Data Protection Policy
About this Policy
Everyone has rights with regard to the way in which their personal data is handled. Oldham Athletic (2004) Association Football Club Limited (OAFC) collects, stores and processes personal data about staff, volunteers, participants, suppliers and other third parties, and it is recognised that the correct and lawful treatment of this data will maintain confidence in the organisation.
Those who are involved in the processing of personal data are obliged to comply with the policy when doing so. Any breach of this policy may result in disciplinary action.
This policy sets out the basis on which OAFC will process any personal data collected and explains the process for third parties' access to information.
General Statement of duties
OAFC is required to process relevant personal data regarding individuals as part of its operation to provide sessions funded by the PLCF, EFL & EFL Trust. OAFC shall take all reasonable steps necessary in accordance with this policy. Processing may include obtaining, recording, holding, disclosing, destroying or using data.
Data Protection Officer
OAFC has appointed Mark Sheridan, Club Secretary, as Data Protection Officer (DPO), who will endeavour to ensure that all personal data is processed in compliance with this policy and the principles of the Act. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.
The Data Protection Principles
Anyone processing personal data must comply with the eight enforceable principles of good practice as enshrined within the requirements of the GDPR. These provide that personal data must be:
Fairly and Lawfully processed
Processed for a lawful purpose
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than necessary
Processed in accordance with the data subject’s rights
Secure
Not transferred to other countries without adequate protection
Types of Personal Data Processed
Personal data covers both facts and opinions about an individual. We may process a wide range of personal data about individuals including, by way of example:
Names, Address, Date of birth, Gender and Ethnicity
Records (including information about any special needs)
Where appropriate, information about individuals’ health, and contact details for their next of kin
Images of participants engaged in OAFC activities
Sensitive Personal Data
From time to time we may need to process sensitive personal data regarding individuals. Sensitive personal data includes information about an individual’s physical or mental health, race or ethnic origin, political or religious beliefs, sex life, trade union membership or criminal records and proceedings. Sensitive personal data is entitled to special protection under the Act, and will only be processed by OAFC with the explicit consent of the appropriate individual, or as otherwise permitted by the Act. The consent should be informed, which means it needs to identify the relevant data, why it is being processed and to whom it will be disclosed. Staff should contact the DPO for more information on obtaining consent to process sensitive personal data.
Use of Personal Data
OAFC will use (and where appropriate share with third parties) personal data about individuals for a number of purposes as part of its operations, including as follows:
Reports to our funders who require information on the impact of the delivery
In the event of an emergency, medical condition
To make use of photographic images on the OAFC Twitter and social media channels in accordance with our policy on taking, storing and using images
For security purposes, and for regulatory and legal purposes (for example safeguarding and child protection and health and safety) and to comply with its legal obligations
Keeping In Touch
OAFC will use the contact details of parents to keep them updated about the activities we have on offer, including by sending updates by email. Unless the relevant individual objects, we may also:
Contact parents regarding activities and initiatives
Should you wish to limit or object to any such use, or would like further information about them, please contact the DPO
Rights of Access to Personal Data (‘Subject Access Request’)
Individuals have the right under the Act to access personal data about them held by OAFC, subject to certain exemptions and limitations set out in the Act. Any individual wishing to access their personal data should put their request in writing to the DPO. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within statutory time limits (one month).
It should be noted that certain data is exempt from the right of access under the Act. This may include information which identifies other individuals or information which is subject to legal professional privilege.
The GDPR states that young people under the age of 16 are to be considered as ‘vulnerable’ and therefore are not allowed to access their own data.
Only a person with parental responsibility will generally be expected to make a subject access request on their behalf. A participant/child of any age may ask a parent or other representative to make a subject access request on their behalf. In line with the GDPR, we recognise the following rights in relation to data:
1. Right of Access.
Individuals have the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to that personal data.
2. Right to Rectification.
Individuals have the right to obtain rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.
3. Right to Erasure (“Right to be Forgotten”).
In certain cases, individuals have the right to obtain the erasure of their personal data.
4. Right to Restriction of Processing.
Individuals have the right to obtain a restriction of processing, applicable for a certain period and/or for certain situations.
5. Right to Data Portability.
Individuals have the right to receive their personal data and they have the right to transmit such personal data to another controller.
6. Right to Object.
In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data in so far as they have been collected for direct marketing purposes.
7. Right to be Not Subject to Automated Individual Decision-Making.
Individuals have the right to not be subject to a decision based solely on automated processing.
8. Right to Filing Complaints.
Individuals have the right to file complaints about the processing of their personal data with the relevant data protection authorities.
9. Right to Compensation of Damages.
In case of a breach of the applicable legislation on processing of (their) personal data, individuals have the right to claim damages that such a breach may have caused them.
Exemptions
Certain data is exempted from the provisions of the Act, including the following:
The prevention or detection of crime
The assessment of any tax or duty
Where the processing is necessary to exercise a right or obligation conferred or imposed by law.
