Who we are
This Notice tells you what to expect in relation to personal information about you which is collected, handled and processed by Harrogate Town AFC CIO, Community House, 46-50 East Parade, Harrogate, HG1 5RR (“HTAFC CIO” or “We”) as Data Controller.
We are committed to protecting your data and respecting your privacy.
We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect with your data. We handle and process data in accordance with the General Data Protection Regulation 2018 (“GDPR”).
Information we may collect
You give us information when you apply for a job; complete an application form or submit a CV; attend an interview; accept a job offer and provide details for your contract of employment and to enable us to pay you and for general administrative purposes or when you complete an employee survey or form. We also use cookies on our website. This information may be provided via a form, phone, email or online; or by communicating with us via any other channel.
The information about you that we may collect, hold and process may include:
- Name and contact information including postal addresses, email addresses and phone numbers
- National Insurance numbers or other national government identifiers
- Date of birth
- Gender
- Financial account information such as bank account details and payroll information
- Pension and Insurance enrolment information.
- Health and genetic information
- Drug and alcohol testing information
- Passport and driving licence information
- Personal records
- Marital status, dependants and beneficiaries
- Next of kin and emergency contact information
- Salary, annual leave and benefit information
- Compensation history
- Performance information
- Disciplinary and grievance information, where applicable
- Start date and job title
- Location of employment
- Education and training qualifications, skills and employment history
- Employment records (including professional memberships, references, work history, and proof of work eligibility)
- Photographs
- IP Address
- Other personal details included in a CV or cover letter or that you have otherwise voluntarily provided.
- Information gathered by employee monitoring and (where applicable) CCTV footage
- Cookies data when visiting our website
The sensitive personal information that we may also collect includes:
- Racial or ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Trade union membership
- Health, sex life or sexual orientation
- Genetic and biometric data
We may collect information about you from third parties such as:
- Recruitment and employment agencies
- HMRC
- DVLA
- Previous employers and referees provided to us by you
- Disclosure and Barring Service
- Medical professionals or occupational health
- Training providers
- Public sources such as LinkedIn, Facebook and other social media platforms
- Police
We keep a record of the emails sent between you and HTAFC CIO.
We may monitor or record calls for commercial, security and training purposes and to improve our business processes.
Your image and vehicle number plate may be recorded by CCTV at any of our sites for safety and security purposes and for disciplinary purposes. This footage may also be used to exercise and defend our legal rights. Where necessary this footage will also be shared with the authorities for law enforcement purposes.
How we use your information
The above information is used to:
Administer and manage the employment contract and relationship
- Payroll, pension and benefits administration
- Background checks
- Insurance
- Performance reviews and evaluations
- Training and development
- Investigating grievances and disciplinary matters
- Monitoring employee activities
- Entry identification and time recording
- Compliance with applicable laws, court orders or other legal or tax requirements
- Allow us to make reasonable adjustments in respect of any disability you have informed us of
- Allow us to monitor the effectiveness of our equal opportunities policy
- Obtain government or other third party funding and apply the apprenticeship levy
- Assist in any Governing Body or other external stakeholder investigations
- Management of travel, accommodation and insurance on your behalf
- Notify you of Group Company offers
- To make you aware of relevant information based on your cookie preferences
Performance of the employment contract including:
- Obligations required by law and HMRC
- Management, planning and organisation of work
- Equality and diversity in the workplace
- Health and safety
- Protection of employer or customer property
- Rights and benefits related to employment
- Disciplinary and termination
During the performance of your duties as an employee, HTAFC CIO and/or its media partners may from time to time create images and/or audio-visual footage of you for the following purposes:
- Safety and security purposes;
- Promotional, marketing and commercial purposes;
- Training for Foundation employees and third parties who work with the Foundation;
- Broadcasting and editorial purposes.
How we keep your information safe
All personal information we hold is stored on our secured servers in the UK and EU.
Access to our information is strictly controlled. We may disclose your details to police, regulatory bodies, local authorities, football governing bodies or legal and professional advisors and insurers if so required. If any of the organisations to which we disclose your personal information is situated outside the European Economic Area (EEA) we would take reasonable steps to ensure that your information is properly protected including safeguards such as using contractual provisions to ensure your information is properly protected.
