Data Protection Policy
Purpose and Background
Wilmslow Riding Club holds information about riders, volunteers and other people involved with our activities. The Club has a responsibility to look after this information properly, and to comply with the Data Protection Act. The UK Act will be replaced by the EU General Data Protection Regulation (GDPR) from 25th May 2018. It is likely that the GDPR will continue to form the basis of our Data Protection legislation, even once the UK has left the EU, so it is fully taken into account in this policy.
Good Data Protection practice is not just a matter of legal compliance and ticking the boxes. Data Protection is about taking care of people and respecting their privacy. Poor practice or a serious breach could not only harm individuals but would also have a serious effect on the reputation of our Club and BRC as a whole.
This policy applies to information relating to identifiable individuals which is held by Wilmslow Riding Club.
Our legal basis for using people’s data
Everything we do with records about individuals – obtaining the information, storing it, using it, sharing it, even deleting it – will have an acceptable legal basis. There are four of these:
- Consent from the individual (or someone authorised to consent on their behalf).
- Where it is necessary in connection with a contract between our club and the individual.
- Where it is necessary because of a legal obligation – if the law says you must, you must.
- Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
Where we are basing our processing on consent we will be able to ‘demonstrate’ that we hold consent. This means having a record of who gave consent, when they gave it, how they gave it (e.g. on the website, on a form, verbally) and what they actually consented to.
Data Protection Principles
Data Protection compliance is based largely on a set of Principles.
The six GDPR Principles say that:
- Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them.
- When you obtain information you must be clear why you are obtaining it, and must then use it only for the original purpose(s).
- You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary.
- Your information must be accurate and, where necessary, up to date.
- You must not hold information longer than necessary.
- You must have appropriate security to prevent your information being lost, damaged, or getting into the wrong hands.
Our policy sections below reflect each of these principles in a bit more detail.
Transparency & purposes (first and second Principles)
We will make key information available to people at the time we collect information from them. This includes:
- the identity and contact details of our club and the person who is responsible for Data Protection;
- the purposes we intend to use the data for and our ‘legal basis’ for this (see above);
- what we regard as our ‘legitimate interests’, if this is our basis for processing;
- any specific recipients of the data (e.g. BRC) or categories of recipients.
Other information will be made available where relevant. This includes:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- details of the individual’s rights, such as to request a copy of all the data held;
- the right to withdraw consent if that is the legal basis for processing (but not retrospectively);
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide it.
In both cases, we will only tell people things they won’t already know. When a rider joins our club they know that we will keep a record about them and their activities with us. We will therefore tell them anything that may not be entirely obvious to them. This could include things like:
- The fact that BRC nationally is a separate organisation and that membership data will be passed to BRC.
Data quality, record keeping and retention (third, fourth and fifth principles)
Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with. GDPR insists on this. We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and – where necessary – kept as up to date as possible. We will not keep it longer than necessary.
We will remind our committee that the individual concerned has the right to see all the information recorded about them by the group.
Our club will also have a clear policy on how long to keep information. We will draw up a retention schedule, taking each type of record we hold and specifying how long we normally keep it, and our justification for this. We will set up a process for ensuring that data is deleted or destroyed routinely at the appropriate time.
Security (sixth principle)
We will take good care of the information we hold, whether on computer or on paper, and make sure that we have provided guidance and training to our committee so that they treat the information appropriately.
In particular we will think about the risks when data is ‘in transit’ – either on portable devices or when it is being sent out. For example:
- If people are using their personal phone, laptop, camera or other device for our group’s purposes there will be clear expectations of how they should be secured.
- When sending information, particularly by email, we will take steps to prevent confidential information being sent to the wrong person, for example by using password-protected documents and sending the password in a separate email.
- We will also take care not to disclose people’s email addresses or other information inappropriately by carelessly copying in a large number of people or forwarding an email that has been copied widely.
- Information on paper will not be left lying around, and will only be taken out of a secure location when this is really necessary.
- Where information is processed for us externally (for example by BRC) we will expect the external organisation to be able to give us satisfactory guarantees about the security measures they take.
Responsibility for compliance with Data Protection lies with the organisation, not with any specific individual. The Club as a whole body will be responsible for keeping up to date with any developments, checking that we are complying and have the evidence to prove it, giving advice to our committee and handling any issues such as a data breach or a Subject Access Request. The Club may designate someone to be the lead person.
We will notify BRC National Office in the event of a serious issue, e.g. a data breach.