BAC Data Protection Policy
1. Policy Statement
Everyone has rights with regard to the way in which their personal data in handled. During the course of its activities, the British Athletes Commission needs to keep certain personal data, for example about its staff and athlete membership, to fulfil its purpose and to meet its legal obligations to funding bodies and government. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the British Athletes Commission must comply with the Data Protection Principles which are set out in the Data Protection Act, 1998.
This policy and any other documents referred to in it sets out the basis on which the British Athletes Commission will process any personal data it collects from data subjects, or that is provided to it by data subjects or other sources.
2. Definition of Data Protection Terms
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data subjects for the purpose of this policy include all living individuals about whom the British Athletes Commission holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour. 2
Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies.
Data users are those whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
Personal data shall:
The British Athletes Commission and all its staff who process or use personal information must ensure that it follows these principles at all times. In order to ensure that this happens, the British Athletes Commission has developed this Data Protection Policy.
4. Status of the Policy
This policy has been approved by the British Athletes Commission Board and any breach will be taken seriously and may result in more formal action.
Any member of staff or athlete member who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the CEO of the British Athletes Commission in the first instance.
5. Fair and Lawful Processing
The Data Protection Act 1998 is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds of the Data Protection Act 1998. These include, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data the British Athletes Commission will ensure that those requirements are met.
6. Notification of Data Held and Processed
In the course of business, the British Athletes Commission may collect and process personal data. This may include data received directly from the data subject and data received from other sources. The British Athletes Commission will only process personal data for a specific 4
purpose and will notify the data subject of those purposes when the data is first collected or as soon as practical after.
If the British Athletes Commission receive data directly from the data subject it will inform the data subject of the purpose for which it intends to process the personal data; the types of third parties with whom the data will be shared; and the means with which the data subject can limit the use and disclosure of the data. If the British Athletes Commission receive personal data about a data subject from other sources, it will provide the data subject with this information as soon practical.
All data subjects are entitled to;
7. Adequate, Relevant, and Non-Excessive Processing
The British Athletes Commission will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
The British Athletes Commission will ensure that personal data held is accurate and kept up to date. The British Athletes Commission will check the accuracy of any personal data at the point of collection and at regular intervals afterwards, and will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
The British Athletes Commission will not keep personal data longer than is necessary for the purpose or purposes for which it was collected, and will take all reasonable steps to destroy or erase all data which is no longer required.
8. Responsibilities of Staff
All members of staff are responsible for: 5
If, as part of their responsibilities, staff collect information about other people they must comply with the Policy and with the Data Protection Guidance Notes.
9. Data Security
The need to ensure that data is kept securely means that precautions must be taken against unlawful or unauthorised processing of personal data and physical loss or damage, and that both access and disclosure must be restricted.
The British Athletes Commission will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
The British Athletes Commission will maintain data security by protecting the confidentiality, integrity and availability of the personal data.
All staff are responsible for ensuring that:
Detailed advice on data security is contained in the Data Protection Guidance Notes.
10. Rights to Access Information
Staff and athlete members have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in certain manual filing systems. Any person who wishes to exercise this right should make the request in writing to the British Athletes Commission’s CEO.
The British Athletes Commission aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of 6
receipt unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
11. The British Athletes Commission Designated Data Controller
The British Athletes Commission is the data controller under the Act and is therefore ultimately responsible for implementation. However, day to day matters will be dealt with by the British Athletes Commission Office Manager Charlotte Mellors, firstname.lastname@example.org. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the British Athletes Commission Office Manager.
12. Changes to the Policy
|The British Athletes Commission reserve the right to change this policy at any time. Where appropriate, the British Athletes Commission will notify data subjects of those changes by mail or email. Adopted by:||BAC Board||Adopted date:||23 January 2018|
|Review by:||BAC Board||Review date:||January 2019|