Confidentiality and Data Protection Policy
Aim of this Policy
Gloucester Rowing Club (GRC) is aware of its responsibilities to comply with the Data Protection Act (DPA) 1998 (and subsequent amendment of 2003) with regard to collecting, handling and processing personal data about its members.
This policy defines data in accordance with the DPA, outlines the data protection principles and roles of members within the club who handle data and must adhere to those principles.
- Data – information about an individual recorded on paper that is intended to go on a computer and electronic records stored on a computer.
- Personal data – data from which a living individual can be identified, eg. name, address, driving licence number, date of birth, NI number and passport number.
- Confidential data – data given in confidence and not in the public domain, to be maintained within an agreed timescale, eg. medical or financial information.
- Sensitive personal data – data relating to a person’s opinions, eg. political or religious beliefs and sexual preferences, or medical information.
- Data Controller – this applies to the Club Committee who determine the purpose, use and processing procedure of the data.
- Data Subject – the individual who is the subject of the data.
- Data Subject Rights – an individual has the right of access to data held about them.
- Processing of data – the definition is broad and covers most aspects of data handling:
I. organisation, adaptation or alteration of the information or data,
II. retrieval, consultation or use of the information or data,
III. disclosure of the information or data by transmission, dissemination or otherwise making available, or
IV. alignment, combination, blocking, erasure or destruction of the information or data.
GRC duties under the Data Protection Act
In accordance with the DPA, the Club is satisfied that it qualifies as a not-for-profit organisation and is therefore exempt from registering with the Information Commissioner’s Office (ICO) to process data, but acknowledges that it still has a responsibility to comply with the eight Data Protection Principles set out in the DPA. The club’s duties under the DPA apply from the moment a member’s data is obtained until such data has been returned, securely deleted or destroyed.
The club shall ensure that standard forms shall be used to collect data and they shall make the purpose for collection clear, set out what will happen to that data and how long it shall be kept. Forms shall also indicate where consent is required, and in the case of children below the age of 18, parent/carer consent shall be obtained as good practice and as a precautionary measure (not strictly required for children over the age of 12 years) as shall a carer’s consent for an Adult at Risk.
The data protection principles are as follows:
1. Personal data shall be processed fairly and lawfully.
i. In order to process sensitive data eg. information on health, the Data Controller must have the consent of the Data Subject.
ii. If personal data is to be published on the website then the Data Subject’s consent must be sought.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Roles and responsibilities for data processing
The Membership Secretary shall be responsible for collecting personal data for all members, recording this on standardised paper forms and transferring details electronically to a personal computer with password access. Data shall include: email addresses, contact details, date of birth, relevant health details, parent/carer contact details and their consent for photographs and videos to be taken of their child and used for training purposes, or posted on the club website page or the club Twitter page. These details shall not be given to anyone from outside of GRC or for non-club related purposes, without the individual’s or parent/carer’s consent. Membership details shall only be shared internally within GRC when members who hold a ‘position of trust’ request them for a specific purpose, either in the running of the club or running the rowing programme. Members shall be required to keep their details up-to-date and notify the Membership Secretary of any changes.
The Membership Secretary shall also be responsible for maintaining electronic membership lists. These lists shall be used to track the ‘paid up’ status of members following information received from the Treasurer. The Membership Secretary shall contact members as appropriate to inform them if their monthly membership fee has lapsed or if their annual fee is due for renewal, and to enquire if they wish to continue with their membership.
The Membership Secretary shall follow the procedures below:
- If the member does not wish to continue, that shall be taken as confirmation that they have left the club and after 6 months any records containing their details shall be destroyed securely.
- If the member wishes to suspend their membership, their name shall be entered onto a list of suspended members. Those members shall be contacted every 6 months to review their status and their name shall remain on the list or be transferred to another list as appropriate.
- If the Membership Secretary does not receive a reply from the member, their name shall be entered onto the list of suspended members. The Membership Secretary shall inform the appropriate Squad Leader of the name of the member and that they are unable to use the club facilities without payment. The member shall be contacted after 6 months and their status reviewed. If there is no response, the Membership Secretary shall deem that to be confirmation that the member has decided to leave the club and their details shall be securely erased from the records.