Disclosure of your information
We do not share your information with any other third party without your agreement unless we are under a duty to disclose or share your personal data in order to comply with any legal or tax obligation, or in order to enforce or apply the terms of the employment contract; or to protect the rights, property, or safety of the Foundation or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
We will share your information with future employers on your request.
Any third party providers used by us to fulfil our contractual obligations to you will only collect, use, store and disclose your information in the manner and to the extent necessary for them to provide their services to us. We have written agreements in place with each third party to ensure that your information is kept securely, is not used for any other purpose and is deleted when no longer required.
Such third party providers may include:
- Sage Payroll
- Howard Matthews Accountancy/Elite Payroll
- Pension company
- Private healthcare
- Life assurance and insurance companies
- Strata Homes (IT)
- Travel and accommodation booking services
- Training providers
- Funding providers
- HMRC
- Department of Work & Pensions
- HSE
- Police
We may share personal information with other organisations such as the Premier League, the English Football League, the Office for National Statistics and other governing bodies for compliance purposes, research, reporting and improvement of strategic planning and business decisions or funding.
We never sell personal information to third parties.
What is the legal basis for processing information
The legal basis for collecting and processing your data may be:
- Consent – you may have pro-actively given us your written consent to use your data (if there is no other legal basis to do so). We will also seek your consent for accessing potentially sensitive data such as health records and other potentially sensitive data. You can withdraw your consent at any time.
- Performance of a Contract – entering into and performance of the employment contract with us means we need your personal information including financial information.
- Legal obligation – if required by law to process personal information for example to comply with employment, social security or social protection law, health and safety and equality obligations, to provide information to the police to prevent fraud or criminal activity and to comply with our HMRC obligations.
- Legitimate interest – for a genuine business reason that does not override your rights, freedom or interests for example administrative purposes.
- To protect another person’s vital interest.
- For carrying out public functions or for public interest.
Your rights
You have the right at any time to ask for a copy of the information we hold about you and confirmation of how it is being processed. You will be required to verify your identity when making a request. If you would like to make a request for information please:
Email – [email protected] or send a request in writing to Data Protection Officer, Harrogate Town AFC CIO, the Envirovent Stadium, Wetherby Road, Harrogate, HG2 7SA
You also have the right to:
- Request that we correct inaccuracies to your information or complete your information if incomplete. You must notify us of any updates, amendments or corrections to previously collected personal information in writing to HR. This can be via email. We require you to keep the personal information we hold on you up to date and accurate;
- request that we delete some or all of your personal information for example if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;
- request that we stop or limit the processing of your information where you think the information we hold is inaccurate (until the accuracy is proved or updated); if you have objected to the processing (when it was necessary for legitimate interests); if you have consented to the use of it; or if it is no longer necessary for us to hold it for the purpose it was provided and we have no legal basis to retain it;
- (in certain circumstances) move, copy or transfer your personal information to another organisation or to yourself. This applies only to personal information you have provided us with and is being processed by us with your consent or for performance of a contract and is processed automatically;
- (in certain circumstances) you have the right to object to certain types of processing of your personal information when it is based on legitimate interests, when it is processed for direct marketing including profiling, or when it is processed for the purpose of statistics.
How long do we keep your information?
Appropriate retention of data is necessary for our operational performance and in some cases is required to fulfil statutory or other regulatory requirements.
However, the retention of data can lead to unnecessary and excessive use of electronic or physical storage space, and indefinite retention of personal data can breach the General Data Protection Regulation (2018). Harrogate Town AFC CIO looks to ensure that records and documents are preserved in line with business and legislative requirements and that data is not retained for any longer than necessary.
Data Archiving
The rules on data archiving vary according to the format of a data record, as set out below.
Automated Electronic Records Archive - Documents, Email, Multimedia
Non-statutory electronic records stored on personal drives that have not been accessed for 2 years will be automatically transferred to an electronic archive. Statutory records will be excluded from this process if they are stored in the designated departmental statutory records folder. Archived files may be accessed in read-only format through the Archive (R:\) drive until they are subsequently removed from the system, 7 years after their creation.
Physical Records Archive
Physical statutory records which are older than 2 years and don’t need to be accessed on a day-to-day basis must be archived. The records will be archived within the Harrogate Town AFC CIO offices.
