We hold personal data about our employees, members, customers, suppliers and other individuals for a variety of business purposes. The aim of this Data Protection Policy is to ensure that, as a club, we comply with the requirements of the EU General Data Protection Regulation (GDPR) 2016. The GDPR places a duty on us as a business to protect the personal information held on our employees and members.
This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Manager be consulted before any significant new data processing activity is initiated to ensure that the relevant compliance steps are addressed.
|Business Purposes|The purposes for which personal data may be used by us. Business purposes include the following:|
|Personal Data|Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data we gather may include information about individuals’:|
|Special Categories of Personal Data|Special categories of data include information about an individual's:|
|Data Controller|The legal person or entity, organisation, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by law. Frilford Heath Golf Club is a data controller.|
|Data Processor|A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller. Data processors who process data on behalf of Frilford Heath Golf Club include: Biff Bang Pow, ESP, Clubsystems, Golf Genius, ADS, Mailchimp.|
|Processing|Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:|
|Supervisory Authority|The national body responsible for data protection. The supervisory authority for Frilford Heath Golf Club is the Information Commissioner's Office (ICO).|
This data protection policy ensures that Frilford Heath Golf Club:
This policy supplements our other policies around acceptable use of internet and email, and the management of IT and security. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
This policy should be read in conjunction with the Handling Subject Access Requests and Handling Data Breaches policies.
Data protection is about protecting people from misuse of their personal information. Frilford Heath Golf Club regards the lawful and correct treatment of personal information as very important to successfully achieving the aims of the business, and to maintaining stakeholder trust and confidence.
These rules apply regardless of whether data is stored electronically or on paper. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The GDPR requires that data:
The GDPR also gives individuals the right to access, delete, correct or receive in an easily transferable format, where applicable, personal information held by the business upon request.
The GDPR requires that organisations demonstrate compliance with the regulation and are accountable for their use of personal data. Organisations must also be transparent with individuals about how they will use the personal data they are responsible for. We will demonstrate compliance through documented plans, policies and procedures as well as maintaining an up-to-date log of our processing activities (the Information Asset Register). We will be transparent with individuals through the appropriate use of privacy information notices.
The policy applies equally to full-time and part-time employees on a substantive or fixed-term contract and to associated persons who work for Frilford Heath Golf Club, such as agency staff, investors, contractors and others employed under a contract of service. It stipulates their duties and responsibilities for the effective handling of personal and sensitive data, in order to comply with the policy and with legislative, financial and best practice requirements.
The policy applies to all personal and sensitive data collected, handled and stored by Frilford Heath Golf Club, in electronic and paper formats. This can include:
This policy helps to protect Frilford Heath Golf Club from some very real data security risks, including:
The GDPR defines the role of a Data Controller as a ‘legal’ person or company that determines the purposes and means of processing personal information and is fully responsible for the actions of anyone processing data on behalf of the club. The Data Protection Manager is the identified Data Controller for Frilford Heath Golf Club.
Everyone who works for or with Frilford Heath Golf Club must process personal data fairly and lawfully in accordance with individuals’ rights.
Each member of staff that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals such as members and employees to see the data Frilford Heath Golf Club holds about them (also called Subject Access Requests).
- Checking and approving any contracts or agreements with third parties that may handle the club’s sensitive data.
- Leading on responding to and managing a data protection breach.
- Liaising with the ICO to report and investigate personal data breaches if required.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the club is considering using to store or process data. For instance, cloud computing services, online accounting packages, online practice management systems or other similar systems.
- Approving any data protection privacy statements attached to communications such as emails and letters.
- Addressing any data protection queries from members, target audience, journalists or media outlets like newspapers.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- Ensuring that only personal data with the appropriate legal basis for processing for marketing activities is used.
Frilford Heath Golf Club must process personal data fairly and lawfully in accordance with individuals’ rights under the first Principle. If we cannot apply a lawful basis as outlined below, our processing does not conform to the first principle and will be unlawful. Individuals have the right to have any data unlawfully processed erased. We will ensure that any new processing activities are assessed with a privacy by design approach prior to undertaking the processing. The following procedure will ensure that we meet this requirement of the regulation.
Frilford Heath Golf Club must establish a lawful basis for processing data. Employees must ensure that any data they are responsible for managing has a documented lawful basis approved by the Data Protection Manager in the information asset register. It is each employee’s responsibility to check the lawful basis for any data they are working with and ensure all of their actions comply with the lawful basis. At least one of the following conditions must apply whenever we process personal data:
When Frilford Heath Golf Club is making an assessment of the lawful basis, we will first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose. We cannot rely on a lawful basis if we can reasonably achieve the same purpose by some other means.
Where more than one lawful basis applies, Frilford Heath Golf Club will rely on what will best fit the purpose, not what is easiest.
We will always consider the following factors and document the answers:
▪ What is the purpose for processing the data?
▪ Can it reasonably be done in a different way?
▪ Is there a choice as to whether or not to process the data?
▪ Who does the processing benefit?
▪ After selecting the lawful basis, is this the same as the lawful basis the data subject would expect?
▪ What is the impact of the processing on the individual?
▪ Are you in a position of power over them?
▪ Are they a vulnerable person?
▪ Would they be likely to object to the processing?
▪ Are you able to stop the processing at any time on request, and have you factored in how to do this?
Frilford Heath Golf Club’s commitment to accountability and transparency requires that we document this process and show that we have considered which lawful basis best applies to each processing purpose, and fully justify these decisions.
