Beggsboro AFC, through its governance, establishes the regulations and policies that are in use throughout all of its teams. Beggsboro AFC considers it of utmost importance that all policies are managed/enforced fairly and consistently throughout our teams.
The Beggsboro AFC Data Protection Policy is, at the time of writing, built upon the guidelines available from the Data Protection Commissioner's website at:
https://www.dataprotection.ie/docs/Self-Assessment-Data-Protection-Checklist/y/22.htm
This policy document will use each guideline in turn and develop a usable and practical policy based on the guideline recommendations.
All affiliated teams will retain responsibility for adhering to this policy, and an audit may be performed, at the discretion of Beggsboro AFC, to ensure compliance.
Beggsboro AFC and all its affiliated teams are covered by the guidelines listed in this document and must adhere to the recommendations outlined in each of the main responsibilities in this policy document.
It should be noted that the Data Protection Acts 1988 & 2003 refer to any information held and recorded in respect of an individual on either paper or electronic mediums.
The General Data Protection Regulation (GDPR) took effect on 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. As part of this directive, any person on whom you store, or have stored, information has the right to be forgotten, i.e. you must delete all reference to them from all records kept once they have requested that you do so.
MAIN RESPONSIBILITIES OF DATA PROTECTION
Rule 1: Fair obtaining:
• At the time when we collect information about individuals, are they made aware of the uses for that information?
• Are people made aware of any disclosures of their data to third parties?
• Have we obtained people’s consent for any secondary uses of their personal data, which might not be obvious to them?
• Can we describe our data-collection practices as open, transparent and up-front?
Registration Form
When a member joins Beggsboro AFC, a Registration form/registration will be used to gather only relevant information for the person. Forms will be signed yearly to ensure that only up-to-date information is recorded. A copy of the blank Registration form will be made available to members should they request it. Registration forms will be reviewed yearly to make sure non-relevant information is not being sought.
Information provided/collected
The information will include contact information, background information and any health issues that could affect a person’s participation in Football. The person is to be made aware that the information provided will be used for club administration purposes and can be shared by the club with the FAI as the national governing body but with confidentiality assured by both parties.
Members will be aware of the person responsible for Data Protection and the process involved for any information requests and costs associated.
Social Media/Internet/Advertising
If we intend to use images taken of our players on our website, any social media or advertising posters/leaflets etc., the players will be aware from the Registration form that their image may be used. In the event that the player is under 18 years of age, parent/guardian consent will be obtained on their behalf. A procedure will be in place for the removal/correction of any data stored/used for the above purposes.
Rule 2: Purpose specification
• Are we clear about the purpose (or purposes) for which we keep personal information?
• Are the individuals on our database also clear about this purpose?
• If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose? [Remember, if you are using personal data for a purpose not listed on your register entry, you may be committing an offence.]
• Has responsibility been assigned for maintaining a list of all data sets and the purpose associated with each?
Purpose of Data
Any data will be collected in a way that can be clearly defined in terms of its use. Data will not be collected if it has no relevance to the administration of Beggsboro AFC. All information collected and recorded will be factual. Speculative information will not be recorded as it is open to interpretation/opinion.
Any questions asked on Registration/data gathering forms will not be ambiguous and the purpose of it being required will be apparent to the person completing the form.
Beggsboro AFC is a data controller under the Data Protection Acts 1988 & 2003; however, it is not required to register with the office of the Data Protection Commissioner due to exemptions listed under section 16 (1)(b) of the Acts.
While Beggsboro AFC is a data controller and is not required to register with the office of the Data Protection Commissioner, it still must comply with the provisions of the Act.
All persons with access to personal information will be informed of the importance of accurate recording, confidentiality and the proper use of collected data. Beggsboro AFC will nominate a person(s) who is authorised to access personal data and ensure that no unauthorised access or unintended usage of collected data is permitted.
Rule 3: Use and disclosure of information
• Are there defined rules about the use and disclosure of information?
• Are all staff aware of these rules?
• Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
• If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data? [Remember, if you disclose personal data to someone not listed on your register entry, you may be committing an offence.]
Use of information
Beggsboro AFC will have a nominated person responsible for data collected either electronically or manually, to whom requests under the Data Protection Act can be made.
Any other person(s) (other than the nominated person) within Beggsboro AFC that has access to personal data will be educated in respect of the information that can be disclosed and to whom they may disclose it. If they are not sure, they will seek guidance prior to releasing data.
Any person for whom you retain information has a right under the Data Protection Act to request to see all information stored. The person can, if necessary, seek an amendment of any information recorded incorrectly.
Where an individual completes any form or data that will be recorded/stored, there should be a notification informing them:
• That the information may be shared
• With whom the information can be shared.
Information recorded will be factual and relevant only. No information will be recorded or disclosed that may cause concern for any individual if it was to be released without their consent/knowledge.
