The General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. Forest United has updated its policies and procedures to reflect the new rights of individuals under GDPR, namely:
● the right to be informed;
● the right of access;
● the right to rectification;
● the right to erasure;
● the right to restrict processing;
● the right to data portability;
● the right to object; and
● the right not to be subject to automated decision-making including profiling.
Forest United keeps information on its staff, members and users, in order to meet our legal obligations and keep individuals safe when they are participating in our activities. Our reasons for keeping this information are covered by the lawful bases allowed in GDPR, namely: (clubs should select which of these bases apply to them, for each element of information held)
(a) Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
(b) Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
(c) Vital interests: The processing is necessary to protect someone’s life.
(d) Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(e) Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Audit of data held
Forest United has conducted an audit of the personal and sensitive data that we hold in the organisation.
Designated person responsible for GDPR compliance
The designated person responsible for GDPR compliance at Forest United is Scott Wade.
Data Collection Procedures
● Forest United explains to people whose personal data we store how we intend to use that data through our privacy statement which is clearly accessible on our website
● Forest United gains active consent from individuals for holding their personal information by:
o Requiring the person (or their parent/carer for those under the age of 13) to sign to say they consent at the point at which data is collected
o We verify that the person giving consent on behalf of a young person under the age of 13 has the right to do so
o Seeking consent on an annual basis for those on mailing lists – and removing people from databases if they do not respond.
o We keep records that demonstrate that individuals have given active consent for us to store and use their personal data
● Our forms and templates include a standard form of wording to ensure that individuals understand what the purpose of the collection of the data is and what will happen to that data. Importantly, our forms ensure that all individuals give their explicit consent when they supply information regarding medical conditions or are consenting to the use of their data for commercial purposes. Good evidence of explicit consent is a box ticked on a form.
● For people under the age of 13 we ensure that the child’s parent or carer gives their consent by completing a paper form. We have a similar process for the carers of vulnerable adults who cannot give an agreement themselves
● Our privacy statement is written in terms which can be easily understood by our members/users and their families/carers
● Our staff and volunteers have been trained in using the personal data we collect only for the purposes that we state we use it for
● We store personal information securely, on password protected devices and/or in locked cabinets in secure premises. Only approved individuals have access to this data
● If someone withdraws consent for us to store and use their personal data, we immediately remove their data from our management information systems and shred any paper documents we hold concerning their personal information.
● We review our data collection and storage systems every 2 years, to ensure that they remain fit for purpose
How we handle personal and sensitive data
Forest United ensures that any confidential information is handled sensitively, stored appropriately and destroyed when no longer used.
1. We ensure that sensitive information, whether on a computer file or paper copies, is kept securely with access strictly controlled and limited to persons who need to have access to this information in the course of their work.
2. Sensitive data which could be a risk to individuals if in the public domain (e.g. health records, employment history) is held on fully secured devices, encrypted with a password.
3. Confidential information will only be used for the specific purpose for which it was requested and with the person’s full consent (although see below for information relating to welfare).
4. Once the information is no longer needed, confidential information will be destroyed by secure means (e.g. shredding, pulping or burning).
Information relating to the welfare of children, young people or vulnerable adults
Forest United works with children, young people or vulnerable adults with respect to their welfare, and we inform people that:
● Information will only be forwarded on ‘a need to know’ basis in order to safeguard the child/young person/vulnerable adult
● Giving such information to others for the protection of the child/young person/vulnerable adult is not a breach of confidentiality if it follows the agreed processes of local safeguarding authorities
● We cannot guarantee total confidentiality where the best interests of the child/young person/vulnerable adult are at risk
● Primary carers, children, young people and vulnerable adults have a right to know if a report is being made to the Health Services or police unless informing them could put the child/young person/vulnerable adult at further risk. If a decision is taken not to inform primary carers of such a report, reasons for that decision will be recorded
● Images of a child/young person under the age of 18/vulnerable adult will not be used for any reason without the consent of their parent/carer
● Images of members over 18 will not be used without their consent. We cannot, however, guarantee that cameras/videos will not be used at public events
Procedures are in place for recording and storing data in line with our privacy statement.
Information on employees and volunteers
Forest United holds information on its employees as required by government departments. We also hold data about our volunteers to enable us to respond to their needs and meet the requirements of our funders (where appropriate). We hold information on employees and volunteers for the duration of their employment/volunteering with us, and for 5 years after they have left our organisation.
Employees and volunteers can ask to see any information that we hold about them. Forest United will respond to such requests in a timely manner, within 30 days of receiving the request.
Dealing with a Data Protection Request
● Under GDPR, anyone can ask if an organisation holds personal information about them, through a Subject Access Request (SAR). Forest United will respond to their request within 30 days. This includes written records as well as data held on computer systems.
● The person has the right to know:
o What information is being used
o Why it’s being used
o Where it came from
o Who can see the information
● Forest United will send them a hard copy, if possible, such as a letter or print out, unless both parties agree otherwise
● Forest United will make sure the recipient can understand the information, i.e. explain what any codes mean
● Forest United follows the advice of the Information Commissioner on what type of personal data must be disclosed if an organisation receives a subject access request. The key steps that must be followed when deciding whether to disclose personal data are that data should be disclosed if:
(i) A living individual can be identified from the data.
(ii) The data relates to the identifiable living individual, whether in personal or family life, business or profession.
(iii) That data is obviously about a particular individual.
(iv) The data linked to the individual provides particular information about that individual.
(v) The data is used to inform or influence actions or decisions affecting an identifiable individual.
(vi) The data has biographical significance in relation to the individual.
(vii) The data focuses or concentrates on the individual as its central theme rather than some other person.
(viii) The data impacts or has the potential to impact on an individual whether in a personal, family, business or professional capacity.
● Particular care will be taken when disclosing information if a third party can be identified from the data. Special provisions apply in such circumstances.
Transferring information to third parties:
● Forest United only shares information on our members and users with third parties when a suitable contract is in place with any ‘data processors’ processing personal data on the organisation. This includes funders and sport governing bodies.
● Forest United does not transfer data to third parties unless we have authorisation (usually that the individual has given consent, or the recipient is an authorised ‘data processor’)
● Forest United does not put personal data on the Internet without the individual’s consent.
Significant data breach
In the event of a significant data breach, such as lost or misplaced personal files, computers or memory sticks holding such information, Forest United will inform the relevant authorities and the individuals involved within 72 hours. Authorities will be given full details of the breach and actions to be taken to mitigate the impact.