The Treasurer shall be responsible for keeping electronic records of money that has been paid into the club by members, to include: membership fees, race fees and boat racking fees. In most cases the Treasurer shall only require a member’s name, or a parent/carer’s name to match with the club bank statement details. The rates and classes of membership shall be set at each club AGM and the club offers members a choice of whether to pay their subscriptions annually or monthly. The Treasurer shall notify the Membership Secretary of any member whose monthly or annual membership fee is overdue.
The Treasurer shall notify the Captain, or other designated member of the Committee, of any members whose race fee account is lacking in sufficient funds to cover any future competition entries.
Names and addresses shall be kept for those paying by Gift Aid so that they can be sent to HMRC.
All accounting records shall be maintained securely away from the club for 6 years and then securely destroyed.
To allow authorised members to make regular sundry purchases on behalf of the club, the Treasurer shall keep banking details of those members so that they may be reimbursed. Those details shall be erased from the Treasurer’s records as soon as that member ceases to purchase items regularly on behalf of the club.
The Chairman, and if appropriate the Secretary, shall be responsible for receiving formal complaints submitted by members and non-members. Some complaints may contain sensitive personal data or confidential data. Notes of the formal meetings shall be recorded either as paper copies or electronically on personal computers with password access, and shall be maintained away from the club for 5 years and then securely destroyed. Members shall refer to the club’s ‘Complaints and Disciplinary Procedures Policy’.
The Secretary shall be responsible for recording minutes of Committee meetings and processing those electronically so that they can be posted for all members to see. The Secretary shall take care to anonymise reports containing sensitive personal data or confidential data to avoid identification of individual members.
The Captain, or other designated Committee member, shall be responsible for entering all members into race events by the British Rowing Online Entry system. The only information that the Captain shall be required to enter is the name of the member and the age category that they are entering, as all other details identifying that individual are held by British Rowing on their system.
The Junior Coordinator shall be responsible for maintaining records of personal data for all junior participants, including their date of birth, contact details and health details. The Junior Coordinator shall only pass on details of data to other club members in a ‘position of trust’ on a need to know basis and for a specific purpose, for example to a coach running a single session, or a coach running sessions on a regular basis. Occasionally the Junior Coordinator shall be required to pass on personal data for certain categories of competition, and in the event of this a parent/carer’s consent shall be sought in advance. The personal data is stored electronically on a personal computer with password access. Personal data for junior members shall be erased securely when they are 18 years of age or within a year of confirmation that they have left the club permanently.
The Safety Advisor shall be responsible for reporting incidents that occur at the club to British Rowing via the British Rowing Incident Reporting system. Those reports shall be treated as confidential data and the names of juniors below the age of 18 years shall be withheld. Where those reports are used by British Rowing to provide the basis for general safety advice to their members, the information shall be anonymised by them.
Club Welfare Officer
The Club Welfare Officer (CWO) may receive confidential or sensitive personal data about an individual member relating to safeguarding concerns. The CWO shall use standard paper record templates advised by British Rowing to capture relevant data. These shall be stored away from the club in unmarked files. Sensitive personal data held on children shall be retained until the child reaches the age of 18, or sooner if there is confirmation that the child has left the club permanently. Sensitive personal data held on adults at risk shall be retained for one year. Personal data captured for the purpose of DBS clearance procedures shall only be retained until the online application is successfully completed. All information in paper form shall be destroyed securely.
Any correspondence received via email and containing personal, confidential or sensitive personal data will be maintained on a personal computer (with password access) until a concern is resolved. At this point the email shall be deleted securely, or in the case of child or adult at risk information, the email shall be printed off and filed securely. The CWO shall only pass on data details to other club members in a ‘position of trust’ on a need to know basis, or to British Rowing as necessary to protect the interests of the individual, and where appropriate with the individual’s or guardian/carer’s consent. The CWO shall only pass on details to other statutory bodies if advised by British Rowing and with guardian/carer’s consent, unless it is inappropriate to do so, or if there is an emergency and the individual is at risk.
Senior squad captains, the Learn2Row Coordinator and the Junior Coordinator shall be responsible for organising training sessions and sharing information with the rowing members in their groups. They shall maintain electronic records of names and email addresses on personal computers which have password access. The Junior Coordinator, or other authorised member, shall create group emails as the preferred method of communication within each squad. Names and email addresses shall be securely erased within one year of confirmation that the member has left the club permanently. Members shall refer to the club’s ‘Email Communication and Use of Social Media Policy’.