Who we are

This Notice tells you what to expect in relation to personal information about you which is collected, handled and processed by Harrogate Town AFC CIO, Community House, 46-50 East Parade, Harrogate, HG1 5RR (“HTAFC CIO” or “We”) as Data Controller.

We are committed to protecting your data and respecting your privacy.

We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect with your data. We handle and process data in accordance with the General Data Protection Regulation 2018 (“GDPR”).

Information we may collect

You give us information when you apply for a job; complete an application form or submit a CV; attend an interview; accept a job offer and provide details for your contract of employment, to enable us to pay you and for general administrative purposes; or when you complete an employee survey or form. We also use cookies on our website. This information may be provided via a form, phone, email or online; or by communicating with us via any other channel.

The information about you that we may collect, hold and process may include:

  • Name and contact information including postal addresses, email addresses and phone numbers
  • National Insurance numbers or other national government identifiers
  • Date of birth
  • Gender
  • Financial account information such as bank account details and payroll information
  • Pension and Insurance enrolment information.
  • Health and genetic information
  • Drug and alcohol testing information
  • Passport and driving licence information
  • Personal records
  • Marital status, dependants and beneficiaries
  • Next of kin and emergency contact information
  • Salary, annual leave and benefit information
  • Compensation history
  • Performance information
  • Disciplinary and grievance information, where applicable
  • Start date and job title
  • Location of employment
  • Education and training qualifications, skills and employment history
  • Employment records (including professional memberships, references, work history, and proof of work eligibility)
  • Photographs
  • IP Address
  • Other personal details included in a CV or cover letter or that you have otherwise voluntarily provided.
  • Information gathered by employee monitoring and (where applicable) CCTV footage
  • Cookies data when visiting our website


The sensitive personal information that we may also collect includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious and philosophical beliefs
  • Trade union membership
  • Health, sex life or sexual orientation
  • Genetic and biometric data


We may collect information about you from third parties such as:

  • Recruitment and employment agencies
  • HMRC
  • DVLA
  • Previous employers and referees provided to us by you
  • Disclosure and Barring Service
  • Medical professionals or occupational health
  • Training providers
  • Public sources such as LinkedIn, Facebook and other social media platforms
  • Police

We keep a record of the emails sent between you and HTAFC CIO.

We may monitor or record calls for commercial, security and training purposes and to improve our business processes.

Your image and vehicle number plate may be recorded by CCTV at any of our sites for safety and security purposes and for disciplinary purposes. This footage may also be used to exercise and defend our legal rights. Where necessary this footage will also be shared with the authorities for law enforcement purposes.

How we use your information

The above information is used to:

Administer and manage the employment contract and relationship

  • Payroll, pension and benefits administration
  • Background checks
  • Insurance
  • Performance reviews and evaluations
  • Training and development
  • Investigating grievances and disciplinary matters
  • Monitoring employee activities
  • Entry identification and time recording
  • Compliance with applicable laws, court orders or other legal or tax requirements
  • Allow us to make reasonable adjustments in respect of any disability you have informed us of
  • Allow us to monitor the effectiveness of our equal opportunities policy
  • Obtain government or other third party funding and apply the apprenticeship levy
  • Assist in any Governing Body or other external stakeholder investigations
  • Management of travel, accommodation and insurance on your behalf
  • Notify you of Group Company offers
  • To make you aware of relevant information based on your cookie preferences

Performance of the employment contract including:

  • Obligations required by law and HMRC
  • Management, planning and organisation of work
  • Equality and diversity in the workplace
  • Health and safety
  • Protection of employer or customer property
  • Rights and benefits related to employment
  • Disciplinary and termination


During the performance of your duties as an employee, HTAFC CIO and/or its media partners may from time to time create images and/or audio-visual footage of you for the following purposes:

  • Safety and security purposes;
  • Promotional, marketing and commercial purposes;
  • Training for Foundation employees and third parties who work with the Foundation;
  • Broadcasting and editorial purposes.


How we keep your information safe
All personal information we hold is stored on our secured servers in the UK and EU.

Access to our information is strictly controlled. We may disclose your details to police, regulatory bodies, local authorities, football governing bodies or legal and professional advisors and insurers if so required. If any of the organisations to which we disclose your personal information is situated outside the European Economic Area (EEA) we would take reasonable steps to ensure that your information is properly protected including safeguards such as using contractual provisions to ensure your information is properly protected.

Disclosure of your information

We do not share your information with any other third party without your agreement unless we are under a duty to disclose or share your personal data in order to comply with any legal or tax obligation, or in order to enforce or apply the terms of the employment contract; or to protect the rights, property, or safety of the Foundation or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We will share your information with future employers on your request.