Electronic Records Retention & Disposal - Documents, Email, Multimedia
The following retention rules apply to all Harrogate Town AFC CIO documents, email and multimedia.
Non-Statutory Records - Schedules A-E:

| Schedule | Description | Status | Archive & Disposal Policy |
|---|---|---|---|
| A | Non-statutory shared Personal Drive Data | Live | Automatically archived if not accessed for 2 years |
| B | Archive (R:\) data | Archive | Automatically disposed of 7 years after it was originally created |
| C | Temporary Storage Area (Scratch Area) | Live | Automatically disposed of if not accessed for 30 days |
| D | Email data (emails only) | Live | Mailbox items automatically disposed of 2 years after they were created, sent or received. All sent and received mailbox items also logged and archived separately for 5 years. |
| | | | Deleted Items folder contents automatically cleared after 30 days |
| | | Archive | Mailbox items automatically disposed from the archive 5 years after they were sent or received |
| E | Multimedia data | Live | Automatically disposed of 3 years after it was created (unless flagged otherwise by Community Manager or data controller) |

Appendix 1 shows the Statutory Records Retention and Disposal Schedule
Withdrawing consent
If you have provided us with your consent to process your personal information you have the right to withdraw this at any time. In order to do so you should contact us by emailing [email protected]
Contact us
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us by contacting:
Harrogate Town AFC CIO
Community House
46-50 East Parade
Harrogate
HG1 5RR
You also have the right to contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
Changes to this notice
Our policies are constantly under review and this Privacy Notice may be changed by us at any time. Any significant changes shall be notified to you.
Policy Date 01/02/2021
Appendix 1 – Definition of Terms
Listed below are the definitions of certain terms as they are used in this policy.

| Term | Definition |
|---|---|
| Archive (electronic) | Harrogate Town AFC CIO’s read-only file repository that is used to store non-statutory shared (S:\) and personal (P:\) drive data that has not been accessed for 2 years, ahead of its disposal (5 years after creation). |
| Archive (physical) | Harrogate Town AFC CIO currently archive documents at their Head Office. |
| Confidential data | For this policy, any data that is not in the public domain and, if illegitimately accessed, altered, disclosed or destroyed could cause a non-negligible level of risk to Harrogate Town AFC CIO, its staff and beneficiaries. Examples of confidential data include data protected by privacy legislation (i.e. personal data and special category personal data) and data protected by confidentiality agreements as well as internal-only documents and records, such as papers, reports, plans or emails etc. |
| Document | Any physical or electronic report, article, spreadsheet, presentation, chart, plan, contract, drawing or similar. |
| | For this policy, any item created in Microsoft Outlook, including emails, calendar items, contacts, tasks, notes and journal items. |
| IT User | Any individual (e.g. employee, volunteer, intern, apprentice, agency staff, consultant, contractor, trustee) working for or on behalf of Harrogate Town AFC CIO who utilises any of our IT services to fulfil their role. |
| Multimedia | Image, video and audio files or physical photographs, cassettes or discs. |
| Non-statutory | For this policy, any record that is retained by Harrogate Town AFC CIO that is not required in order to comply with its legal, regulatory, compliance or contractual obligations. |
| Personal data | Data, whether facts or opinions, which relate to a living individual who can be identified either from the data or from the data in combination with other information that is in the possession of, or likely to come into the possession of Harrogate Town AFC CIO. |
| Record | For this policy, an organised collection of data items arranged for processing by a computer program or for consumption by an end user, either within a ‘structured’ database or ‘structured’ physical filing system or within ‘unstructured’ file repository, such as a document on the shared (S:\) or personal (P:\) drives or a printed physical copy. |
| Statutory | For this policy, any record that is retained by Harrogate Town AFC CIO in order to comply with its legal, regulatory, compliance or contractual obligations. |
| Scratch area / Temporary Storage Area | An alternative electronic data storage area that is designed for easily sharing and collaborating on documents and multimedia such as photos and videos at low cost. The scratch area is accessible through Windows Explorer on the X:\ drive and is open to all IT users. There are no internal security controls in place, which means that all IT users may access all files stored in the scratch area, and therefore, it must never be used to store confidential data. Data stored in the scratch area is not backed up (and is therefore not recoverable in the event of loss) and all data stored there is automatically deleted 30 days after it was last accessed. |

