Scope
At Grimsby Town Sport and Education Trust (referred to from here on as GTSET) our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regard to the collection and use of personal data. There is a need to develop a policy and procedures for the retention, storage and destruction of any records that relate to all employees of GTSET, as well as any information held on any child or young person under the age of 18 participating in any GTSET programmes, including adults at risk employed or involved in any activities within Grimsby Town Sport and Education Trust.
This policy and these procedures were created by Martin George (Lead Designated Safeguarding Officer) using guidance from the General Data Protection Regulations 2018.
The policy applies to all staff employed by GTSET on either full time, part-time, voluntary or casual basis.
GTSET are committed to:
- Ensuring that we comply with the eight data protection principles, as listed below
- Meeting our legal obligations as laid down by the General Data Protection Regulations 2018.
- Ensuring that data is collected and used fairly and lawfully
- Processing personal data only in order to meet our operational needs or fulfil legal requirements
- Taking steps to ensure that personal data is up to date and accurate
- Establishing appropriate retention periods for personal data
- Ensuring that data subjects' rights can be appropriately exercised
- Providing adequate security measures to protect personal data
- Ensuring that a nominated officer is responsible for GDPR compliance and provides a point of contact for all data protection issues
- Ensuring that all staff are made aware of good practice in data protection
- Providing adequate training for all staff responsible for personal data
- Ensuring that everyone handling personal data knows where to find further guidance
- Ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
- Regularly reviewing data protection procedures and guidelines within the organisation.
Data protection principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998 (as amended by GDPR 2018)
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The above principles are administered and controlled through the IT system employed within the Trust. Access to the system is controlled and managed by a local computer and electronics company on a subcontract basis. The company ensures that all necessary IT security products preventing outside access are installed, including a firewall. They also regularly review and update all software.
This policy and the Data Protection Act 1998, as amended by the General Data Protection Regulations 2018, apply to all personal data handled by Grimsby Town Sport and Education Trust, both that held in paper files and data held electronically. So long as the processing of the data is carried out for GTSET purposes, it also applies regardless of where the data is held (for example, it covers data held on site and on mobile devices such as electronic notebooks or laptops) and regardless of who owns the PC/device on which it is stored.
‘Processing’ data is widely defined and includes every plausible form of action that could be taken in relation to the data such as obtaining, recording, keeping, or using it in any way; sharing or disclosing it; erasing and destroying it.
Definitions:
Personal data:
Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The data controller for GTSET is the Trust Manager, Graham Rodger.
Examples of personal data are the name and address of an individual, or an ID number which, when put with other information held by GTSET, could identify a staff member, adult, child or young person under 18, or adult at risk engaged in any programme or activity. The majority of staff (including all line managers) will therefore handle personal data at least occasionally.
Sensitive personal data:
Personal data consisting of information relating to:
- Race or ethnic origin of the data subject
- Their political opinions
- Their religious beliefs or other beliefs of a similar nature
- Whether they are a member of a trade union
- Their physical or mental health or condition
- Their sexual life.
- Any commission or alleged commission by them of any offence
- Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Staff working in certain areas, or in certain roles (eg Managers, Lead coaches/educators), will have regular access to sensitive personal data; others are likely to do so only rarely, if at all.
Confidential data:
Data given in confidence or data agreed to be kept confidential, in other words a secret between two parties, and that is not in the public domain.
Some confidential data will also be personal data and/or sensitive personal data and therefore come within the terms of this policy. Staff working in certain functions and in senior management roles will handle confidential data regularly.
The GTFC Academy also handles data about children and young people, which comprises data collected or created for the purposes of education and activities.
Legal framework:
GTSET needs to collect and keep certain types of information about the people with whom it deals. This includes information relating to its staff, students and other individuals. It needs to process ‘personal data’ for a variety of reasons, such as to recruit and pay its staff, to record the academic progress of its students/young Futsal players and to comply with statutory obligations (for example, health & safety requirements).
The General Data Protection Regulations 2018 apply to all ‘personal data’ processed by GTSET. To comply with the law, all personal data must be collected and used fairly, stored safely and not disclosed to any third party unlawfully.
Responsibilities of staff and players:
All staff and players must:
- Be mindful of the fact that individuals have the right to see their ‘personal data’ (and this may include for example information received from staff written in connection with their activity progress or any comments written about them in emails). Staff should not therefore record comments or other data about individuals which they would not be comfortable in the individual seeing, either in emails or elsewhere.
