DATA PROTECTION POLICY Scottish Association of Local Sports Councils Updated by Board of Directors on: 27/08/2013

Mar 19, 2016


Oliver Barsby

http://www.salsc.org.uk/htdocs/userfiles/files/Data%20Protection%20Policy.pdf
CONTENTS

Section 1: Principles of Data Protection
Manual Data
The Rights of Individuals

Section 2: Managing Personnel Records
Managing Data Protection
Collecting and Keeping General Records
Security
Sickness and Accident Records
Equal Opportunities Monitoring
Marketing
Fraud Detection
Individuals’ Access to Information about Themselves
References
Disclosure Requests
Publication and Other Disclosures
Mergers and Acquisitions
Discipline, Grievance and Dismissal
Outsourcing Data Protection
Retention of Records

SECTION 1: PRINCIPLES OF DATA PROTECTION

1.1 SALSC must ensure that:

(a) They have obtained data fairly and lawfully: SALSC will put its name on all paperwork and will state (for any data being collected) what the information is to be used for and if necessary who will receive the data.

(b) They hold data only for specific and lawful purposes: SALSC will ensure that data is used for direct marketing purposes only with the permission of the data subjects, and the third party will be asked to sign a declaration form stating how the data is to be used. In addition, they will be asked to agree not to copy the data for further use.

(c) Data held is relevant, adequate and not excessive for its purpose: SALSC will monitor the quantities of data held for its business purposes and ensure that it holds neither too much nor too little data in respect of the individuals about whom the data is held.

(d) Data held is accurate and up to date: All errors must be rectified as soon as SALSC becomes aware of an error. On written request SALSC can provide its members with a copy of their data once a year for information and updating where relevant. All records are then amended accordingly.

(e) Data is not kept longer than necessary: All financial data will be held for seven years and then destroyed. All personal data will be removed from the system after one year of non-membership has lapsed.

(f) Data is secure: SALSC must ensure that it has adequate security precautions in place to prevent loss, destruction or unauthorised disclosures of the data. All SALSC computers have a log on system, which allows only authorised personnel to access the personal data. All personal, financial and child protection data is kept in a filing cabinet and can only be accessed by the COO and/or Chair. When SALSC individuals are using laptop computers out of the office care should always be taken to ensure that personal data on screen is not visible to strangers.

(g) Prevention of the accidental loss or theft of personal data: SALSC automatically backs up all data held. The back-up is held securely.

(h) Transfer of data: All personal data held by SALSC must not be transferred outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Manual Data

1.2 All membership forms are filed and are located within SALSC office premises. These files are cleared on an annual basis.

The Rights of Individuals

1.3 All individuals for whom SALSC holds data have the right to:

(a) Be informed upon request of all the information held about them within 40 days

(b) Prevent the processing of their data for direct marketing purposes

(c) Compensation if they can show that they have been caused damage by any contravention of the Act.

(d) The removal or correction of any inaccurate data about them.

1.4 SALSC has the right to charge a fee (as determined by the Board) for the service of providing an individual/member with the information held on them.

SECTION 2: MANAGING PERSONNEL RECORDS

2.1 It is the role of the COO and Chair to administer the Data Protection Act requirements for SALSC.

Managing Data Protection

2.2 SALSC observes the following key action points:

(a) The Audit Working Group shall be responsible for ensuring that employment practices and procedures comply with the Act and for ensuring that they continue to do so.

(b) SALSC will ensure that people who process information about individuals understand their own responsibility for data protection compliance and if necessary amend their working practices in the light of this.

(c) SALSC will assess what personal data about individuals are in existence and who is responsible for them.

(d) SALSC will eliminate the collection of personal data that is irrelevant or excessive. If sensitive data are collected, SALSC will ensure that a sensitive data condition is satisfied.

(e) SALSC will ensure that individuals are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside SALSC’s policies and procedures. Serious breaches of data protection rules are a disciplinary offence.

(f) SALSC will allocate responsibility for checking that SALSC has a valid notification in the register of data controllers that relates to the processing of personal data about individuals, unless it is exempt from notification.

(g) SALSC will consult trade unions or other individuals’ representatives, if any, or individuals themselves over the development and implementation of employment practices and procedures that involve the processing of individuals’ data.

Collecting and Keeping General Records

2.3 SALSC observes the following key action points:

(a) SALSC will ensure that newly appointed individuals are aware of the nature and source of any information stored about them, how it will be used and whom it will be disclosed to;

(b) SALSC shall inform new individuals and remind existing individuals about their rights under the Act, including their right of access to the information kept upon them;

(c) SALSC will ensure that there is a clear and foreseeable need for any information collected from individuals and that the information collected actually meets that need;

(d) On request, SALSC will provide each individual with a copy of information that may be subject to change, e.g. personal details such as home address. Individuals may be asked to check their records for accuracy and ensure any necessary amendments are made to bring records up-to-date;

(e) SALSC will incorporate accuracy, consistency and validity checks into systems.

