Bury Football Club Supporters’ Society Ltd.
(Formerly Forever Bury)
Data Protection Policy
The Directors of Bury Football Club Supporters’ Society Ltd. in adopting this policy fully understand their legal obligations and the importance of monitoring and implementing the policy within Bury Football Club Supporters’ Society Ltd.
Data Protection Policy
The Act states that an organization must:
In order to comply with the Act and ensure abidance by these principles Bury Football Club Supporters’ Society Ltd. have developed this Data Protection Policy.
2.1 This policy sets out the Bury Football Club Supporters’ Society Ltd. approach to handling personal data and developing a security-conscious and ethical approach to handling personal and other sensitive data. It informs all persons who process personal data on Bury Football Club Supporters’ Society Ltd. behalf and their obligations when handling this data.
3.1 This policy applies to all Bury Football Club Supporters’ Society Ltd. “staff”, associates, volunteers, Directors, members, contractors, or third parties, who process personal data on behalf of Bury Football Club Supporters’ Society Ltd.
3.2 For ease of use where this policy reads ‘staff’ this includes all of those highlighted above.
3.3 This policy continues to apply to ‘staff’ even after their relationship with Bury Football Club Supporters’ Society Ltd. has ended.
4.1 Overall responsibility for organisational Data Protection rests with the Directors to ensure adequate controls are in place to ensure compliance.
4.2 All ‘staff’ are personally responsible for complying with the Act and this Data Protection Policy. All ‘staff’ must ensure the information they have access to, handle, or share is processed lawfully, securely, and professionally.
4.3 Any reckless or deliberate breach of this policy will require appropriate action to control the risks, and may include criminal or civil action being taken if reputational or financial loss to Bury Football Club Supporters’ Society Ltd. results.
4.4 Advice on handling or sharing personal data should be provided by the supervising representative of Bury Football Club Supporters’ Society Ltd. Further information can be obtained from www.ico.gov.uk.
5 Policy content
5.1 The Act contains a set of eight principles that govern the way Bury Football Club Supporters’ Society Ltd. processes personal data. Personal data means that which relates to a living individual who can be identified from that data or other information held by Bury Football Club Supporters’ Society Ltd. All ‘staff’ who process, collect, use, store, access, disclose or otherwise handle personal data must do so in accordance with these principles.
5.2 This section sets out how Bury Football Club Supporters’ Society Ltd. complies with each of these principles and expectations on ‘staff’ when handling personal data.
5.3 The eight data protection principles Personal data shall be:
Fair and lawful
5.4 The first principle requires Bury Football Club Supporters’ Society Ltd. to be fair by being open and transparent with individuals about how their personal data is going to be collected, used, held, shared, processed etc. This is known as fair processing and expressed through a Privacy Notice e.g. when collecting data.
5.5 Bury Football Club Supporters’ Society Ltd. will, when collecting or handling personal data, tell individuals what will happen to their information, what it will be used for, and how long it will be held (a Privacy Notice).
5.6 Under Schedule 2 of the Act the data subject needs to have given their consent to the processing that it is
5.7 Further provisions exist under the Act in relation to legal access to data.
Sensitive Personal Data
5.8 Sensitive personal data under Schedule 3 of the Act may also apply to Bury Football Club Supporters’ Society Ltd. where data on a person’s racial or ethnic origin, religious beliefs, or other similar data are collected.
5.9 The data subject should have given their explicit consent to the processing of the personal data. This applies particularly where the data is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. This also applies where the processing is carried out in the course of its legitimate activities by any body or association which is not established or conducted for profit, and exists for political, philosophical, religious or tradeunion purposes; is carried out with appropriate safeguards for the rights and freedoms of data subjects; relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and does not involve disclosure of the personal data to a third party without the consent of the data subject.
5.10 Further provisions exist under the Act in relation to processing sensitive personal data.
Specified and lawful purposes (limited purposes)
5.11 This principle requires Bury Football Club Supporters’ Society Ltd. to process personal data for the purpose or purposes for which it was intended. The way in which Bury Football Club Supporters’ Society Ltd. intends to use the data should be set out in a Privacy Notice, and ‘staff’ must ensure they use personal data in a way in which individuals providing their data would reasonably expect in accordance with the Privacy Notice.
Adequate, relevant, and not excessive
5.12 Bury Football Club Supporters’ Society Ltd. ‘staff’ are required to ensure that any personal data it holds and processes is adequate (fit for purpose), relevant and not excessive (not more than required for the purpose set out in the Privacy Notice).
Accurate and up to date
5.13 All ‘staff’ must take reasonable steps to ensure data is accurate and kept up to date. Information should be checked at regular intervals to ensure it is correct, and if found to be inaccurate steps taken to correct the information held. This may be as simple as putting a standard notice on all correspondence asking to notify us of any inaccuracies, or if data inactive either checking within a 2 year period, before updating or deleting. (Although not covered by the Act we will also delete any information relating to deceased persons once we become aware of this fact).
Any person we hold data on has a right to:
5.14 Bury Football Club Supporters’ Society Ltd. will take steps to ensure the reliability of ‘staff’ with access to personal data and will ensure proper training has been provided prior to handling personal data. All ‘staff’ handling personal data should sign this policy to show that they have agreed to and will work in accordance with this policy before being given access to any personal data held by Bury Football Club Supporters’ Society Ltd.
5.15 ‘Staff’ will only be given access to personal data on a ‘need to know’ basis to carry out tasks for Bury Football Club Supporters’ Society Ltd.
5.16 Where ‘staff’ become aware of a potential breach of data security they should notify the Directors immediately.
Transferring personal data overseas
5.17 The Act requires that when transferring personal data to a country outside the European Economic Area (EEA) it is only permitted when the country has an adequate level of protection for rights and freedoms of data subjects. This may include emailing personal data abroad, or using online tools to broadcast emails, or collect personal information using online forms.
5.18 All ‘staff’ should apply these principles in their work for Bury Football Club Supporters’ Society Ltd.
5.19 Bury Football Club Supporters’ Society Ltd. was established as a non-profit Community Benefit organisation and where it makes a profit this is for its own purposes, and not used to enrich others personally. Based on current information and business practice Bury Football Club Supporters’ Society Ltd. do not have to register with the ICO, although it’s important that the business adheres to the principles of the Data Protection Act and understands best practice for managing information. (see http://ico.org.uk/for_organisations/data_protection/registration) .
Bury Football Club Supporters’ Society Ltd. and ‘staff’ must:
5.20 Bury Football Club Supporters’ Society Ltd. may wish to voluntarily register with the Information Commissioners Office or review its practice from time to time to ensure it does not require to do so.
6 Policy History
Original policy May 2018. Last updated May 2018. This included self-reassessment of the need to register with the ICO, the result of which indicated that Bury Football Club Supporters’ Society Ltd. does not need to register at this time.