- Immediately report to their line manager any incidents or concerns, any lost or discarded data which they believe contains personal data (for example, a memory stick), or any case where they become aware that personal data has been accidentally lost, stolen or inadvertently disclosed (for example, if their laptop is stolen or their phone is lost and it has personal data stored on it).
- Hold the contents of any personal data which comes into their possession securely.
- Ensure that any personal data they provide to GTSET (for example, their contact details) is accurate.
- Notify GTSET promptly of any changes to their personal data (for example, change of address or emergency contact details).
- Only ever obtain or use personal data relating to third parties for approved work or football related purposes.
Staff with access to ‘personal data’ must:
- Ensure that they only ever process personal data in accordance with the requirements of the General Data Protection Regulations 2018 and in particular follow the eight principles above. The best way to ensure compliance is through familiarisation with this policy and the guidance it provides.
Key points of the guidance include:
- Fair processing – for example, ensure that the individual consents to their data being used and knows what it will be used for, and ensure that it is not subsequently used for something else
- Data Security – ensure any personal data which is held is always kept and disposed of securely, (taking into account any cyber security considerations).
- Non-disclosure – ensure personal data is not disclosed to any unauthorised third party.
- Be mindful of the scope of Data Protection regulation. This includes the fact that ‘personal data’ is widely defined (and so will cover, for example, comments made about an individual in an email to someone else), and the fact that it covers data held on remote devices (such as tablets and mobile phones) regardless of who owns the actual device and where the device is stored.
- Seek advice whenever a new or novel form of processing personal data is contemplated or if any data protection related concerns ever arise.
Data security
Any information you access when conducting GTSET business that pertains to living individuals is covered by the GDPR. More stringent rules apply to sensitive personal data containing information such as a person’s race or ethnic origin, religious beliefs or health.
The GDPR applies to personal data held or processed by or on behalf of GTSET, including remotely on mobile devices, even if the device is your personal property. If you use a mobile device or home computer to access or save your emails, there is likely to be personal data within those emails that falls under the GDPR.
Keeping data secure:
Physical access to the GTSET offices is via a key-coded secure door from a public reception area, which is also covered by a security CCTV camera, leading into a passageway; there are then three further key-coded doors giving access to the GTSET facility. The whole premises are alarmed outside office working hours.
Locked and secure cabinets within the GTSET offices are used to secure paper files containing personal and confidential information on both staff and players.
The most common causes of data loss or leakage and breaches of the GDPR can be avoided by following our guidance.
Keep personal data secure
- Paper files should be kept in locked cabinets or locked offices when not being used and stored securely at the end of the day – not left on desks.
- Offices should be locked when left unattended (during meetings and lunch breaks).
- Always ensure that you log off from your computer when away from it.
- Password protection should be used for any electronic files/documents containing sensitive personal data.
- Take particular care when transferring personal data onto a memory stick, laptop or any other mobile device – use password protection and encryption where appropriate.
- If you ever need to include sensitive personal data in an email use password protection or encryption where appropriate.
- Change your password frequently and adhere to the GTFC/Academy IT Security Policy.
- Don’t copy any personal data unless it is strictly necessary.
Restrict access to personal data
- Ensure that access to data is only granted to GTSET staff who require it for legitimate purposes.
- Don’t disclose personal data to other third parties.
- Avoid third parties seeing digital screens displaying personal data.
- If you need to share data with a third party for business purposes contact the Data Protection controller so that a data sharing agreement can be entered into with them.
Storing personal data:
- Whenever possible, store/save personal data on a Computing Services server.
- Never store personal data, especially sensitive personal data, on a mobile device or home computer unless it is strictly necessary and the device has been encrypted where appropriate.
- Don’t store or transfer personal data where it could be lost or exposed (on unencrypted USB drives, mobile devices and laptops).
Dispose of personal data carefully
- Shred paper files or dispose of them securely using confidential waste sacks.
- If you store personal data on your own device you must securely erase all personal data on it before disposing of it.
Report data breaches
You must immediately report breaches or potential breaches as soon as you become aware of them. This includes lost or stolen laptops, memory sticks or other mobile devices, and accidental disclosures of information, for example sending an email to the wrong recipient.
Information Security Principles:
The following principles provide a framework for the security and management of the GTSET’s information and information systems including personal data which is transferred to and from a third party.
- Information should be classified in line with the GDPR 2018 and in accordance with any other legislative, regulatory or contractual requirements that might increase the sensitivity of the information and security requirements.
