DATA PROTECTION POLICY

AFC Darwen is fully committed to protecting the rights and privacy of individuals, in accordance with the Data Protection Act 1998 and the GDPR (effective from 25th May 2018). Information about our committee, coaches, managers, assistants, administrators, players, parents and other individuals will only be processed in line with established regulations. Personal data will be collected, recorded and used fairly, stored safely and securely and not disclosed to any third party unlawfully. As the lawful and correct treatment of personal information is critical to our successful operations and to maintaining confidence, AFC Darwen is committed to:

  • protecting members’ personal details and records

  • keeping candidates’ and other individuals’ personal data up to date and confidential

  • maintaining personal data only for the time period required

  • releasing personal data only to authorised individuals/parties such as leagues for registration purposes

  • collecting accurate and relevant data only for specified lawful purposes

  • adhering to regulations and related procedures to ensure that all committee members who have access to any personal data held by or on behalf of AFC Darwen are fully aware of and abide by their duties under the Data Protection Act 1998.

Members are required to report any allegation in relation to the unlawful treatment of personal data by contacting the Chairman. A concern should be raised in the event that members feel that records of their personal data have been:

  • lost

  • obtained through unlawful disclosure or unauthorised access

  • recorded inaccurately and/or in a misleading manner

  • provided to a third party without permission.

  • Where required, AFC Darwen will take appropriate action/corrective measures against unauthorised/unlawful processing, loss, destruction or damage to personal data.

REGISTRATION SYSTEM

When you or your child registers the data held by AFC Darwen is kept securely on a membership system and will be used only for the purposes of the club and league registrations. When authorisiong your/your child(s) registration you are requested to consent by ticking to tick box relating to Data protection on iTeammate which is the club’s new membership system from 2018/2019.

  • Register the player(s) with the relevant leagues which includes passing on the players and parents personal data (including name, email, gender, photo, DOB, phone number) and for football related communications (non-commercial).

  • This data is also shared with authorised club officials who need it to communicate information about training and fixtures and for them to be able to contact parents/emergency contacts in the case of an emergency. Medical details (if provided) are also shared with team officials for awareness and in case of an emergency where this information may need to be passed on to medical staff.

  • Any additional information, such as proof of data of birth documents, when received, is attached securely to your/your child’s (s) membership record

Once a player registration expires they are retained for 12 months and it is then automatically archived securely for 3 years.

Only the club Secretary will have full access to this data. The manager/administrator of your team will have limited access to information required for matches such as contact info, medical details etc. Managers gain access by submitting a data protection statement to the system administrator.

YOUR RIGHTS & OPTING OUT

You may opt out of information about you or your child being shared, and your record deleted at any point by emailing elaine.littler@afc-darwen.com.

You have the right to request what information is stored about you or your child by emailing elaine.littler@afc-darwen.com.

CONTACT

Questions, comments and requests regarding this Policy should be addressed to;

elaine.littler@afc-darwen.com.

  1. What we need from you
    1. To assist with our compliance with GDPR we will need you to comply with the terms of this policy. We have set out the key guidance in this section but please do read the full policy carefully.
    2. Please help us to comply with the data protection principles (set out briefly in section 3 of this policy and in further detail below):
      1. please ensure that you only process data in accordance with our transparent processing as set out in our Privacy notice;
      2. please only process personal data for the purposes for which we have collected it (i.e. if you want to do something different with it then please speak to Elaine Littler, Club Secretary first;
      3. please do not ask for further information about players and / or members and / or staff and / or volunteers without first checking with Elaine Littler, Club Secretary.
      4. if you are asked to correct an individual’s personal data, please make sure that you can identify that individual and, where you have been able to identify them, make the relevant updates on our records and systems;
      5. please comply with our retention periods listed in our Privacy Notice and make sure that if you still have information which falls outside of those dates, that you delete/destroy it securely;
      6. please treat all personal data as confidential. If it is stored in electronic format, then please consider whether the documents themselves should be password protected or whether your personal computer is password protected and whether you can limit the number of people who have access to the information. Please also consider the security levels of any cloud storage provider (and see below). If it is stored in hard copy format then please make sure it is locked away safely and is not kept in a car overnight or disposed of in a public place;
      7. if you are looking at using a new electronic system for the storage of information, please talk to Elaine Littler first so that we can decide whether such a system is appropriately secure and complies with GDPR;
      8. if you are planning on sharing personal data with anybody new or with a party outside the FA structure then please speak to Elaine Littler,
      9. Club Secretary before doing so who will be able to check that the correct contractual provisions are in place and that we have a lawful basis to share the information;
      10. if you receive a subject access request (or you think somebody is making a subject access request for access to the information we hold on them) then please tell [insert name] as soon as possible because we have strict timelines in which to comply;
      11. if you think there has been a data breach (for example you have lost personal data or a personal device which contains personal data, or you have been informed that a coach has done so, or you have sent an email and open copied all contacts in) then please speak to Elaine Littler, Club Secretary who will be able to help you to respond.

