North Belfast Harriers Data Protection Policy
This policy applies to all Committee, coaches and volunteers of North Belfast Harriers
The purpose of this policy is to enable North Belfast Harriers to:
• comply with the law in respect of the data it holds about individuals;
• follow good practice;
• protect North Belfast Harriers members, coaches, volunteers and other individuals;
• protect the organisation from the consequences of a breach of its responsibilities.
Brief introduction to Data Protection Act 1998
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with the rights of Data Subjects
• Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
North Belfast Harriers will:
• comply with both the law and good practice
• respect individuals’ rights
• be open and honest with individuals whose data is held
• provide training and support for volunteers who handle personal data, so that they can act confidently and consistently
North Belfast Harriers recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. Information about members, coaches, volunteers and other individuals will be used fairly, securely and not disclosed to any person unlawfully.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, North Belfast Harriers will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. All processing of personal data will be undertaken in accordance with the data protection principles.
The Data Subject is the individual whose personal data is being processed. Examples include:
Processing means the use made of personal data including:
• obtaining and retrieving
• holding and storing
• making available within or outside the organisation
• printing, sorting, matching, comparing, destroying.
The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.
The Data Processor – the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security.
The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.
The Committee recognises its overall responsibility for ensuring that North Belfast Harriers complies with its legal obligations.
The Data Protection Officer is currently [name of member], who has the following responsibilities:
• Briefing the Committee on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other members on Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Ensuring contracts with Data Processors have appropriate data protection clauses
• Electronic security
• Approving data protection-related statements on publicity materials and letters
Each member and volunteer at North Belfast Harriers who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.
All volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their voluntary work.
Significant breaches of this policy will be handled under North Belfast Harriers disciplinary procedures.
Data Recording and storage
North Belfast Harriers has a single database holding basic information about all clients and volunteers. The back-up discs of data are kept in the Club office.
North Belfast Harriers will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
• The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
• Data on any individual will be held in as few places as necessary, and all volunteers will be discouraged from establishing unnecessary additional data sets.
• Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
• Data will be corrected if shown to be inaccurate
North Belfast Harriers stores archived paper records of members and volunteers securely in the office.
Access to data
All members and volunteers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit.
Subject access requests must be in writing. All members and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.
All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.
Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.