DATA PROTECTION POLICY

Bury Football Club Supporters’ Society Ltd.

(Formerly Forever Bury)

March 2022

The Directors of Bury Football Club Supporters’ Society Ltd. in adopting this policy fully understand their legal obligations and the importance of monitoring and implementing the policy within Bury Football Club Supporters’ Society Ltd.

1 Introduction

  • This policy sets out Bury Football Club Supporters’ Society Ltd.’s commitment to handling personal data in accordance with the Data Protection Act 1998; from 25th May 2018 this will be replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the Act). Bury Football Club Supporters’ Society Ltd. is currently not registered under the Act with the Information Commissioner’s Office (ICO).

The Act states that an organization must:

  • Use personal information fairly and lawfully;
  • Collect only the information necessary for a specific purpose(s);
  • Ensure it is relevant, accurate and up to date;
  • Only hold as much as you need, and only for as long as you need it;
  • Allow the subject of the information to see it on request; and
  • Keep it secure.

In order to comply with the Act and ensure abidance by these principles, Bury Football Club Supporters’ Society Ltd. have developed this Data Protection Policy.

 

2 Purpose

2.1 This policy sets out Bury Football Club Supporters’ Society Ltd.’s approach to handling personal data and developing a security-conscious and ethical approach to handling personal and other sensitive data. It informs all persons who process personal data on Bury Football Club Supporters’ Society Ltd.’s behalf of their obligations when handling this data.

 

3 Scope

3.1 This policy applies to all Bury Football Club Supporters’ Society Ltd. “staff”, associates, volunteers, Directors, members, contractors, or third parties, who process personal data on behalf of Bury Football Club Supporters’ Society Ltd.

3.2 For ease of use where this policy reads ‘staff’ this includes all of those highlighted above.

3.3 This policy continues to apply to ‘staff’ even after their relationship with Bury Football Club Supporters’ Society Ltd. has ended.

 

4 Responsibilities

4.1 Overall responsibility for organisational Data Protection rests with the Directors to ensure adequate controls are in place to ensure compliance.

4.2 All ‘staff’ are personally responsible for complying with the Act and this Data Protection Policy. All ‘staff’ must ensure the information they have access to, handle, or share is processed lawfully, securely, and professionally.

4.3 Any reckless or deliberate breach of this policy will require appropriate action to control the risks, and may include criminal or civil action being taken if reputational or financial loss to Bury Football Club Supporters’ Society Ltd. results.

4.4 Advice on handling or sharing personal data should be provided by the supervising representative of Bury Football Club Supporters’ Society Ltd. Further information can be obtained from www.ico.gov.uk.

 

5 Policy content

5.1 The Act contains a set of eight principles that govern the way Bury Football Club Supporters’ Society Ltd. processes personal data. Personal data means that which relates to a living individual who can be identified from that data or other information held by Bury Football Club Supporters’ Society Ltd. All ‘staff’ who process, collect, use, store, access, disclose or otherwise handle personal data must do so in accordance with these principles.

5.2 This section sets out how Bury Football Club Supporters’ Society Ltd. complies with each of these principles and expectations on ‘staff’ when handling personal data.

5.3 The eight data protection principles. Personal data shall be:

  • Processed fairly and lawfully.
  • Processed for specified and lawful purposes.
  • Adequate, relevant, and not excessive.
  • Accurate, and kept up to date.
  • Not kept longer than necessary.
  • Processed in accordance with the rights of data subjects.
  • Kept secure.

Fair and lawful

5.4 The first principle requires Bury Football Club Supporters’ Society Ltd. to be fair by being open and transparent with individuals about how their personal data is going to be collected, used, held, shared, processed etc. This is known as fair processing and is expressed through a Privacy Notice, e.g. when collecting data.

5.5 Bury Football Club Supporters’ Society Ltd. will, when collecting or handling personal data, tell individuals what will happen to their information, what it will be used for, and how long it will be held (a Privacy Notice).

5.6 Under Schedule 2 of the Act the data subject needs to have given their consent to the processing, or the processing is:

  • necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.
  • necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  • necessary in order to protect the vital interests of the data subject.
  • necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

5.7 Further provisions exist under the Act in relation to legal access to data.

Sensitive Personal Data

5.8 Sensitive personal data under Schedule 3 of the Act may also apply to Bury Football Club Supporters’ Society Ltd. where data on a person’s racial or ethnic origin, religious beliefs, or other similar data are collected.