Information which might cause serious harm to the physical or mental health of the child or another individual
Cases where the disclosure would reveal a child is at risk of abuse
Information given to a court in proceedings under the Magistrates’ Courts (Children and Young Persons) Rules 1992
Unstructured Personal Information
OAFC will generally not be required to provide access to information held manually and in an unstructured way.
The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPO.
Further exemptions may include information which identifies other individuals, information which we believe is likely to cause damage or distress, or information which is subject to legal professional privilege. However, such a reference will only be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent or if disclosure is reasonable in all the circumstances.
Whose Rights?
The rights under the Act are those of the individual to whom the data relates. However, in most cases we will rely on parental consent to process data relating to participants (if consent is required under the Act) unless, given the nature of the processing in question, and the child’s age and understanding, it is more appropriate to rely on the child’s consent. Parents should be aware that in such situations they may not be consulted. In general, we will assume that pupils consent to disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare, unless, in the School’s opinion, there is a good reason to do otherwise.
However, where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we will maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example where we believe disclosure will be in the best interests of the child.
Disclosure of Information
OAFC may receive requests from third parties to disclose personal data. However, OAFC does intend to disclose such data as is necessary to third parties for the following purposes:
To funders for projects delivered such as Primary Stars, FFD, Kicks, PLCF, EFL, EFL Trust etc.
Accuracy
OAFC will endeavour to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible, for all participants, staff and volunteers. Individuals must notify the DPO of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under the Act) and may do so by contacting the DPO in writing.
Timely Processing
We will not keep personal data longer than is necessary for the purpose or purposes for which it was collected and will take all reasonable steps to destroy, or erase from its systems, all data which is no longer required, except in safeguarding circumstances where information may be required for a longer period of time.
Enforcement
If an individual believes that OAFC has not complied with this Policy or acted otherwise than in accordance with the Act, they should utilise our complaints procedure and should also notify the DPO.
Data Security
OAFC will take appropriate technical and organisational steps to ensure the security of personal data about individuals, and to ensure that members of staff will only have access to personal data relating to participants, other staff or volunteers where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the Act.
We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Accordingly, no member of staff is permitted to remove personal data, whether in paper or electronic form and wherever stored, without prior consent. Where a member of staff is permitted to take data offsite it must be encrypted.
Data Breaches
OAFC takes seriously any data breach and will, through its policy and practice, endeavour to minimise the risk of a breach. However, in the rare circumstances surrounding a data breach a process will be followed. This process can be seen in Appendix A.
The GDPR states that breaches should be referred to the Information Commissioner's Office (ICO) within 72 hours of disclosure. However, it is appropriate for us to consider the following factors before referring to the ICO:
| Factor | Question |
|---|---|
| Scale | How many children's data is involved? |
| Content | What is the nature of the content? |
| Possible Outcomes | What is the likelihood of the data being returned having not been accessed or shared? |
| Reputational Risk | What would the risk be if we didn't refer / report it? |
Complaints
Complaints related to the management of data will be handled through our existing Complaints Procedure, copies of which are available upon request.
Requests for Amendments of Data
The GDPR establishes the right to amend any data held that is inaccurate or may have a negative or detrimental effect on an individual. Amendments may take the form of updates, redactions or removals. We believe that before any amendment request is granted the first step is to view the data so as to ensure that it may be necessary. However, in the rare circumstances surrounding a data amendment request a process will be followed. This process can be seen in Appendix B.
Transparency and Accountability
To ensure that OAFC is open and transparent about what data it holds and how it will be managed, we will bear in mind the following prompts in all that we do:
The 8 Prompts to GDPR Compliance When Gathering Information
| Prompt | Question |
|---|---|
| What | What information do you need? |
| Why | Why do you need the information? |
| Where | Where would the information be held? |
| How Long | How long will the information be kept? |
| What If | What if providing the information isn't agreed? |
| Sharing | Who is it possible that you may share that information with? |
| Who With | Who might you need to share the information with? |
| Access | Who will have access to the information? |
Introducing A New Initiative or Project
The GDPR requires us to undertake an evaluation of the data management impact resulting from new initiatives.
Rights to Refuse a Request
OAFC reserves the right to refuse a request to view or amend data held. This would be rare and only on the following basis:
Vexatious requests
Where information held may be required by future legal processes, e.g. Child Protection
The request would lead to inaccurate and misleading information being recorded
The request has come from an individual who has no rights of access
Where we decide not to adhere to a request, we will notify the person who made the request of:
The reason why the request has been refused
Their legal rights of appeal or complaint
Their legal rights of referral to the ICO
Generic Policies
OAFC will undertake to review all of its policies to ensure that any potential data management issues are identified and resolved.
Reviewed Date: September 2024
Next Review: September 2025






