Data Protection Policy

Context and Overview

Key Document Details

  • Prepared by Gareth Parr (Hon. Secretary)
  • Approved by Executive on December 12th 2018
  • Policy became operational when approved by Executive
  • Next scheduled review date is 2 years from Operational Date

Introduction

The Nottinghamshire Hockey Association needs to gather and use certain information about individuals.

This can include facilities, clubs, club members, coaches, umpires, volunteers, suppliers and other people the Association has a relationship with or may need to contact.

This policy describes how this data must be collected, handled and stored to meet the Association’s Data Protection standards and comply with the law.

Why this Policy Exists

This data protection policy ensures that the Nottinghamshire Hockey Association;

  • Complies with data protection law and follows good practice
  • Protects the rights of volunteers, clubs and partners
  • Is open about how it stores and processed individuals’ data
  • Protects itself from the risks of a data breach

Policy Scope

This policy applies to:

  • All staff and volunteers of the Nottinghamshire Hockey Association
  • All other people working on behalf of the Nottinghamshire Hockey Association

It applies to all data that the Association holds relating to individuals.  The exact data held is described later in this document.

Data Protection Risks

This policy puts guidelines in place to help protect the Nottinghamshire Hockey Association, including

  • Breaches of confidentiality. For instance, information being given out inappropriately
  • Failing to offer choice. For instance, all individuals should be free to choose how the association uses the data it holds relating to them.  Clubs and individuals should understand that a minimum level of their data may be required for the association to operate as directed by Midlands Region Hockey Association Ltd. or by England Hockey.
  • Reputational damage. For instance, what could happen if a data breach occurs and access to sensitive data is gained by unauthorised parties.

Responsibilities

All volunteers and suppliers to the Nottinghamshire Hockey Association have some responsibility towards ensuring that data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The Association Executive is ultimately responsible for ensuring that the Nottinghamshire Hockey Association meets all its legal obligations.
  • The Association Secretary is responsible for:
    • Keeping the executive updated about data protection responsibilities, risks and issues.
    • Reviewing all data protection procedures and related policies in line with an agreed schedule.
    • Arranging data protection training and advice for the people covered in this policy.
    • Handling data protection questions from volunteers and anyone else covered by this policy.
    • Dealing with request from individuals about the data the Nottinghamshire Hockey Association holds about them (‘Subject Access Requests’)
    • Ensuring (as far as practical) all systems, services and equipment used for storing data meet acceptable standards.
    • Addressing any data protection queries

General Guidelines

People should only have access to the subset of data necessary to do their work

Data should not be shared informally.  There should be an audit-able request for data, supported by a valid reason to the data holder.  If the data holder is unsure if access should be granted then they should contact, in the first instance, the Association Secretary.

All data should be kept securely, by taking sensible precautions and following the guidelines below.

Wherever necessary, strong passwords (i.e. Upper & lower case, number and special characters should be used) and they should never be shared.

Personal data should not be disclosed to anyone that does not have access to it.

Data should be regularly reviewed and updated if it is found to be out-of-date.  If it is no longer needed it should be removed and disposed of.

If unsure on any aspect help should be sought form the Association Secretary.

Data Storage

These rules describe how and where data should be safely stored.  Questions about data storage can be directed to the Secretary.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed for some reason:

  • When not required, the paper or files should be kept in a secure location.
  • People should ensure that paper copies and printouts are not left where unauthorised people can see them.
  • Printouts and paper documents should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared.
  • If data is stored on removable ‘hard’ media (i.e. CD or DVD) these should be kept locked away securely when not being used.
  • If data is stored on a removable USB stick or other ‘soft’ memory device then it should be password protected and encrypted.
  • If data is stored on a computer or mobile device (phone/tablet) it should be password protected as a minimum and preferably encrypted.
  • Data should only be stored on approved cloud computing
  • Data should be backed up regularly. Those backups should be checked for viability periodically.

Data Use

Personal data is most at risk of loss, corruption or theft when it is in use:

  • When working with personal data, the screens of computers should always be locked when left unattended.
  • Personal data should not be shared informally.
  • Data must be encrypted before being sent electronically.
  • Personal data must not be shared outside the Nottinghamshire Hockey Association except as indicated in the section ‘Consent’, unless specifically approved by the individual/club.

Data Accuracy

The law requires that the Nottinghamshire Hockey Association takes reasonable steps to ensure that the data it holds is accurate.