5.9 The data subject should have given their explicit consent to the processing of the personal data. This applies particularly where the data is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. This also applies where the processing is carried out in the course of its legitimate activities by any body or association which is not established or conducted for profit, and exists for political, philosophical, religious or trade-union purposes; is carried out with appropriate safeguards for the rights and freedoms of data subjects; relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and does not involve disclosure of the personal data to a third party without the consent of the data subject.

5.10 Further provisions exist under the Act in relation to processing sensitive personal data.

Specified and lawful purposes (limited purposes)

5.11 This principle requires Bury Football Club Supporters’ Society Ltd. to process personal data for the purpose or purposes for which it was intended. The way in which Bury Football Club Supporters’ Society Ltd. intends to use the data should be set out in a Privacy Notice, and ‘staff’ must ensure they use personal data in a way in which individuals providing their data would reasonably expect in accordance with the Privacy Notice.

Adequate, relevant, and not excessive

5.12 Bury Football Club Supporters’ Society Ltd. ‘staff’ are required to ensure that any personal data it holds and processes is adequate (fit for purpose), relevant and not excessive (not more than required for the purpose set out in the Privacy Notice).

Accurate and up to date

5.13 All ‘staff’ must take reasonable steps to ensure data is accurate and kept up to date. Information should be checked at regular intervals to ensure it is correct, and if it is found to be inaccurate, steps should be taken to correct the information held. This may be as simple as putting a standard notice on all correspondence asking recipients to notify us of any inaccuracies, or, if data is inactive, checking it within a 2 year period before either updating or deleting it. (Although not covered by the Act, we will also delete any information relating to deceased persons once we become aware of this fact.)

Rights

Any person we hold data on has a right to:

  • Request a copy of personal data held about them, though steps must be taken to confirm their identity.
  • Prevent processing likely to cause damage or distress.
  • Prevent processing for direct marketing purposes (e.g. get their consent to hold their data and let them know if it is for direct marketing, and allow them to withdraw this consent at any time).
  • Have inaccurate or misleading information corrected or deleted.
  • Seek redress for failings to comply with the Data Protection Act.

Security

5.14 Bury Football Club Supporters’ Society Ltd. will take steps to ensure the reliability of ‘staff’ with access to personal data and will ensure proper training has been provided prior to handling personal data. All ‘staff’ handling personal data should sign this policy to show that they have agreed to and will work in accordance with this policy before being given access to any personal data held by Bury Football Club Supporters’ Society Ltd.

5.15 ‘Staff’ will only be given access to personal data on a ‘need to know’ basis to carry out tasks for Bury Football Club Supporters’ Society Ltd.

5.16 Where ‘staff’ become aware of a potential breach of data security they should notify the Directors immediately.

Transferring personal data overseas

5.17 The Act permits the transfer of personal data to a country outside the European Economic Area (EEA) only when the country has an adequate level of protection for the rights and freedoms of data subjects. This may include emailing personal data abroad, using online tools to broadcast emails, or collecting personal information using online forms.

5.18 All ‘staff’ should apply these principles in their work for Bury Football Club Supporters’ Society Ltd.

Registration

5.19 Bury Football Club Supporters’ Society Ltd. was established as a non-profit Community Benefit organisation, and where it makes a profit this is for its own purposes and is not used to enrich others personally. Based on current information and business practice, Bury Football Club Supporters’ Society Ltd. do not have to register with the ICO, although it is important that the business adheres to the principles of the Data Protection Act and understands best practice for managing information (see http://ico.org.uk/for_organisations/data_protection/registration).

Bury Football Club Supporters’ Society Ltd. and ‘staff’ must:

  • only process information necessary to establish or maintain membership or support;
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
  • only share the information with people and organisations necessary to carry out the organisation’s activities. Important – if individuals give you permission to share their information, this is OK;
  • only keep the information while the individual is a member or supporter or as long as is necessary for member/supporter administration.

5.20 Bury Football Club Supporters’ Society Ltd. may wish to voluntarily register with the Information Commissioner’s Office or review its practice from time to time to ensure it is not required to do so.

 

6 Policy History

Original policy May 2018. Last updated May 2018. This included self-reassessment of the need to register with the ICO, the result of which indicated that Bury Football Club Supporters’ Society Ltd. does not need to register at this time.
