Privacy : Data Protection Policy
Policy Statement
Data Protection - TO TAKE EFFECT FROM 25.05.18
We are committed ensuring the responsible, safe and legitimate collection, retention and usage of information about individuals in order to protect their privacy whilst providing controlled access to that information by those with a legitimate and permitted interest.
This policy outlines the arrangements for collecting, using, storing, retaining and sharing personal information.
Employer Responsibilities
We shall:
- Register with the Office of the Information Commissioner;
- Identify an accountable data controller;
- Identify the lawful basis for collecting each data set held;
- Ensure that personal information is processed fairly, lawfully and in a transparent manner;
- Only collect and use that information for specified, explicit and legitimate purposes, or for purposes which are compatible with the stated purpose;
- Process only information which is adequate and relevant to the purpose, and which is limited to what is necessary for that purpose;
- Strive to maintain accurate, up to date information and make any notified changes within one month;
- Not retain personal information for longer than is absolutely necessary to fulfil its stated purpose;
- Keep all personal information safe and secure and protected from unauthorised access, accidental loss or destruction/damage;
- Not transfer any information to a country outside the European Economic Area;
- Share with data subjects the rationale for seeking their data and explain how it will be processed, including how data subjects must consent to the use of their data, and how that consent can be withdrawn;
- Cease to process any data on request of the data subject
- Train staff in data protection;
- Share that data with relevant third parties either for statutory purposes or for other legislative purposes (eg criminal investigation);
- Share information with other third parties only when data sharing protocols or contracts, in line with this policy, have been approved by Trustees, ensuring individuals have actively consented to that sharing;
- Provide any individual with copies of all personal data held about them as soon as possible, and in any event no later than one month from the request date, unless the request is unduly complex and requires an extended period of two further months to complete, unless that information relates to criminal proceedings, matters of national security, tax matters or appointments to the judiciary;
- Provide information held at no cost to the applicant, unless the request is manifestly unfounded or excessive, in which case an appropriate fee to cover the cost of administration may be levied.
- Give due regard to the additional sensitivity in handling data about any criminal record and about individual's protected characteristics as defined by the Equality Act;
- Conduct DBS checks only where necessary and in line with the ESFA's safeguarding policy;
Employee Responsibilities
Employees shall:
- Actively participate in data protection training and apply that learning in the workplace;
- Ensure that data protection protocols are applied to relationships with membership;
- Ensure that data protection protocols are applied to relationships with sponsors, funders and any other third parties;
- Provide personal information to the employer so that the employer can discharge its responsibilities under employment law, equalities law, health and safety laws and safeguarding legislation;
- Take responsibility for updating the employer when any of those personal details change;
- Comply with reasonable requests to review their personal information for the purposes of checking currency and accuracy;
- Put in writing any request for copies of their personal information and ensure that this request is dated;
- Comply with the FA's IT acceptable use policy;
- Comply with the ESFA's safeguarding policy and guidance;
- Raise any concerns about the handing of their personal data with their line manager in the first instance.
References and tools to support the Policy
- The FA IT acceptable use policy
- Safeguarding policy and guidance
- Contract of employment
- The Office of the Information Commissioner - www.ico.gov.uk
Policy Review Arrangements
This policy will be reviewed at least annually.