If you have any questions at any time then please just ask Elaine Littler, Club Secretary.

We are here to help.

  1. Data protection principles
    1. Anyone processing personal data must comply with the enforceable principles of data protection. Personal data must be:
      1. processed lawfully, fairly and in a transparent manner;
      2. collected for only specified, explicit and legitimate purposes;
      3. adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed;
      4. accurate and, where necessary, kept up to date;
      5. kept in a form which permits identification of individuals for no longer than is necessary for the purpose(s) for which it is processed;
      6. processed in a manner that ensures its security by appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage;
    2. We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
  2. Fair and lawful processing
    1. This Policy aims to ensure that our data processing is done fairly and without adversely affecting the rights of the individual.
    1. Lawful processing means data must be processed on one of the legal bases set out in the GDPR. When special category personal data is being processed, additional conditions must be met.
  1. Processing for limited purposes
    1. AFC Darwen collects and processes personal data. This is data we receive directly from an individual and data we may receive from other sources.
    2. We will only process personal data for the purposes of AFC Darwen as instructed by the committee, the County FA or The FA, or as specifically permitted by the GDPR. We will let individuals know what those purposes are when we first collect the data or as soon as possible thereafter.
  1. Consent
    1. One of the lawful bases on which we may be processing data is the individual’s consent.
    2. An individual consent to us processing their personal data if they clearly indicate specific and informed agreement, either by a statement or positive action.
    3. Individuals must be easily able to withdraw their consent at any time and withdrawal must be promptly honoured. Consents should be refreshed every season.
    4. Explicit consent is usually required for automated decision-making and for cross-border data transfers, and for processing special category personal data. Where children are involved then the consent must be in writing from parent/guardian
    5. Where consent is our legal basis for processing, we will need to keep records of when and how this consent was captured.
    6. Our Privacy Notice sets out the lawful bases on which we process data of our players and members.
  1. Notifying individuals
    1. Where we collect personal data directly from individuals, we will inform them about:
      1. the purpose(s) for which we intend to process that personal data;
      2. the legal basis on which we are processing that personal data;
      3. where that legal basis is a legitimate interest, what that legitimate interest is;
      4. where that legal basis is statutory or contractual, any possible consequences of failing to provide that personal data;
      5. the types of third parties, if any, with which we will share that personal data, including any international data transfers;
      6. their rights as data subjects, and how they can limit our use of their personal data;
      7. the period for which data will be stored and how that period is determined;
      8. any automated decision-making processing of that data and whether the data may be used for any further processing, and what that further processing is.
    2. If we receive personal data about an individual from other sources, we will provide the above information as soon as possible and let them know the source we received their personal data from;
    3. We will also inform those whose personal data we process that we AFC Darwen, are the data controller in regard to that data, and which individual(s) within AFC Darwen are responsible for data protection.
  2. Adequate, relevant and non-excessive processing
    1. We will only collect personal data that is required for the specific purpose notified to the individual.
    2. You may only process personal data if required to do so in your official capacity with AFC Darwen . You cannot process personal data for any reason unrelated to your duties.
    3. AFC Darwen must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised.
  1. Accurate data

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at the start of each season. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

  1. Timely processing

We will not keep personal data longer than is necessary for the purpose(s) for which they were collected. We will take all reasonable steps to destroy or delete data which is no longer required, as per our Privacy Notice.