- Where personal data is stored, appropriate consent for storage and processing must be gathered and recorded.
- All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level.
- Information should be only available to those with a legitimate need for access.
- Information will be protected against unauthorised access and processing.
- Information will be protected against loss and corruption.
- Information will be disposed of securely and in a timely manner with measures appropriate for its classification.
- Breaches of policy must be reported by anyone aware of the breach in a timely manner.
Procedures for Record Retention Periods:
The General Data Protection Regulations 2018 stipulate that personal information should be:
- Adequate, relevant and not excessive for the purpose(s) for which they are held.
- Accurate and where necessary kept up to date.
- Not kept longer than necessary for its purpose(s).
The following guidance on time periods is also given in the GDPR 2018:
“Where no legal requirement to retain information beyond the closure of the record exists an organisation will need to establish its own retention periods.”
Normally personal information should not be retained for longer than 6 years after the subject has left GTSET. Exceptions to the 6-year period will be when the records:
- Need to be retained because the information contained in them is relevant to legal action that has been started.
- Are required to be kept longer by law.
- Are archived for historical purposes (for example, where the football club was party to legal proceedings). Where there have been legal proceedings in the past it is advisable to seek legal advice about the retention period.
- Relate to individuals or service providers who have, or whose staff have, been judged unsatisfactory.
- Are held in order to provide the subject with aspects of their personal history (eg where a child or young person might seek access to their file at a later date and the information would not be available elsewhere).
When records are kept for longer than the 6 year period they must be clearly marked and reasons for the extension period clearly identified.
Some records are subject to statutory requirements, for example a defined retention period. For GTSET this will apply to Data Barring Services (DBS) checks. Certificates should not be stored for more than 6 months, unless specific permission has been given to store them longer by the regulating body (The FA DBS Unit).
Whilst the disclosure certificate should normally be destroyed after 6 months, it is permissible to keep a record of the date when the check was completed, the reference number of the disclosure certificate and the decision as to whether the person was employed.
Concerns about adult behaviour.
Safeguarding and child protection concerns may also arise from the behaviour of adults who are working with children and young people under the age of 18 years, where they have behaved in a way that has harmed, or may have harmed, a child/young person; possibly committed a criminal offence against or related to a child/young person; or behaved in such a manner towards a child/young person that indicates she or he is unsuitable to work with children/young people.
In response to recent events and disclosures around safeguarding and child protection concerns in football, it is important for GTSET to keep a clear and comprehensive summary of any allegations made, details of how the allegations were followed up and resolved, and of any action taken and decisions reached.
Such information must be retained on file, including for people who leave GTSET, at least until the person reaches normal retirement age, or for 10 years if that is longer (GDPR 2018).
The purpose of the record is to enable accurate information to be given in response to any future request for a reference. It will also act to provide clarification in cases where a future DBS disclosure reveals information from the police that an allegation was made but did not result in a prosecution or a conviction. It will also prevent unnecessary re-investigation if, as sometimes happens, allegations resurface after a period of time.
If records are to be stored electronically then there will be a need to password-protect those records, which only those members mentioned in point 5 should have access to.
Staff Training:
All GTSET staff including the Board of Trustees, have undertaken training on their requirements under General Data Protection legislation and responsibilities related to IT security and use of Personal and Confidential Data. This training will be delivered at least every two years that the employee is with the Trust.
New members of staff will undertake and receive GDPR training within 4 weeks of joining the staff.
GTSET will keep written records of all GDPR training delivered including, dates, details of those attending and the matters covered.
Destruction of Records
Records should be incinerated or shredded in the presence of a member of GTSET or entrusted to a firm specialising in the destruction of confidential information/material. This action must be taken at the same time as the electronic record is purged.
If not shredded immediately, all confidential records must be held in a secured plastic bag, labelled confidential and locked in a cupboard or other secure place.
Implications of breaching this policy:
Compliance with this policy is a condition of employment for staff at GTSET. Any breach of this policy will be considered to be a disciplinary offence and may lead to disciplinary action. A serious breach of the General Data Protection Regulations may also result in GTSET and/or the individual being held liable in law.
Monitor and review the policy and procedures:
The Board of Trustees of GTSET acknowledges and adopts this policy and the implementation of its monitoring procedures as set out above. The Data Controller for GTSET should regularly report progress, challenges, difficulties, achievements, gaps and other areas, including legislative changes where required, to the Board of Trustees. The contents of this policy will be reviewed every two years.