Security

2.4 SALSC observes the following key action points:

(a) SALSC will apply security standards that take account of the risks of unauthorised access to, accidental loss of, destruction of, or damage to records;

(b) SALSC will install a system of access controls and passwords to ensure that individuals can only gain access to records where they have a legitimate business need to do so;

(c) SALSC will use the audit trail capabilities of automated systems to track access and amendments to personal data;

(d) SALSC will take steps to ensure the reliability of individuals that have access to individuals’ records. This is not just a matter of carrying out background checks; it shall also include training and ensuring that individuals understand their responsibilities for confidential or sensitive information. SALSC will ensure confidentiality clauses are placed in all contracts of employment;

(e) SALSC will ensure that if records are taken off-site, e.g. on laptop computers, this is controlled, making sure only the necessary information is taken and there are security rules for individuals to follow;

(f) SALSC will take account of the risks of transmitting confidential individual information by fax or e-mail. SALSC will only transmit information between locations if a secure network or comparable arrangements are in place.

Sickness and Accident Records

2.5 SALSC observes the following key action points:

(a) The Chair will keep sickness and accident records in separate folders from absence records. SALSC will not use sickness records for a particular purpose when records of absence could be used instead.

(b) SALSC will ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.

(c) SALSC will only disclose information from sickness or accident records about an individual’s illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the individual has given explicit consent to the disclosure.

(d) SALSC will not make the sickness, accident or absence records of specific individuals available to other individuals with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.

Equal Opportunities Monitoring

2.6 SALSC observes the following key action points:

(a) Information about an individual’s ethnic origin, disability or religion is sensitive personal data. SALSC will ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition;

(b) SALSC will only use information that identifies an individual where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, SALSC will keep the information collected in an anonymous form;

(c) SALSC will ensure questions are designed so that the personal information collected through them is accurate and not excessive.

Marketing

2.7 SALSC observes the following key action points:

(a) SALSC will inform new individuals if it intends to use their personal information to deliver advertising or marketing messages to them. SALSC shall give individuals a clear opportunity to object (an ‘opt-out’) and respect any objections whenever received;

(b) SALSC will not disclose individuals’ details to other organisations for their marketing unless individuals have positively and freely indicated their agreement (an ‘opt-in’);

(c) SALSC will ensure that if the association intends to use details of existing individuals for marketing for the first time, either in ways that were not explained when they first joined or that they would not expect, it does not proceed until individuals have positively and freely indicated their agreement (an ‘opt-in’).

Fraud Detection

2.8 SALSC observes the following key action points:

(a) SALSC will consult trade unions or other individual representatives, if any, or individuals themselves before starting a data matching exercise. SALSC will act on any legitimate concerns raised in consultation before starting the exercise;

(b) SALSC will inform new individuals of the use of payroll or other data in fraud prevention exercises and remind them of this periodically;

(c) SALSC will not disclose individual data to other organisations for the prevention or detection of fraud unless:

i. Required by law to make the disclosure, or

ii. SALSC believes that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or

iii. The disclosure is provided for in an individual’s contract of employment.

Individuals’ Access to Information about Themselves

2.9 SALSC observes the following key action points:

(a) SALSC will establish a system that enables the COO to recognise a subject access request and to locate all the information about an individual in order to be able to respond promptly and in any case within 40 calendar days of receiving a request;

(b) SALSC will check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it;

(c) SALSC will provide the individual with a hard copy of the information kept, making clear any codes used and the sources of the information;

(d) SALSC will make a judgement as to what information is reasonable to withhold concerning the identities of third parties using the guidelines given later in this Policy;

(e) SALSC will inform relevant people in the organisation of the nature of information that will be released to individuals who make subject access requests;

(f) SALSC will ensure that on request, promptly and in any event within 40 calendar days, individuals are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works;

(g) When purchasing a computerised system SALSC will ensure that the system enables SALSC to retrieve all the information relating to an individual without difficulty. SALSC will ensure that the supplier of a system used to take automated decisions about individuals provides the information needed to enable full responses to requests for information about how the system works.

References

2.10 SALSC observes the following key action points about references given:

(a) SALSC will not provide confidential references about an individual unless it is sure that this is the individual's wish;

(b) SALSC will establish at the time an individual’s employment ends, whether or not the individual wishes references to be provided to future employers or to others.