We must also ensure that individuals whose data is being processed by us are informed of the lawful basis for processing their data, as well as the intended purpose. This will be achieved via a privacy information notice. This applies whether we have collected the data directly from the individual, or from another source.
Employees who are responsible for making an assessment of the lawful basis and implementing the privacy notice for new processing activities must have them approved by the Data Protection Manager.
These rules describe how and where data will be safely stored. Questions about storing data safely can be directed to the Data Protection Manager.
When data is stored on paper, it will be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Personal data is of no value to Frilford Heath Golf Club unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
Frilford Heath Golf Club will ensure that data will be stored for only as long as it is needed or in line with required statute and will be disposed of appropriately.
Frilford Heath Golf Club will ensure that any personal data that is processed is accurate, adequate and relevant and not excessive, given the purpose for which it is obtained. Frilford Heath Golf Club will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
It is the responsibility of all employees who work with personal and/or sensitive personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
There are restrictions on international transfers of personal data. Frilford Heath Golf Club does not permit the transfer of personal data anywhere outside the European Economic Area (EEA) without first consulting the Data Protection Manager.
Regular data audits to manage and mitigate risks will inform the information asset register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. It will be reviewed on a regular basis and at a minimum every six months, or when the club undertakes new data processing.
Frilford Heath Golf Club will ensure any use of personal data is justified using at least one of the conditions (e.g. consent, legitimate interest, performance of a contract, legal obligation) for processing and this will be specifically documented within the Information Asset Register. All staff that are responsible for processing personal data will be aware of the conditions for processing. The GDPR provides the following rights for individuals:
All individuals who are the subject of personal data held by Frilford Heath Golf Club are entitled to:
If an individual contacts the club requesting this information, this is called a subject access request.
Subject access requests from individuals can be made by email, addressed to the Data Protection Manager at email@example.com or in writing to: Data Protection Manager, Frilford Heath Golf Club, Oxford Road, Abingdon, Oxon, OX13 5NW. Frilford Heath Golf Club may supply a standard request form, although individuals do not have to use this. If a subject access request is sent directly to another Frilford Heath Golf Club employee, they must pass it immediately to the Data Protection Manager to handle.
The Data Protection Manager will always verify the identity of anyone making a subject access request before handing over any information. One of the following forms of ID will be required:
Frilford Heath Golf Club will aim to provide the relevant data without delay, and certainly within 30 days. Where the request is more complex, we will notify the individual making the request of any likely delay and extension period required. For more information please refer to the Handling Subject Access Requests Policy.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. The right to portability only applies:
Requests from individuals can be made by email, addressed to the Data Protection Manager at firstname.lastname@example.org or in writing to: Data Protection Manager, Frilford Heath Golf Club, Oxford Road, Abingdon, Oxon, OX13 5NW. They may also make the request verbally in person or via telephone: 01865 39064.
The Data Protection Manager will always verify the identity of anyone making a request under the right to portability of their personal data before handing over any information. One of the following forms of ID will be required:
These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free. The data will be provided to the individual in a structured, commonly used and machine-readable format, e.g. a CSV file, and will be transferred to them securely.
In certain circumstances, an individual may request that any information held on them by Frilford Heath Golf Club is deleted or removed, and any third parties who process or use that data must also comply with the request.
An individual has the right to have their information erased if:
An individual does not have the right to have their information erased if the processing of their personal data by Frilford Heath Golf Club is necessary for one of the following reasons:
Requests from individuals can be made by email, addressed to the Data Protection Manager at email@example.com or in writing to: Data Protection Manager, Frilford Heath Golf Club, Oxford Road, Abingdon, Oxon, OX13 5NW. They may also make the request verbally in person or via telephone: 01865 390864.
Frilford Heath Golf Club will aim to provide the relevant data without delay, and certainly within 30 days. Where the request is more complex, the Data Protection Manager will notify the individual making the request of any likely delay and extension period required.
In the event that any personal data that is to be erased in response to an individual’s request has been disclosed to third parties, the Data Protection Manager will inform those parties of the erasure (unless it is impossible or would require disproportionate effort to do so).
Any data breach of personal information must be recorded by Frilford Heath Golf Club. The GDPR sets out the requirements to respond to a personal data breach.
In order to effectively monitor data breaches, the Data Protection Manager will document each data breach in the Frilford Heath Golf Club Data Breach Log file, including the facts of the breach, its effects and the action taken. The Data Protection Manager, with relevant support from staff in the organisation, will immediately assess the likely risk and impact on individuals affected by the breach and, where necessary, report to the ICO within 72 hours via the ICO website. Further details about the breach will be established using the data breach process.
In order to understand why a breach occurred and prevent further breaches, the Data Protection Manager will:
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without consent of the data subject.
Under these circumstances, Frilford Heath Golf Club will disclose requested data. However, the Data Protection Manager will ensure the request is legitimate, seeking assistance from the board and from the club’s legal advisers where necessary.
The club will also include appropriate privacy information notices at the point where personal data is collected from individuals.
If any user is found to have breached this policy, they may be subject to Frilford Heath Golf Club’s disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
Any unauthorised disclosure of personal data to a third party by an employee will be viewed seriously and may result in disciplinary proceedings.
The Board of Directors is accountable for compliance with this policy. A director could be personally liable for any penalty arising from a breach that they have made.
This policy must be reviewed every 12 months and, if appropriate, will be amended to maintain its relevance. Further reviews will be undertaken to reflect changes in legislation or standards. The Data Protection Manager will undertake policy review.