Any third party providers used by us to fulfil our contractual obligations to you will only collect, use, store and disclose your information in the manner and to the extent necessary for them to provide their services to us. We have written agreements in place with each third party to ensure that your information is kept securely, is not used for any other purpose and is deleted when no longer required.

Such third party providers may include:

  • Sage Payroll
  • Howard Matthews Accountancy/Elite Payroll
  • Pension company
  • Private healthcare
  • Life assurance and insurance companies
  • Strata Homes (IT)
  • Travel and accommodation booking services
  • Training providers
  • Funding providers
  • HMRC
  • Department of Work & Pensions
  • HSE
  • Police

We may share personal information with other organisations such as the Premier League, the English Football League, the Office for National Statistics and other governing bodies for compliance purposes, research, reporting and improvement of strategic planning and business decisions or funding.

We never sell personal information to third parties.

What is the legal basis for processing information

The legal basis for collecting and processing your data may be:

  1. Consent – you may have pro-actively given us your written consent to use your data (if there is no other legal basis to do so). We will also seek your consent for accessing potentially sensitive data such as health records and other potentially sensitive data. You can withdraw your consent at any time.
  2. Performance of a Contract – entering into and performance of the employment contract with us means we need your personal information including financial information.
  3. Legal obligation – if required by law to process personal information, for example to comply with employment, social security or social protection law, health and safety and equality obligations, to provide information to the police to prevent fraud or criminal activity and to comply with our HMRC obligations.
  4. Legitimate interest – for a genuine business reason that does not override your rights, freedom or interests, for example administrative purposes.
  5. To protect another person’s vital interest.
  6. For carrying out public functions or for public interest.

Your rights

You have the right at any time to ask for a copy of the information we hold about you and confirmation of how it is being processed. You will be required to verify your identity when making a request. If you would like to make a request for information please:

Email – [email protected] or Send a request in writing to Data Protection Officer, Harrogate Town AFC CIO, the Envirovent Stadium, Wetherby Road, Harrogate, HG2 7SA

You also have the right to:

  • request that we correct inaccuracies to your information or complete your information if incomplete. You must notify us of any updates, amendments or corrections to previously collected personal information in writing to HR. This can be via email. We require you to keep the personal information we hold on you up to date and accurate;

  • request that we delete some or all of your personal information for example if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;

  • request that we stop or limit the processing of your information where you think the information we hold is inaccurate (until the accuracy is proved or updated); if you have objected to the processing (when it was necessary for legitimate interests); if you have consented to the use of it; or if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;

  • (in certain circumstances) move, copy or transfer your personal information to another organisation or to yourself. This applies only to personal information you have provided us with and is being processed by us with your consent or for performance of a contract and is processed automatically;

  • (in certain circumstances) object to certain types of processing of your personal information when it is based on legitimate interests, when it is processed for direct marketing including profiling, or when it is processed for the purpose of statistics.


How long do we keep your information?

Appropriate retention of data is necessary for our operational performance and in some cases is required to fulfil statutory or other regulatory requirements.

However, the retention of data can lead to unnecessary and excessive use of electronic or physical storage space, and indefinite retention of personal data can breach the General Data Protection Regulation (2018). Harrogate Town AFC CIO looks to ensure that records and documents are preserved in line with business and legislative requirements and that data is not retained for any longer than necessary.


Data Archiving
The rules on data archiving vary according to the format of a data record, as set out below.

Automated Electronic Records Archive - Documents, Email, Multimedia
Non-statutory electronic records stored on personal drives that have not been accessed for 2 years will be automatically transferred to an electronic archive. Statutory records will be excluded from this process if they are stored in the designated departmental statutory records folder. Archived files may be accessed in read-only format through the Archive (R:\) drive until they are subsequently removed from the system, 7 years after their creation.

Physical Records Archive
Physical statutory records which are older than 2 years and don’t need to be accessed on a day-to-day basis must be archived. The records will be archived within the Harrogate Town AFC CIO offices.