2.11 SALSC observes the following key action point about references received:

(a) When responding to a request from an individual to see his or her own reference and the reference enables a third party to be identified, the Audit Working Group will make a judgement as to what information it is reasonable to withhold, using the guidelines given later in this Policy.

Disclosure Requests

2.12 SALSC observes the following key action points:

(a) SALSC will ensure that disclosure decisions that are not covered by clear policy rules are only taken by individuals who are familiar with the Act and this Policy, and who are able to give the decision proper consideration;

(b) Unless under a legal obligation to do so, SALSC will only disclose information about an individual where the Audit Working Group concludes that in all circumstances it is fair to do so, taking into account that the duty of fairness is owed primarily to the individual. Where possible SALSC will take account of the individual’s views and only disclose confidential information if the individual has clearly agreed;

(c) Where a disclosure is requested in an emergency, SALSC will make a careful decision as to whether to disclose, considering the nature of the information being requested and the likely impact on the individual of not providing it;

(d) SALSC will make individuals aware that those seeking information sometimes use deception to gain access to it. SALSC will ensure that they check the legitimacy of any request and the identity and authority of the person making it;

(e) SALSC will ensure that if the association intends to disclose sensitive personal data, a sensitive data condition is satisfied;

(f) Where the disclosure would involve a transfer of information about an individual to a country outside the European Economic Area, SALSC will ensure that there is a proper basis for making the transfer;

(g) SALSC will inform the individual before or as soon as is practicable after a request has been received that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a “tip off” prejudicing a criminal or tax investigation;

(h) SALSC will keep a record of non-regular disclosures. SALSC will regularly check and review this record to ensure that the requirements of the Act are being satisfied.

Publication and Other Disclosures

2.13 SALSC observes the following key action points:

(a) SALSC will only publish information about individuals where:

i. There is a legal obligation to do so, or

ii. The information is clearly not intrusive, or

iii. The individual has consented to disclosure, or

iv. The information is in a form that does not identify individuals.

(b) Where information about individuals is published on the basis of consent, SALSC will ensure that when the individual gives consent he or she is made aware of the extent of information that will be published, how it will be published and the implications of this;

(c) SALSC will only supply personal information about individuals to a trade union for its recruitment purposes if:

i. The trade union is recognised by SALSC,

ii. The information is limited to that necessary to enable a recruitment approach, and

iii. Each individual has been previously told that this will happen and has been given a clear opportunity to object.

(d) Where individual information is supplied to trade unions in the course of collective bargaining, SALSC will ensure the information is such that specific individuals cannot be identified.

Mergers and Acquisitions

2.14 SALSC observes the following key action points:

(a) SALSC will ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymous;

(b) SALSC will only hand over personal information prior to the final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use;

(c) SALSC will advise individuals wherever practicable if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds SALSC will make sure individuals are aware of the extent to which their records are to be transferred to the new employer;

(d) SALSC will ensure that if an individual intends to disclose sensitive personal data a sensitive personal data condition is satisfied;

(e) Where a merger or acquisition involves a transfer of information about an individual to a country outside the European Economic Area (EEA) SALSC will ensure that there is a proper basis for making the transfer;

(f) SALSC will ensure that the records they hold as a result of a merger or acquisition do not include excessive information, and are accurate and relevant.

Discipline, Grievance and Dismissal

2.15 SALSC observes the following key action points:

(a) The Data Protection Act applies to personal data processed in relation to discipline, grievance and dismissal proceedings;

(b) SALSC will not access or use information kept about individuals merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:

i. Incompatible with the purpose(s) the information is to be obtained for, or

ii. Disproportionate to the seriousness of the matter under investigation.

(c) SALSC will ensure that there are clear procedures on how "spent" disciplinary warnings are handled;

(d) SALSC will ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the individual has been told about the termination.

Outsourcing Data Processing

2.16 SALSC observes the following key action points:

(a) SALSC will ensure that any data processor chosen adopts appropriate security measures both in terms of the technology it uses and how it is managed;

(b) SALSC will put in place a written contract with any data processor chosen that requires it to process personal information only on the instructions of the Chair, and to maintain appropriate security;

(c) Where the use of a data processor would involve a transfer of information about an individual to a country outside the European Economic Area, SALSC will ensure that there is a proper basis for making the transfer.

Retention of Records

2.17 SALSC observes the following key action points:

(a) SALSC will establish and adhere to standard retention times for the various categories of information held on the records of individuals and former individuals. SALSC will base the retention times on business need taking into account relevant professional guidelines;

(b) SALSC will ensure that any data about individuals is made anonymous where practicable;

(c) If the holding of any information on criminal convictions of individuals is justified, SALSC will ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act;

(d) SALSC will ensure that records, which are to be disposed of, are securely and effectively destroyed.