Privacy

2018b

Ref: 18.07.SIS.POL.AX.2018b

 

The Mission.

“SPIRIT IN SPORT” (and its community arm ‘Spirit in the Community’) (“WE”) promote social inclusion and good health and wellbeing for public benefit, by providing community and sports-based services and activities for members of the community in accordance with Christian principles, to prevent or relieve social and economic exclusion by reason of age, ill-health, disability, financial hardship or other disadvantage.

Protecting Your Personal Data.

We exist to serve people with the compassion of Christ. The protection of information about people is not only imperative for us by law, but also by nature. Without it, there is no trust, no integrity, no accountability. Without this, we cannot help lives change.

Personal Data.

What is it?  

“PERSONAL DATA” is information about “YOU” (or “YOUR” information, whether an individual employee, volunteer, visitor, service-user, or the general public, but not a whole organisation such as a church, school, or company, for example). This information will identify you either directly, or indirectly when combined with other information.

Even where your name is replaced with a ‘fake’ name for example, it is still personal. If information is truly anonymised, about a deceased person, or about a company or public authority at the corporate (non-individual) level, it is not subject to GDPR.

Why do we need it?

We keep your personal data to:

  1. Grow in number.
  2. Keep in touch.
  3. Know what we need to know about you to help do what we aim to do – safely and effectively.
  4. Learn about and share our impact.
  5. Improve what we do.

How is it protected?

As covered in more detail in our “GDPR PLAN”, your data is protected at each stage of “DATA PROCESSING”, including collecting, storing, transmitting, releasing, checking, and removing data.

People.

Who’s responsible?

The “DATA CONTROLLER” decides whose personal data is processed and why, what it includes, what it is used for, who it is shared with, and how long it is kept. The Data Controller is either:

  1. SPIRIT IN SPORT (registered charity number: 1161773, registered address: Immanuel Baptist Church, 109 Victoria Road North, Southsea, PO5 1PS), when we provide the activity or service directly and your data is needed to make that happen.
  2. A THIRD PARTY PARTNER AGENCY such as a school, church, local authority or charity who would refer information about you to us when we work in partnership with them.

The “DATA PROCESSOR” is anyone who provides a service to us and needs our data to do it. This could be a consultant, such as a web developer building our website, who needs access to images and audience analytics. They would only use the data with consent and when they’re trained to handle it well.

The “DATA PROTECTION OFFICER” (DPO) acts independently, but is in direct contact with the boss and board. The DPO is here to help us all understand GDPR, to make sure we’re getting it right, and to be here for you to get in touch with. The DPO in Spirit in Sport is ANDY BULLOCK.

The SiS Personal Data System.

We capture and record what personal data we have about you and what we do with it through our “INFORMATION ASSET REGISTER” (IAR). This tells us:

  • Who you are
  • What information you’ve given us
  • Where it came from
  • When and how you gave us permission to have it
  • What you’ve given us permission to do with it
  • How we have used it
  • If it is at risk
  • If you’ve used any rights to make a request and how we responded to that
  • Where this is all documented.

The IAR is updated at least once a month and reviewed and improved every six months as part of our auditing process.  

Collection.

We may collect your data at different “CONTACT POINTS” whether you are an employee, volunteer, regular service-user, one-off visitor, website user, social media page user/follower, or have been referred to us by another agency while using their service.  We will always try to do it in a way that makes sense, is convenient, and transparent.

Consent

You have a “RIGHT” to know everything about our data processing when agreeing to it – why, who may see it, and how long we’ll have it for. In asking for your consent, we do it in a concise way that is transparent, easy to read and access, clear, and in plain English. We’ll do it in a way that is positive and not misleading (you have to ‘opt-in’ not ‘opt-out’), specific (not vague), and ‘granular’ (meaning you have control to agree to some things but not others). You don’t have to agree before working or volunteering with us or using our services.

We will remind you about this privacy policy, which is available on the website (www.spiritinsport.org.uk/privacy-policy), on notice boards, and on request. It is updated twice a year.

Primary Collection Sources

Your consent may be requested through, for example:

  • Registration forms
  • Sign-in register
  • Email consent
  • Media consent form

We will keep a copy in our Cabinet and/or The Cloud.

If for some reason we don’t get your consent, we must make all reasonable attempts to do so within one calendar month, and record our evidence of doing so.

Further information on our website and social media accounts, and where your personal data may be used in them, is available on request.

On occasion, your consent may not be necessary or possible to obtain, although we may still be able to process your data where it is a legal obligation, is vital for protection and safety, is in the public interest, or relates to legitimate interests. We will always record our justification.

Storage.

Filing

Our “DATA PROCESSING FILING SYSTEM”, which is subject to routine and regular security testing and monitoring, includes “THE CABINET”, located in the Spirit in Sport office under a three-lock system, and “THE CLOUD”, which is a Google Drive secured by “Two Factor Authentication” (2FA).

Only the Data Controllers have access to these and no personal data is stored on personal devices or local drives.