Electronic Records Retention & Disposal - Documents, Email, Multimedia
The following retention rules apply to all Harrogate Town AFC CIO documents, email and multimedia. Non-Statutory Records - Schedules A-E:




Archive & Disposal Policy

  • Non-statutory shared Personal Drive Data: Automatically archived if not accessed for 2 years
  • Archive (R:\) data: Automatically disposed of 7 years after it was originally created
  • Temporary Storage Area (Scratch Area): Automatically disposed of if not accessed for 30 days
  • Email data (emails only): Mailbox items automatically disposed of 2 years after they were created, sent or received. All sent and received mailbox items also logged and archived separately for 5 years. Deleted Items folder contents automatically cleared after 30 days. Mailbox items automatically disposed from the archive 5 years after they were sent or received
  • Multimedia data: Automatically disposed of 3 years after it was created (unless flagged otherwise by Community Manager or data controller)

Appendix 1 shows the Statutory Records Retention and Disposal Schedule

Withdrawing consent

If you have provided us with your consent to process your personal information you have the right to withdraw this at any time. In order to do so you should contact us by emailing [email protected]

Contact us

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us by contacting:

Harrogate Town AFC CIO
Community House
46-50 East Parade




[email protected]

You also have the right to contact the Information Commissioner's Office at https://ico.org.uk/concerns/

Changes to this notice

Our policies are constantly under review and this Privacy Notice may be changed by us at any time. Any significant changes shall be notified to you.

Policy Date 01/02/2021

Appendix 1 – Definition of Terms

Listed below are the definitions of certain terms as they are used in this policy.

Archive (electronic)

Harrogate Town AFC CIO’s read-only file repository that is used to store non-statutory shared (S:\) and personal (P:\) drive data that has not been accessed for 2 years, ahead of its disposal (5 years after creation).

Archive (physical)

Harrogate Town AFC CIO currently archive documents at their Head Office.

Confidential data

For this policy, any data that is not in the public domain and, if illegitimately accessed, altered, disclosed or destroyed could cause a non-negligible level of risk to Harrogate Town AFC CIO, its staff and beneficiaries. Examples of confidential data include data protected by privacy legislation (i.e. personal data and special category personal data) and data protected by confidentiality agreements as well as internal-only documents and records, such as papers, reports, plans or emails etc.


Any physical or electronic report, article, spreadsheet, presentation, chart, plan, contract, drawing or similar.


For this policy, any item created in Microsoft Outlook, including emails, calendar items, contacts, tasks, notes and journal items.

IT User

Any individual (e.g. employee, volunteer, intern, apprentice, agency staff, consultant, contractor, trustee) working for or on behalf of Harrogate Town AFC CIO who utilises any of our IT services to fulfil their role.


Image, video and audio files or physical photographs, cassettes or



For this policy, any record that is retained by Harrogate Town AFC CIO that is not required in order to comply with its legal, regulatory, compliance or contractual obligations.

Personal data

Data, whether facts or opinions, which relate to a living individual who can be identified either from the data or from the data in combination with other information that is in the possession of, or likely to come into the possession of Harrogate Town AFC CIO.


For this policy, an organised collection of data items arranged for processing by a computer program or for consumption by an end user, either within a ‘structured’ database or ‘structured’ physical filing system or within ‘unstructured’ file repository, such as a document on the shared (S:\) or personal (P:\) drives or a printed physical copy.

Special category personal data

For this policy, information about an individual’s characteristics that are protected under the GDPR (2018) and/or the Equality Act (2010), i.e. that relates to age, disability, health, sexual orientation, sex life, gender, gender reassignment, pregnancy and maternity, racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, criminal proceedings or convictions.


For this policy, any record that is retained by Harrogate Town AFC CIO in order to comply with its legal, regulatory, compliance or contractual


Scratch area / Temporary Storage Area

An alternative electronic data storage area that is designed for easily sharing and collaborating on documents and multimedia such as photos and videos at low cost. The scratch area is accessible through Windows Explorer on the X:\ drive and is open to all IT users. There are no internal security controls in place, which means that all IT users may access all files stored in the scratch area, and therefore, it must never be used to store confidential data. Data stored in the scratch area is not backed up (and is therefore not recoverable in the event of loss) and all data stored there is automatically deleted 30 days after it was last accessed.


Appendix 2 - Statutory Records Retention & Disposal Schedule


Organisational Area: Corporate Governance

  • Records on establishment and development of the organisation’s legal framework and governance
    Disposal Policy: 6 years after end of life of organisation
    Accountable (Role): Corporate Governance
  • Trustee Board papers and minutes
    Disposal Policy: 6 years after end of life of organisation
    Accountable (Role): Corporate Governance
  • Management papers and minutes
    Disposal Policy: 6 years after end of financial year
    Accountable (Role): Corporate Governance
  • Subject Access Requests (requests and responses)
    Disposal Policy: 6 years from response
    Accountable (Role): Corporate Governance
  • Litigation with third parties
    Disposal Policy: 6 years after settlement of case
    Accountable (Role): Corporate Governance
  • Provision of legal advice
    Disposal Policy: 6 years from date of advice
    Accountable (Role): Corporate Governance
  • Audit reports
    Disposal Policy: 6 years from completion
    Accountable (Role): Corporate Governance
  • Fraud Investigations
    Disposal Policy: 6 years from completion or 5 years after award completion (whichever is later)
    Accountable (Role): Corporate Governance
  • Strategic plan, business plan, risk plans
    Disposal Policy: 6 years from completion
    Accountable (Role): Corporate Governance

