Privacy Policy

Who we are

This Notice tells you what to expect in relation to personal information about you which is collected, handled and processed by Harrogate Town AFC CIO, Community House, 46-50 East Parade, Harrogate, HG1 5RR (“HTAFC CIO” or “We”) as Data Controller.

We are committed to protecting your data and respecting your privacy.

We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect with your data. We handle and process data in accordance with the General Data Protection Regulation 2018 (“GDPR”).

Information we may collect

You give us information when you apply for a job; complete an application form or submit a CV; attend an interview; accept a job offer and provide details for your contract of employment and to enable us to pay you and for general administrative purposes or when you complete an employee survey or form. We also use cookies on our website. This information may be provided via a form, phone, email or online; or by communicating with us via any other channel.

The information about you that we may collect, hold and process may include:

Name and contact information including postal addresses, email addresses and phone numbers
National Insurance numbers or other national government identifiers
Date of birth
Gender
Financial account information such as bank account details and payroll information
Pension and Insurance enrolment information.
Health and genetic information
Drug and alcohol testing information
Passport and driving licence information
Personal records
Marital status, dependants and beneficiaries
Next of kin and emergency contact information
Salary, annual leave and benefit information
Compensation history
Performance information
Disciplinary and grievance information, where applicable
Start date and job title
Location of employment
Education and training qualifications, skills and employment history
Employment records (including professional memberships, references, work history, and proof of work eligibility)
Photographs
IP Address
Other personal details included in a CV or cover letter or that you have otherwise voluntarily provided.
Information gathered by employee monitoring and (where applicable) CCTV footage
Cookies data when visiting our website

The sensitive personal information that we may also collect includes:

Racial or ethnic origin
Political opinions
Religious and philosophical beliefs
Trade union membership
Health, sex life or sexual orientation
Genetic and biometric data

We may collect information about you from third parties such as:

Recruitment and employment agencies
HMRC
DVLA Previous employers and referees provided to us by you
Disclosure and Barring Service
Medical professionals or occupational health
Training providers
Public sources such as LinkedIn, FaceBook and other social media platforms
Police

We keep a record of the emails sent between you and HTAFC CIO.

We may monitor or record calls for commercial, security and training purposes and to improve our business processes.

Your image and vehicle number plate may be recorded by CCTV at any of our sites for safety and security purposes and for disciplinary purposes. This footage may also be used to exercise and defend our legal rights. Where necessary this footage will also be shared with the authorities for law enforcement purposes.

How we use your information

The above information is used to:

Administer and manage the employment contract and relationship

Payroll, pension and benefits administration
Background checks
Insurance
Performance reviews and evaluations
Training and development
Investigating grievances and disciplinary matters
Monitoring employee activities
Entry identification and time recording
Compliance with applicable laws, court orders or other legal or tax requirements
Allow us to make reasonable adjustments in respect of any disability you have informed us of
Allow us to monitor the effectiveness of our equal opportunities policy
Obtain government or other third party funding and apply the apprenticeship levy
Assist in any Governing Body or other external stakeholder investigations
Management of travel, accommodation and insurance on your behalf
Notify you of Group Company offers
TO make you aware of relevant information based on your cookies preferences

Performance of the employment contract including:

Obligations required by law and HMRC
Management, planning and organisation of work
Equality and diversity in the workplace

Health and safety

Protection of employer or customer property
Rights and benefits related to employment
Disciplinary and termination

During the performance of your duties as an employee HTAFC CIO and/or its media partners may from time to time create images and/or audio-visual footages of you for the following purposes:

Safety and security purposes;
Promotional, marketing and commercial purposes;
Training for Foundation employees and third parties who work with the Foundation;
Broadcasting and editorial purposes.

How we keep your information safe
All personal information we hold is stored on our secured servers in the UK and EU.

Access to our information is strictly controlled. We may disclose your details to police, regulatory bodies, local authorities, football governing bodies or legal and professional advisors and insurers if so required. If any of the organisations to which we disclose your personal information is situated outside the European Economic Area (EEA) we would take reasonable steps to ensure that your information is properly protected including safeguards such as using contractual provisions to ensure your information is properly protected.