  1. Processing in line with data subjects’ rights
    1. As data subjects, all individuals have the right to:
      1. be informed of what personal data is being processed;
      2. request access to any data held about them by a data controller;
      3. object to processing of their data for direct-marketing purposes (including profiling);
      4. ask to have inaccurate or incomplete data rectified;
      5. be forgotten (deletion or removal of personal data);
      6. restrict processing;
      7. data portability; and
      8. not be subject to a decision which is based on automated processing.
    2. AFC Darwen is aware that not all individuals’ rights are absolute, and any requests regarding the above should be immediately reported to the committee, and if applicable escalated to the Lancashire Football Association for guidance.
  2. Data security
    1. We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
    2. We have proportionate procedures and technology to maintain the security of all personal data.
    3. Personal data will only be transferred to another party to process on our behalf (a data processor) where we have a GDPR-compliant written contract in place with that data processor.
    4. We will maintain data security by protecting the confidentiality, integrity and availability of the personal data.
    5. Our security procedures include:
      1. Entry controls. Any stranger seen in entry-controlled areas should be reported.
      2. Secure desks, cabinets and cupboards. Desks and cupboards should be locked if they hold personal data.
      3. Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed.
      4. Equipment. Screens and monitors must not show personal data to passers-by and should be locked when unattended. Excel spreadsheets will be password protected.
      5. Personal Devices. Anyone accessing or processing AFC Darwen’s personal data on their own device, must have and operate a password only access or similar lock function, and should have appropriate anti-virus protection. These devices must have AFC Darwen’s personal data removed prior to being replaced by a new device or prior to such individual ceasing to work with or support the Club.
  3. Disclosure and sharing of personal information
    1. We share personal data with Lancashire Football Association and The FA, and with applicable leagues using Whole Game System.
    2. We may share personal data with third parties or suppliers for the services they provide and instruct them to process our personal data on our behalf as data processors. Where we share data with third parties, we will ensure we have a compliant written contract in place incorporating the minimum data processer terms as set out in the GDPR, which may be in the form of a supplier’s terms of service.
    3. We may share personal data we hold if we are under a duty to disclose or share an individual’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the individual or other agreements; or to protect our rights, property, or safety of our employees, players, other individuals associated with the AFC Darwen or others.
  4. Transferring personal data to a country outside the EEA

We may transfer any personal data we hold to a country outside the European Economic Area (EEA), provided that one of the appropriate safeguards applies.

  1. Reporting a personal data breach
    1. In the case of a breach of personal data, we may need to notify the applicable regulatory body and the individual.
    2. If you know or suspect that a personal data breach has occurred, inform a member of the committee immediately, who may need to escalate to the Lancashire Football Association as appropriate. You should preserve all evidence relating to a potential personal data breach.
  1. Dealing with subject access requests
    1. Individuals may make a formal request for information we hold about them. Anyone who receives such a request should forward it to the board/committee immediately, and where necessary escalated to the Lancashire Football Association for guidance. Nobody should feel bullied or pressured into disclosing personal information.
    2. When receiving telephone enquiries, we will only disclose personal data if we have checked the caller’s identity to make sure they are entitled to it.
  1. Accountability
    1. AFC Darwen must implement appropriate technical and organisational measures to look after personal data, and is responsible for, and must be able to demonstrate compliance with the data protection principles.
    2. AFC Darwen must have adequate resources and controls in place to ensure and to document GDPR compliance, such as:
      1. providing fair processing notice to individuals at all points of data capture;
      2. training committee and volunteers on the GDPR, and this Data Protection Policy; and
      3. reviewing the privacy measures implemented by the AFC Darwen.
  1. Changes to this policy

We reserve the right to change this policy at any time. Where appropriate, we will notify you by email.