Personal Data Gateways

Personal Data can be accessed via other “GATEWAYS” such as email, the website, and social media accounts, as well as hardware such as personal devices including laptops, tablets, and mobile phones. They are not official storage spaces, but are paramount to our Data Protection System and are secured accordingly, including with password protection and 2FA.

Retention

Data is stored for the shortest time possible according to its purpose, and in a form that permits an individual’s identification for no longer than is necessary. This includes, for example:

  • Employee data is only kept in the internal filing system while actively employed, with records of data destroyed within 6 MONTHS after termination of employment.
  • Volunteer data is only kept in the internal filing system while actively volunteering or having registered as a volunteer within the LAST 3 YEARS.
  • Service user data is only kept in the internal filing system within 5 YEARS of last using the service.
  • Emails more than 2 YEARS old are archived; emails older than 10 YEARS are deleted.
  • Photographs may be kept in secure internal filing system storage (not personal devices or local drives) INDEFINITELY in the interest of recording the charity’s progress. Individual photographs can be deleted from all records on request.

Usage.

Subject to consent, we may use your personal data for:

  • Vital operational safeguarding information relating to health, safety and well-being of all stakeholders;
  • Building ‘membership’, including employee, volunteer and general public participants;
  • Publicising updates to the general public and service users, including upcoming events, changes to services and policies;
  • Communicating about voluntary opportunities and notifications on events;
  • Making character references; assessing suitability to the role;
  • Payment of employee or volunteer stipends, expenses, or wage/salary, and;
  • Internal monitoring & evaluation for service improvement and development.

Subject to consent, your data may be transmitted externally for:

  • Sign-posting or referral to other external Christian and non-Christian based service providers
  • General publicity purposes (e.g. general volunteer photos on social media/ newsletters/banners);
  • Service improvements undertaken by third parties, such as website development
  • Personalised publicity purposes (e.g. specific newsletter features including personal stories/case studies);
  • Presentations or application forms, to display impact trends and case studies to external bodies including for funding or research purposes, and;
  • To third parties if we are under a duty to disclose or share personal data in order to comply with any legal obligation, and;
  • To third parties in order to enforce or apply the terms of use applicable to the Data Processing System or any other agreements with service-users; or to protect the rights, property, or safety of Spirit in Sport or Immanuel Baptist Church, other agencies operating within the same building, our service users, or others.

Where data is fully anonymised and identification of individuals is therefore not possible, it is not subject to GDPR and can be shared freely.

These lists are not exhaustive, and the justification for each use of data is recorded in the IAR.

Rights.

GDPR gives you certain data processing “rights” which are relevant to our work, including:

  1. To be informed
  2. To access your data
  3. To correct or complete your data
  4. To erase your data
  5. To restrict its use to storage only
  6. To obtain it from us to use elsewhere
  7. To object to its use

You can make a request any time verbally or in writing, and expect a written response within one month. We will not charge you at any point of the request but we may object if we believe this is an abuse of the rights, or may continue if there is a compelling reason to do so. We will record all requests relating to these rights and our response and resulting actions. We reserve the right to remove your data.

For all requests and questions, please contact the Data Protection Officer:

Name: Andy Bullock

Organisation: Spirit in Sport

Contact Email: andy@spiritinsport.org.uk

Are you aged 13-18 and reading this?

You as a “CHILD” are really important to us. If you are a volunteer or use our services, then you need to know that:

  • You have the same GDPR rights as adults.
  • We may need to collect information about you.
  • We will need your consent – to agree to us collecting it and how we want to use it. (There may be some reasons we won’t or can’t ask for your consent but can still use the data).
  • That you are happy with how we store it.
  • That you know what we use it for.
  • That you have rights and can ask us to remind you what we have, change it, or remove it.

Under 13s need a parent or carer to give us this permission and we will need to confirm their age as well as yours. Thank you.

Quality Management.

This is not a one-off tick box exercise but an opportunity to build trust and accountability with you and continue to improve our service in the spirit of excellence. We have “QUALITY MANAGEMENT” in place to be effective and to prevent, detect, report and investigate any security breaches through Data Protection Impact Assessments where necessary and bi-annual audits. We will be in touch at least once a year, where possible, to make sure you are still satisfied and fully aware of our data processing.

Further information is available on request.

Evidence of Support.

As Founder and Team Leader of Spirit in Sport, I fully support and make every effort to comply with our GDPR policy, as set out in this document. I am aware of and endorse the GDPR processes and procedures that are in place to ensure our community’s personal data is protected through our Data Protection system.

Chris Cox, Team Leader, Spirit in Sport

Date: 09.08.2018

I can confirm that I have prepared and received the full support of the processes and procedures as set out within this document, and that they will be reviewed and updated where necessary, on a regular basis.

Andy Bullock, Projects Coordinator & Data Protection Officer, Spirit in Sport

Date: 09.08.2018

 

| Version | Status | Author | Reviewer | Date | Stored |
|---|---|---|---|---|---|
| 1 | Draft | AB | CC | 19.07.18 | SiS GDrive, 05 Policy>01 Plan & Policy |
| 2 | Final | AB | CC | 07.08.18 | SiS GDrive, 05 Policy>01 Plan & Policy |