Disclosure of your information

We do not share your information with any other third party without your agreement unless we are under a duty to disclose or share your personal data in order to comply with any legal or tax obligation, or in order to enforce or apply our terms the employment contract; or to protect the rights, property, or safety of the Foundation or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We will share your information with future employers on your request.

Any third party providers used by us to fulfil our contractual obligations to you will only collect, use, store and disclose your information in the manner and to the extent necessary for them to provide their services to us. We have written agreements in place with each third party to ensure that your information is kept securely, is not used for any other purpose and is deleted when no longer required.

Such third party providers may include:

Sage Payroll
Howard Matthews Accountancy/Elite Payroll
Pension company
Private healthcare
Life assurance and insurance companies
Strata Homes (IT)
Travel and accommodation booking services
Training providers
Funding providers
HMRC
Department of Work & Pensions
HSE
Police

We may share personal information with other organisations such as the Premier League, the English Football League, the Office for National Statistics and other governing bodies compliance purposes, research, reporting and improvement of strategic planning and business decisions or funding.

We never sell personal information to third parties.

What is the legal basis for processing information

The legal basis for collecting and processing your data may be:

Consent – you may have pro-actively given us your written consent to use your data (if there is no other legal basis to do so). We will also seek your consent for accessing potentially sensitive data such as health records and other potentially sensitive data. You can withdraw your consent at any time.
Performance of a Contract– entering into and performance of the employment contract with us means we need your personal information including financial information.
Legal obligation – if required by law to process personal information for example to comply with employment, social security or social protection law, health and safety and equality obligations, to provide information to the police to prevent fraud or criminal activity and to comply with our HMRC obligations.
Legitimate interest – for a genuine business reason that does not override your rights, freedom or interests for example administrative purposes.
To protect another person’s vital interest.
For carrying our public functions or for public interest.

Your rights

You have the right at any time to ask for a copy of the information we hold about you and confirmation of how it is being processed. You will be required to verify your identity when making a request. If you would like to make a request for information please:

Email – [email protected] or Send a request in writing to Data Protection Officer, Harrogate Town AFC CIO, the Envirovent Stadium, Wetherby Road, Harrogate, HG2 7SA

You also have the right to:

Request that we correct inaccuracies to your information or complete your information if incomplete. You must notify us of any updates, amendments or corrections to previously collected personal information in writing to HR. This can be via email. We require you to keep the personal information we hold on you up to date and accurate;
request that we delete some or all of your personal information for example if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;
request that we stop or limit the processing of your information where you think the information we hold is inaccurate (until the accuracy is proved or updated); if you have objected to the processing (when it was necessary for legitimate interests); if you have consented to the use of it; or if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;
(in certain circumstances) move, copy or transfer your personal information to another organisation or to yourself. This applies only to personal information you have provided us with and is being processed by us with your consent or for performance of a contract and is processed automatically;
(in certain circumstances) you have the right to object to certain types of processing of your personal information when it is based on legitimate interests, when it is processed for direct marketing including profiling, or when it is processed for the purpose of statistics.

How long do we keep your information?

Appropriate retention of data is necessary for our operational performance and in some cases is required to fulfil statutory or other regulatory requirements.

However, the retention of data can lead to unnecessary and excessive use of electronic or physical storage space, and indefinite retention of personal data can breach the General Data Protection Regulation (2018). Harrogate Town AFC CIO looks to ensure that records and documents are preserved in line with business and legislative requirements and that data is not retained for any longer than necessary.

Data Archiving
The rules on data archiving vary according to the format of a data record, as set out below.

Automated Electronic Records Archive - Documents, Email, Multimedia Non-statutory electronic records stored on personal drives that have not been accessed for 2 years will be automatically transferred to an electronic archive. Statutory records will be excluded from this process if they are stored in the designated departmental statutory records folder. Archived files may be accessed in read-only format through the Archive (R:\) drive until they are subsequently removed from the system, 7 years after their creation.

Physical Records Archive
Physical statutory records which are older than 2 years and don’t need to be accessed on a day-to-day basis must be archived. The records will be archived within the Harrogate Town AFC CIO offices.