Beggsboro AFC is a data controller under the Data Protection Acts 1988 & 2003; however, it is not required to register with the office of the Data Protection Commissioner due to exemptions listed under section 16 (1)(b) of the Acts.
While Beggsboro AFC is a data controller and is not required to register with the office of the Data Protection Commissioner, it still must comply with the provisions of the Act.
Rule 4: Security
• Is there a list of security provisions in place for each data set?
• Is someone responsible for the development and review of these provisions?
• Are these provisions appropriate to the sensitivity of the personal data we keep?
• Are our computers and our databases password-protected, and encrypted if appropriate?
• Are our computers, servers, and files securely locked away from unauthorised people?
Security
The security of data should be considered under two separate headings:
1. Paper
2. Electronic
Paper Files
Information stored on paper will be securely locked in cabinets or other similar protected storage devices when not being accessed. These storage devices will only be accessible to the authorised person(s).
If work is being undertaken on paper files containing personal information, an empty desk policy will be adopted. Papers containing personal data will never be left unattended or in potential view of any person not authorised to see them.
Electronic Storage
Data can be stored in a number of software solutions. While the software solution can vary, protecting the electronic device on which the data is stored is more secure. Electronic storage covers a number of mediums: server, PC, tablet, phone and USB storage. In addition to live access, there is also the issue of backup mediums, which can be removable devices, disk, USB key or tape.
Data will only be stored on electronic devices that can satisfy at least two of the following criteria:
• Disk encryption
• Operating System Password
• Device password/Pin code
To ensure the security and integrity of data a dual factor authentication system will be in place. Two passwords will be required before data is accessible. All portable/mobile devices will be hard disk encrypted so data is not accessible if the device is lost or stolen. Any backups taken to portable devices will follow the same rules and only be used where the device is encrypted.
PCs, servers etc. should contain an up-to-date anti-virus/malware product to protect the integrity of any data held.
Rule 5: Adequate, relevant and not excessive
• Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
• Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
• If an individual asked us to justify every piece of information we hold about him or her, could we do so?
• Does a policy exist in this regard?
Information Value
Any data must be collected in a way that can be clearly defined in terms of its use. Data will not be collected if it has no relevance to the administration of the association or one of its teams. All information collected and recorded will be factual. Speculative information will not be recorded as it is open to interpretation/opinion.
Forms will be reviewed yearly to make sure non-relevant information is not being sought. If information that was once asked for is no longer required, it will be removed and no longer collected.
A retention and review policy will be in place for all data.
Rule 6: Accurate and up-to-date
• Do we check our data for accuracy?
• Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
• Do we take steps to ensure our databases are kept up-to-date?
Data Accuracy
Registration forms are the main form of data collection. As per Rule 1, Registration forms will be re-signed every year and information amended and kept up to date on paper and electronic records.
Rule 7: Retention time
• Is there a clear statement on how long items of information are to be retained?
• Are we clear about any legal requirements on us to retain data for a certain period?
• Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
• Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?
Retention
A member of Beggsboro AFC is defined as a person who has paid and is up to date with their association fees. In this regard Registration is easily checked.
As Football can be a lifetime journey, people can start and take breaks, so a reasonable time frame must be in place to allow a person to re-join or start again.
Both paper and electronic forms of data can be held for one year after the date Beggsboro AFC becomes aware that the person is no longer a member or has deemed that the Registration has lapsed.
At the end of the appointed period, Beggsboro AFC will remove any records, both paper and electronic, for the person. As Registrations may lapse at different times of the year, a practical approach (quarterly, yearly etc.) will be adopted for the destruction of records no longer required. Records should be verified as fulfilling the criteria before destruction. Records on paper will be securely disposed of, e.g. by shredding rather than recycling.
Rule 8: The Right of Access
• Is a named individual responsible for handling access requests?
• Are there clear procedures in place for dealing with such requests?
• Do these procedures guarantee compliance with the Act’s requirements?
Accessibility
As per Rule 3, Beggsboro AFC will nominate a person to be responsible for Data Protection. All members will be aware of who the nominated person is. The nominated person is responsible for ensuring that they comply with this policy document and will regularly evaluate their process to guarantee compliance.
Beggsboro AFC will have a process in place for requests made under data protection.
When a request is received you must:
• Supply the information to the individual within 40 days of receiving the request. Note that, having received the access request, you cannot change or delete the personal data which you hold just because you do not wish the data subject to see it.
• Provide the information in a form which will be clear to the ordinary person (e.g., any codes must be explained).
• Ensure that you give personal information only to the individual concerned (or someone acting on his or her behalf and with their authority). For instance, you normally would not provide such information by phone.
If we do not keep any information on computer or in a relevant filing system about the individual making the request, we will tell them so within the 40 days.