Appendix 2 - Statutory Records Retention & Disposal Schedule

| Organisational Area | ID | Record | Disposal Policy | Accountable (Role) |
|---|---|---|---|---|
| Corporate Governance | 1 | Records on establishment and development of the organisation’s legal framework and governance | 6 years after end of life of organisation | Corporate Governance |
| | 2 | Trustee Board papers and minutes | 6 years after end of life of organisation | Corporate Governance |
| | 3 | Management papers and minutes | 6 years after end of financial year | Corporate Governance |
| | 4 | Subject Access Requests (requests and responses) | 6 years from response | Corporate Governance |
| | 5 | Litigation with third parties | 6 years after settlement of case | Corporate Governance |
| | 6 | Provision of legal advice | 6 years from date of advice | Corporate Governance |
| | 7 | Audit reports | 6 years from completion | Corporate Governance |
| | 8 | Fraud Investigations | 6 years from completion or 5 years after award completion (whichever is later) | Corporate Governance |
| | 9 | Strategic plan, business plan, risk plans | 6 years from completion | Corporate Governance |
| Data Protection | 10 | Consent (where unstructured data) | 6 years after consent expired | Data Protection Officer |
| | 11 | Privacy notices and index | 6 years after end of life of organisation | Data Protection Officer |
| | 12 | Record of Processing Activities | 6 years after end of life of organisation | Data Protection Officer |
| | 13 | Subject Access Requests | 6 years after end of life of organisation | Data Protection Officer |
| | 14 | Subject Access Request case data | 90 days after the SAR case is closed | Data Protection Officer |
| Financial Management | 15 | Financial records | 6 years after date of signing of accounts or, as applicable, 5 years after award completion (whichever is later) | Community Manager/Financial Controller |
| | 16 | Property acquisition (purchase, donation, rental, transfer) Deeds and certificates | 6 years after end of ownership/asset liability period | Community Manager |
| | 17 | Property leases | 15 years after expiry | Community Manager |
| | 18 | General contracts and agreements | 6 years after contract termination | Community Manager |
| | 19 | Unsuccessful tender documents | 1 year after tender awarded | Community Manager |
| Award / Grant Management | 20 | Unsuccessful application | 2 years after decision | Community Manager |
| | 21 | Successful award file | 6 years after end of award | Community Manager |
| Human Resources Management | 22 | Job applications and interview records for unsuccessful applicants | 6 months after interview | HR - Community Manager |
| | 23 | Payroll records – salaries and other payments through payroll | 6 years | HR - Community Manager / Payroll company |
| | 24 | Payroll records - Maternity, Paternity, Adoption and SSP records | 3 years after end of the tax year | HR - Community Manager / Payroll company |
| | 25 | Pension details - name, National Insurance number, opt-in notice and joining notice. (Kept by Nest Pensions) | 6 years after effective date | HR - Community Manager / Payroll company |
| | 26 | Pension details – opt-out (kept by Nest Pensions) | 4 years after opt out | HR - Community Manager / Payroll company |
| | 27 | A summary of record of service e.g. name, position, dates of employment, pay | 6 years after end of employment | HR - Community Manager / Payroll company |
| | 28 | Timesheets, pay records and supporting documents such as contracts and contractual letters for employees charged to awards | 5 years after payment of award balance | Community Manager |
| | 29 | Evidence of right to work | 2 years after end of employment | Community Manager |
| | 30 | All other HR documents | 1 year after end of employment | Community Manager |
| Donations / Supporters | 31 | Individual Giving supporter financial and banking data (excluding payment card details) | 12 months after end of regular gift | Community Manager |
| | 32 | Payment card data | Immediately after transaction | Community Manager/Financial Controller |
| Safeguarding | 33 | Child welfare concerns referred to a local authority | 6 years after referral | Safeguarding Manager |
| | 34 | Child welfare concerns not referred to a local authority | 1 year after child ceases to be associated with Plan | Safeguarding Manager |
| | 35 | Concerns about an adult relating to child safeguarding | 10 years | Safeguarding Manager |
| | 36 | DBS check outcome | 1 year after end of relationship with HTAFC CIO | Safeguarding Manager |

For any other type of record, or if you have any questions, please liaise with your immediate Line Manager in the first instance and then, as necessary, the Data Protection Officer.