Electronic Records Retention & Disposal - Documents, Email, Multimedia
The following retention rules apply to all Harrogate Town AFC CIO documents, email and multimedia. Non-Statutory Records - Schedules A-E:

Schedule	Description	Status	Archive & Disposal Policy
A	Non-statutory shared Personal Drive Data	Live	Automatically archived if not accessed for 2 years
B	Archive (R:\) data	Archive	Automatically disposed of 7 years after it was originally created
C	Temporary Storage Area (Scratch Area)	Live	Automatically disposed of if not accessed for 30 days
D	Email data (emails only)	Live	Mailbox items automatically disposed of 2 years after they were created, sent or received. All sent and received mailbox items also logged and archived separately for 5 years.
		Live	Deleted Items folder contents automatically cleared after 30 days
		Archive	Mailbox items automatically disposed from the archive 5 years after they were sent or received
E	Multimedia data	Live	Automatically disposed of 3 years after it was created (unless flagged otherwise by Community Manager or data controller)

Appendix 1 shows the Statutory Records Retention and Disposal Schedule

Withdrawing consent

If you have provided us with your consent to process your personal information you have the right to withdraw this at any time. In order to do so you should contact us by emailing [email protected]

Contact us

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us by contacting:

Harrogate Town AFC CIO
Community House
46-50 East Parade

Harrogate

HG1 5RR

[email protected]

You also have the right to contact the Information Commissioners Office at https:\\ico.org.uk\concerns\

Changes to this notice

Our policies are constantly under review and this Privacy Notice may be changed by us at any time. Any significant changes shall be notified to you.

Policy Date 01/02/2021

Appendix 1 – Definition of Terms

Listed below are the definitions of certain terms as they are used in this policy.

Archive (electronic)	Harrogate Town AFC CIO’s read-only file repository that is used to store non-statutory shared (S:\) and personal (P:\) drive data that has not been accessed for 2 years, ahead of its disposal (5 years after creation).
Archive (physical)	Harrogate Town AFC CIO currently archive documents at their Head Office.
Confidential data	For this policy, any data that is not in the public domain and, if illegitimately accessed, altered, disclosed or destroyed could cause a non-negligible level of risk to Harrogate Town AFC CIO, its staff and beneficiaries. Examples of confidential data include data protected by privacy legislation (i.e. personal data and special category personal data) and data protected by confidentiality agreements as well as internal-only documents and records, such as papers, reports, plans or emails etc.
Document	Any physical or electronic report, article, spreadsheet, presentation, chart, plan, contract, drawing or similar.
Email	For this policy, any item created in Microsoft Outlook, including emails, calendar items, contacts, tasks, notes and journal items.
IT User	Any individual (e.g. employee, volunteer, intern, apprentice, agency staff, consultant, contractor, trustee) working for or on behalf of Harrogate Town AFC CIO who utilises any of our IT services to fulfil their role.
Multimedia	Image, video and audio files or physical photographs, cassettes or discs.
Non-statutory	For this policy, any record that is retained by Harrogate Town AFC CIO that is not required in order to comply with its legal, regulatory, compliance or contractual obligations.
Personal data	Data, whether facts or opinions, which relate to a living individual who can be identified either from the data or from the data in combination with other information that is in the possession of, or likely to come into the possession of Harrogate Town AFC CIO.
Record	For this policy, an organised collection of data items arranged for processing by a computer program or for consumption by an end user, either within a ‘structured’ database or ‘structured’ physical filing system or within ‘unstructured’ file repository, such as a document on the shared (S:\) or personal (P:\) drives or a printed physical copy. Special category personal data: For this policy, information about an individual’s characteristics that are protected under the GDPR (2018) and/or the Equality Act (2010), i.e. that relates to age, disability, health, sexual orientation, sex life, gender, gender reassignment, pregnancy and maternity, racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, criminal proceedings or convictions.
Statutory	For this policy, any record that is retained by Harrogate Town AFC CIO in order to comply with its legal, regulatory, compliance or contractual obligations.
Scratch area / Temporary Storage Area	An alternative electronic data storage area that is designed for easily sharing and collaborating on documents and multimedia such as photos and videos at low cost. The scratch area is accessible through Windows Explorer on the X:\ drive and is open to all IT users. There are no internal security controls in place, which means that all IT users may access all files stored in the scratch area, and therefore, it must never be used to store confidential data. Data stored in the scratch area is not backed up (and is therefore not recoverable in the event of loss) and all data stored there is automatically deleted 30 days after it was last accessed.