Organisational Area: Data Protection

  • Consent (where unstructured data)
    Disposal Policy: 6 years after consent expired
    Accountable (Role): Data Protection Officer
  • Privacy notices and index
    Disposal Policy: 6 years after end of life of organisation
    Accountable (Role): Data Protection Officer
  • Record of Processing Activities
    Disposal Policy: 6 years after end of life of organisation
    Accountable (Role): Data Protection Officer
  • Subject Access Requests
    Disposal Policy: 6 years after end of life of organisation
    Accountable (Role): Data Protection Officer
  • Subject Access Request case data
    Disposal Policy: 90 days after the SAR case is closed
    Accountable (Role): Data Protection Officer

Organisational Area: Financial Management

  • Financial records
    Disposal Policy: 6 years after date of signing of accounts or, as applicable, 5 years after award completion (whichever is later)
    Accountable (Role): Community Manager/Financial Controller
  • Property acquisition (purchase, donation, rental, transfer) Deeds and certificates
    Disposal Policy: 6 years after end of ownership/asset liability period
    Accountable (Role): Community Manager
  • Property leases
    Disposal Policy: 15 years after expiry
    Accountable (Role): Community Manager
  • General contracts and agreements
    Disposal Policy: 6 years after contract termination
    Accountable (Role): Community Manager
  • Unsuccessful tender documents
    Disposal Policy: 1 year after tender awarded
    Accountable (Role): Community Manager

Organisational Area: Award / Grant Management

  • Unsuccessful application
    Disposal Policy: 2 years after decision
    Accountable (Role): Community Manager
  • Successful award file
    Disposal Policy: 6 years after end of award
    Accountable (Role): Community Manager

Organisational Area: Human Resources Management

  • Job applications and interview records for unsuccessful applicants
    Disposal Policy: 6 months after interview
    Accountable (Role): HR - Community Manager
  • Payroll records – salaries and other payments through payroll
    Disposal Policy: 6 years
    Accountable (Role): HR - Community Manager / Payroll company
  • Payroll records - Maternity, Paternity, Adoption and SSP records
    Disposal Policy: 3 years after end of the tax year
    Accountable (Role): HR - Community Manager / Payroll company
  • Pension details - name, National Insurance number, opt-in notice and joining notice. (Kept by Nest Pensions)
    Disposal Policy: 6 years after effective date
    Accountable (Role): HR - Community Manager / Payroll company
  • Pension details – opt-out (kept by Nest Pensions)
    Disposal Policy: 4 years after opt out
    Accountable (Role): HR - Community Manager / Payroll company
  • A summary of record of service e.g. name, position, dates of employment, pay
    Disposal Policy: 6 years after end of employment
    Accountable (Role): HR - Community Manager / Payroll company
  • Timesheets, pay records and supporting documents such as contracts and contractual letters for employees charged to awards
    Disposal Policy: 5 years after payment of award balance
    Accountable (Role): Community Manager
  • Evidence of right to work
    Disposal Policy: 2 years after end of employment
    Accountable (Role): Community Manager
  • All other HR documents
    Disposal Policy: 1 year after end of employment
    Accountable (Role): Community Manager

Organisational Area: Donations / Supporters

  • Individual Giving supporter financial and banking data (excluding payment card details)
    Disposal Policy: 12 months after end of regular gift
    Accountable (Role): Community Manager
  • Payment card data
    Disposal Policy: Immediately after transaction
    Accountable (Role): Community Manager/Financial Controller

  • Child welfare concerns referred to a local authority
    Disposal Policy: 6 years after referral
    Accountable (Role): Safeguarding Manager
  • Child welfare concerns not referred to a local authority
    Disposal Policy: 1 year after child ceases to be associated with Plan
    Accountable (Role): Safeguarding Manager
  • Concerns about an adult relating to child safeguarding
    Disposal Policy: 10 years
    Accountable (Role): Safeguarding Manager
  • DBS check outcome
    Disposal Policy: 1 year after end of relationship with HTAFC CIO
    Accountable (Role): Safeguarding Manager

For any other type of record, or if you have any questions, please liaise with your immediate Line Manager in the first instance and then, as necessary, the Data Protection Officer.