disposal.
Paper documents should be shredded. Digital storage devices should
be physically destroyed.
12.5.4
Equipment. Screens and
monitors must not show personal data to passers-by, and should be
locked when unattended. Excel spreadsheets will be password
protected.
12.5.5
Personal Devices. Anyone
accessing or processing the DFA’s personal data on their own device
must have and operate password-only access or a similar lock
function, and should have appropriate anti-virus protection. These
devices must have the DFA’s personal data removed prior to being
replaced by a new device or prior to such individual ceasing to work
with or support the DFA.
13. Disclosure and sharing of personal information
13.1
We share personal data with the Hampshire FA and
The FA, and with applicable leagues using Whole Game System.
13.2
We may share personal data with third parties or
suppliers for the services they provide, and instruct them to
process our personal data on our behalf as data processors. Where we
share data with third parties, we will ensure we have a compliant
written contract in place incorporating the minimum data processor
terms as set out in the GDPR, which may be in the form of a
supplier’s terms of service.
13.3
We may share personal data we hold if we are under
a duty to disclose or share an individual’s personal data in order
to comply with any legal obligation, or in order to enforce or apply
any contract with the individual or other agreements; or to protect
our rights, property, or the safety of our employees, players, other
individuals associated with the DFA or others.
14. Transferring personal data to a country outside the EEA
We may transfer any personal data we hold to a
country outside the European Economic Area (EEA), provided that one of the appropriate safeguards applies.
15. Reporting a personal data breach
15.1
In the case of a breach of personal data, we may need to notify the
applicable regulatory body and the individual.
15.2
If you know or suspect that a personal data breach has occurred,
inform Geoff Ruck who may need to escalate to the
Hampshire FA as appropriate. You should preserve all evidence
relating to a potential personal data breach.
16. Dealing with subject access requests
16.1
Individuals may make a formal request for information we hold about
them. Anyone who receives such a request should forward it to Geoff
Ruck immediately, and where necessary escalate it to the Hampshire FA
for guidance. Nobody should feel bullied or pressured into
disclosing personal information.
16.2
When receiving telephone enquiries, we will only disclose personal
data if we have checked the caller's identity to make sure they are
entitled to it.
17. Accountability
17.1
The DFA must implement appropriate technical and organisational
measures to look after personal data, and is responsible for, and
must be able to demonstrate compliance with the data protection
principles.
17.2
The DFA must have adequate resources and controls
in place to ensure and to document GDPR compliance, such as:
17.2.1
providing fair processing notice to individuals at all points of
data capture;
17.2.2
training council and volunteers on the GDPR, and this Data
Protection Policy; and
17.2.3
reviewing the privacy measures implemented by the DFA.
We reserve the right to change this policy at any time. Where
appropriate, we will notify you by email.
Mark Powell
Chairman