The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR).
Clubs will be “controllers” of personal data (for example – name, address, date of birth, email address) that they collect, store, use, share and delete (this is known as “processing” of personal data). Clubs will process personal data of their members, parents, volunteers, committee members etc. therefore the GDPR will indeed apply to clubs, regardless of size.
The GDPR will even apply to clubs which are not incorporated (for example, as a company) as they will still process personal data, whether or not this is shared with anyone outside of the club.
As controllers, clubs need to prepare for the GDPR. It may seem like a lot of work at first, but using Scottish Handball's templates – please see the top of this page – will help clubs and aims to reduce the burden of the GDPR on them.
The GDPR includes six data protection principles that clubs need to be aware of whenever they are using personal data (for example signing up a new member, sending an email to a volunteer etc.).
In order to comply with these principles, clubs need to:
The GDPR is mainly concerned with electronic personal data. However, if a club uses a paper filing system that allows information to be picked out according to specific criteria, then the GDPR will also apply to that paper filing system. Most clubs will use email, and any personal data included in emails will be caught by the GDPR.
There is a specific list of “lawful bases” for processing personal data in the GDPR and clubs will need to identify which one applies before collecting and/or using personal data. Once clubs have identified their lawful basis, they must explain this to individuals in privacy notices.
When processing members’ personal data (for example, membership admission, membership fee payments, AGMs, etc.) clubs will have a “contractual” lawful basis. This is because the club needs to use members’ personal data to comply with the terms of their membership and the club should only use such personal data for this purpose.
A club may also be legally required to process members’ personal data for specific purposes, for example, health and safety. This lawful basis is known as the “legal obligation” lawful basis, as it applies when a controller needs to use personal data to comply with a legal obligation.
Again, clubs will have a “contractual” lawful basis, as employees will have a contract of employment and clubs should only use employees’ personal data to comply with their obligations under that contract of employment.
Clubs will also need to process employees’ personal data for legal reasons under the “legal obligation” lawful basis. For example, clubs will need to report details of employees’ income to HMRC for tax reporting purposes.
Another lawful basis is where the club (or a third party) has legitimate interests for processing personal data. However, the catch with this lawful basis is that any such legitimate interests cannot be outweighed by the interests of the relevant individual.
This might apply where clubs issue newsletters to members / other individuals or communications promoting upcoming events / competitions, which is seen as ‘direct marketing’. Clubs should always make sure that individuals can stop receiving such newsletters or communications by contacting the club.
Asking individuals if they consent to the club using their personal data is a lawful basis under the GDPR. However, there are specific requirements for asking for consent, which means it will be more difficult going forward and clubs should use one of the other lawful bases if more appropriate.
If clubs do want to ask individuals for consent, then they must use a consent statement that:
Where clubs use social media pages, it is likely that social media websites will have updated privacy policies as the providers will consider that they are controllers. Clubs should hopefully not notice much of a difference. However, clubs are advised to check these privacy policies.
Special category personal data is a separate category of personal data under the GDPR and includes data revealing a person’s racial or ethnic origin; health; sex life or sexual orientation; or religious or philosophical beliefs.
Where clubs process special category personal data they must have a lawful basis and meet at least one condition for processing special category personal data. The template privacy notice wording includes some examples of these conditions and we would recommend that clubs seek advice if they process other special category personal data and want to check the conditions.
There will also be separate conditions in the new UK Act for processing personal data relating to actual or alleged criminal offences, which are still to be finalised.
A “privacy notice” is a statement by a “controller” explaining to individuals what they do with personal data. Clubs have access to template wording for privacy notices.
When collecting or receiving personal data from anyone, clubs must give a privacy notice to the individual whose personal data the club is processing. For example, the privacy notice should be included in applications for membership, membership renewal forms, booking forms, and employment / volunteer forms.
Clubs should also put their privacy notices on their website and can provide individuals with the link to the relevant page.
The template sets out all of the headings that the GDPR states should be in a privacy notice. However, the text under the headings can be tailored by clubs. It is important for clubs to cover all of their data processing activities in privacy notices.
If clubs pass membership data or other personal data to SGBs, i.e. Scottish Handball, the SGB will become a controller of that personal data in most cases. The clubs’ privacy notice must tell individuals that the SGB will receive their personal data and become a controller of it.
If clubs publish any personal data on a website then this must be stated within the privacy notice.
Individuals (known as “data subjects”) have certain rights regarding their personal data under the GDPR. Clubs will need to consider requests from data subjects and provide a response within one month.
We would recommend that if a club receives a request from an individual and is unsure how to respond, it should take advice. Clubs need to be aware of the one month timescale and make sure that they comply.
Data subjects can ask clubs to:
Data subjects can also object to a club processing their personal data, which is known as the “right to object”. This right only applies in some circumstances – for example, members can object to receiving the club’s newsletter and the club should stop sending the newsletter to the member immediately.
If clubs use any third party suppliers they should check whether those suppliers are given, or have access to, any personal data held by the club, as such suppliers are defined as “processors” under the GDPR. Clubs may use suppliers to send mailshots, administer online systems, process payments, host websites, run online surveys, etc.
Clubs should have suppliers sign the template data processing agreement or enter into a contract or terms and conditions, which includes the template data processing clause.
The GDPR requires controllers to be responsible for and be able to demonstrate compliance with the data protection principles – ‘accountability’. This principle will apply to clubs, who will need to keep records of their processing activities – i.e. details of what they use personal data for.
There is an exemption for controllers with fewer than 250 employees and guidance is awaited regarding the scope of this exemption. For clubs, this will mean that they only have to keep records of data processing activities that: are not occasional; could result in a risk to the rights and freedoms of individuals; or involve special category personal data or data relating to criminal convictions or offences.
It is likely that clubs will need to keep a record of what and how they process personal data for members, employees, volunteers, participants as they do this on a regular basis.
Clubs should keep a document (such as a spreadsheet or table) recording the following:
Clubs should also keep copies of privacy notices and consent statements so they can evidence that these have been provided to individuals.
If a club loses personal data or suffers a data security incident then this would result in a personal data breach. Examples of breaches include: access to personal data by an unauthorised person; sending personal data to the wrong person; or losing computer or mobile equipment containing personal data.
If the breach is severe and could affect individuals (i.e. puts their rights and freedoms at risk) then clubs will be under an obligation to notify the Information Commissioner’s Office (the ICO) within 72 hours of becoming aware of the breach. Clubs will also have to notify the affected individuals if there is a high risk to their rights and freedoms.
If a club fails to notify either the ICO or affected individuals of a breach when required to do so, they could suffer a significant fine.
Clubs that breach the GDPR may be liable to a large fine (£20m or 4% of annual turnover (whichever is greater) for serious compliance failures). Individuals can also sue clubs for compensation. Accordingly, it is important for clubs to prepare for the GDPR to reduce the risk of breaching it.
This briefing paper represents the proposed law and guidance as at 1 March 2018, and was provided by sportscotland. sportscotland has been advised on this process by Expert Resource, Harper Macleod LLP. Should you have any questions in relation to the above guidance notes, please contact firstname.lastname@example.org