Appendix 2 - Statutory Records Retention & Disposal Schedule

Organisational Area	ID	Record	Disposal Policy	Accountable (Role)
Corporate Governance	1	Records on establishment and development of the organisation’s legal framework and governance	6 years after end of life of organisation	Corporate Governance
	2	Trustee Board papers and minutes	6 years after end of life of organisation	Corporate Governance
	3	Management papers and minutes	6 years after end of financial year	Corporate Governance
	4	Subject Access Requests (requests and responses)	6 years from response	Corporate Governance
	5	Litigation with third parties	6 years after settlement of case	Corporate Governance
	6	Provision of legal advice	6 years from date of advice	Corporate Governance
	7	Audit reports	6 years from completion	Corporate Governance
	8	Fraud Investigations	6 years from completion or 5 years after award completion (whichever is later)	Corporate Governance
	9	Strategic plan, business plan, risk plans	6 years from completion	Corporate Governance
Data Protection	10	Consent (where unstructured data)	6 years after consent expired	Data Protection Officer
	11	Privacy notices and index	6 years after end of life of organisation	Data Protection Officer
	12	Record of Processing Activities	6 years after end of life of organisation	Data Protection Officer
	13	Subject Access Requests	6 years after end of life of organisation	Data Protection Officer
	14	Subject Access Request case data	90 days after the SAR case is closed	Data Protection Officer
Financial Management	15	Financial records	6 years after date of signing of accounts or, as applicable, 5 years after award completion (whichever is later)	Community Manager/Financial Controller
	16	Property acquisition (purchase, donation, rental, transfer) Deeds and certificates	6 years after end of ownership/asset liability period	Community Manager
	17	Property leases	15 years after expiry	Community Manager
	18	General contracts and agreements	6 years after contract termination	Community Manager
	19	Unsuccessful tender documents	1 year after tender awarded	Community Manager
Award / Grant Management	20	Unsuccessful application	2 years after decision	Community Manager
Award / Grant Management	21	Successful award file	6 years after end of award	Community Manager
Human Resources Management	22	Job applications and interview records for unsuccessful applicants	6 months after interview	HR - Community Manager
	23	Payroll records – salaries and other payments through payroll	6 years	HR - Community Manager / Payroll company
	24	Payroll records - Maternity, Paternity, Adoption and SSP records	3 years after end of the tax year	HR - Community Manager / Payroll company
	25	Pension details - name, National Insurance number, opt-in notice and joining notice. (Kept by Nest Pensions)	6 years after effective date	HR - Community Manager / Payroll company
	26	Pension details – opt-out (kept by Nest Pensions)	4 years after opt out	HR - Community Manager / Payroll company
	27	A summary of record of service e.g. name, position, dates of employment, pay	6 years after end of employment	HR - Community Manager / Payroll company
	28	Timesheets, pay records and supporting documents such as contracts and contractual letters for employees charged to awards	5 years after payment of award balance	Community Manager
	29	Evidence of right to work	2 years after end of employment	Community Manager
	30	All other HR documents	1 year after end of employment	Community Manager
Donations / Supporters	31	Individual Giving supporter financial and banking data (excluding payment card details)	12 months after end of regular gift	Community Manager
Donations / Supporters	32	Payment card data	Immediately after transaction	Community Manager/Financial Controller
Safeguarding	33	Child welfare concerns referred to a local authority	6 years after referral	Safeguarding Manager
	34	Child welfare concerns not referred to a local authority	1 year after child ceases to be associated with Plan	Safeguarding Manager
	35	Concerns about an adult relating to child safeguarding	10 years	Safeguarding Manager
	36	DBS check outcome	1 year after end of relationship with HTAFC CIO	Safeguarding Manager

For any other type of record, or if you have any questions, please liaise with your immediate Line Manager in the first instance and then, as necessary, the Data Protection Officer.