  • Data will be held in as few places as possible. Personal copies should not be created.
  • Regular reviews to ensure data is accurate will take place.

Providing Information

The Nottinghamshire Hockey Association aims to ensure that individuals are aware that their data is being stored and processed and that they understand:

  • How the data is being used
  • How to exercise their rights over their data.

Subject Access Requests

All individuals who are the subject of personal data held by the Nottinghamshire Hockey Association are entitled to:

  • Ask what information the association holds about them and why.
  • Ask for a copy of it.
  • Ask for it to be updated.
  • Be informed how the Association is meeting its data protection obligations.

If an individual contacts the association requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email to the Association Secretary.

The Association aims to respond within 14 days.

The secretary will always take reasonable steps to verify the requester before handing over any information.

Consent

Consent to hold and process someone’s personal data should be obtained at the time the data is obtained.  The person should be told why this information is required and directed to this Data Protection Policy for full details.  The source of the consent should be recorded and the original indication archived (whether it be email or on paper).

Committee members and clubs that affiliate to the Nottinghamshire Hockey Association consent for us to hold their contact information (as described below), and share it with England Hockey and Midland Region Hockey Association Ltd. and Midlands Leagues, as necessary, to administer the association, region and leagues.

What Data do we Routinely hold?

The Nottinghamshire Hockey association is made up of several entities, although all are ultimately the responsibility of the Nottinghamshire Hockey Association.

In order to carry out the activities delegated to us by Midland Region Hockey Association Ltd. and England Hockey we hold some personal data about clubs and individuals.  The data we hold is outlined below:

The Association Secretary holds the following data about Nottinghamshire Hockey Association committee members:

  • Name
  • Address
  • Telephone numbers (Home and Mobile)
  • email address

The Association Secretary holds this information about clubs in order to communicate with them:

  • Club
  • Number of Men’s Teams
  • Number of Ladies Teams
  • Secretaries Name
  • Secretaries email
  • Secretaries Address
  • Discipline Officer email
  • Discipline Officer telephone number

The Men’s Competitions (County) holds this information about players that attend trials and represent the county:

  • Name
  • Club
  • Email
  • Phone
  • Honours
  • Emergency/Next of Kin name and contact details

The Association Treasurer holds this information:

  • Affiliation Invoice amounts
  • Red Card administration fee amounts

As part of our banking, our bank will hold, on our behalf, bank details of our creditors and debtors (i.e. sort code and account code, payment history)

The Nottinghamshire Hockey Development Group holds this information about coaches:

  • Name
  • Email
  • Phone

The Nottinghamshire Hockey Development Group holds this information about Other Volunteers:

  • Name
  • Email
  • Phone

As part of our banking, our bank will hold, on our behalf, bank details of our creditors and debtors (i.e. sort code and account code, payment history)

All Player Information is held within the England Hockey Systems.  Any temporary extract of this is held securely, used for its purpose and then destroyed.

The Nottinghamshire Women’s Hockey League holds this information:

  • Nottingham Hockey Association
    • Chairman Name
    • Chairman Email
    • Secretary Name
    • Secretary Address
    • Secretary Phone
    • Secretary Email
    • Treasurer Name
    • Treasurer Address
    • Treasurer Phone
    • Treasurer Email
    • NWHL Rep Name
    • NWHL Address
    • NWHL Phone
    • NWHL Email
  • Nottinghamshire Women’s Hockey league
    • Secretary Name
    • Secretary Address
    • Secretary Phone
    • Secretary Email
    • Treasurer Name
    • Treasurer Address
    • Treasurer Phone
    • Treasurer Email
    • Divisional Secretaries Names
    • Divisional Secretaries Addresses
    • Divisional Secretaries Phone Numbers
    • Divisional Secretaries Email addresses
  • Club Details
    • Secretary Name
    • Secretary Phone
    • Secretary Email
    • Fixtures Secretary Name
    • Fixtures Secretary Phone
    • Fixtures Secretary Email

Email

If you contact any committee member via email then any information you send to us will only be used for that specific purpose but may be held on our email servers, unless you request otherwise.

Data Protection Checklist

All administrators in the Nottinghamshire Hockey Association will agree to the following where personal data is used;

  • Mandatory ‘strong’ password protection on all devices
  • When working with personal data, the screens of computers should always be locked when left unattended
  • Correctly set up and use email distributions lists, where possible, on all devices
  • Use BCC only for group emails
  • Maintain confidentiality of printed documents
  • Regularly review the data you hold and update/delete as appropriate