1. Introduction
 
Walsall FC Community Programme is committed to providing a confidential service to its users. No information given to the Community Programme will be shared with any other organisation or individual without the user’s expressed permission. WFCCP is a Data Controller and acknowledges that it processes personal sensitive data of its service users and staff. When processing data of children, we will seek consent from parents and/or responsible adults for this information.
 
For the purpose of this policy, confidentiality relates to the transmission of personal, sensitive or identifiable information about individuals or organisations (confidential information), which comes into the possession of WFCCP through its work.
 
Walsall FCCP holds personal data about its staff, users, members etc which will only be used for the purposes for which it was gathered and will not be disclosed to anyone outside of the organisation without prior permission.
 
All personal data will be dealt with sensitively and in the strictest confidence internally and externally. It is important that all legal requirements surrounding Data Protection are met and that the Scheme remains compliant at all times.
 
2. Purpose
 
The purpose of the Confidentiality Policy is to ensure that all staff, members, volunteers and users understand the scheme’s requirements in relation to the disclosure of personal data and confidential information. Compliance with the legal requirements is of paramount importance to the WFCCP.
 
3. Principles
 
• All personal paper-based and electronic data must be stored in accordance with the Data Protection Act 2018 and the General Data Protection Reform (GDPR) 2018, and must be secured against unauthorised access, accidental disclosure, loss or destruction.
 
• All personal paper-based and electronic data must only be accessible to those individuals authorised to have access.
 
4. Responsibility
 
The overall responsibility for monitoring and delivery of Data Protection legislation for the Community Programme falls with the Community Director, also acting as Data Protection Lead (who will liaise with the IT Supplier for digital responsibilities) and the Board of Trustees.
 
If required by WFCCP, the Data Protection Lead may wish to contact Walsall Football Club’s HR company for professional advice.
 
Individual staff responsibility includes, but is not exhaustive of:
 
  • Correctly archiving hard copy data collected from individual activities
  • Use of secure passwords when controlling data in a digital format
  • Logging out of emails when leaving computer terminals vacant
  • Maintaining a clear desk when leaving desk space vacant
  • Ensuring hard copy registers are not accessible to members of the public/service users whilst in use at sessions
  • Not sharing data, without consent, in group messaging or emails
  • To correctly destroy hard copy documents that contain personal data but do not require archiving
  • To correctly delete digital documents that contain personal data but do not require archiving
  • To ensure all personal data is secured in the Community Offices/Archive Room once no longer needed for delivery/sessional purposes
  • To prevent unauthorised access to personal data, all staff must ensure that all areas of the Community Department are locked when vacant. This includes ensuring that access to the offices from outside, both externally and internally, is locked, that internal office doors are locked and that the archive room is locked.
 
5. Types of Personal Data
 
Personal data is defined in the GDPR 2018 as any information that relates to an individual. Identifiers that can be used to identify an individual may include name, age, address or any factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
 
Walsall FCCP also regularly collect phone numbers and email addresses of participants or parents for contact details, particularly in case of emergency.
 
6. How Personal Data Will Be Used
 
First and foremost, Walsall FC Community Programme will use personal data to ensure the Safeguarding and Health and Safety of participants on our activities. Phone numbers and emails added to registration forms can be used in an emergency to contact next of kin and to ensure parents are aware of any incidents that have occurred. The contact details are also paramount if a child has not been collected from a session at the appropriate time. Coaches at sessions should have registers with these details available at all times and never left visible and unattended.
 
Unless opted out, which is an option on all WFCCP forms, contact details may also be used to send emails and texts reminding participants and parents of upcoming events and sessions, relevant to the activity they are already registered on.
 
Medical forms will be completed for all development players, with medical notes sections on registration forms for all other participants. Coaches will use this data so they are aware of any existing medical conditions, and know best how to act in a medical emergency during a session. This will save vital time and confusion in an emergency situation.
 
Walsall FCCP may also be required to provide personal data to funders such as the Premier League Charitable Fund and EFL Trust to monitor and evaluate our impact on the local community. All personal details are rarely required; however, entries can be anonymised if appropriate because a participant, group, school or organisation has opted out.
 
As an ICO registered charity, all staff may handle personal data for the above reasons, however managers and senior members of staff should oversee the sharing of data with funders or beneficiaries. Any member of staff unsure on the guidelines should consult the Data Protection Lead.
 
7.1 Consent to Third Party Sharing of Data

In all cases participants, staff and users are to be given the option to opt out of data being used or shared by the charity.
 
In the event of sharing details to a third party, consent will be gathered prior to the sharing of data. WFCCP will then also ensure the correct processes and steps are taken to seek assurance and evidence that the Third Party has the correct Data Protection cover in place as Data Processors and/or Data Handlers (ICO registered).
 
At WFCCP, we recognise that parents have a right to know the information they share with us will be regarded as confidential, as well as to be informed about the circumstances when and the reasons why, we are obliged to share information.
 
We are obliged to share confidential information without authorisation from the person who provided it, or to whom it relates, if it is in the public interest. That is when:
 
  • It is to prevent a crime from being committed or to intervene where one may have been, or to prevent harm to a child or adult; or
  • Not sharing it could be worse than the outcome of having shared it.

The decision should never be made as an individual, but with the back-up of the management team. The three critical criteria are:

  • Where there is evidence that a child is suffering, or at risk of suffering, significant harm.
  • Where there is reasonable cause to believe that a child may be suffering, or is at risk of suffering, significant harm.
  • To prevent significant harm arising to children and young people or adults, including the prevention, detection and prosecution of serious crime.
 
7.2 Procedures
  • Our procedure is based on the seven golden rules for information sharing as set out in Information Sharing: Guidance for Practitioners and Managers (DCSF 2008).
 
1. Remember that the Data Protection Act is not a barrier to information sharing but provides a framework to ensure that personal information about living persons is shared appropriately.
 
  • Our policy and procedures on Information Sharing provide guidance to appropriate sharing of information with external agencies.
 
2. Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could, be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
 
In our scheme we ensure parents:
  • Can request to see our Information Sharing Policy and understand when we may share information. This will only be when it is a matter of safeguarding a child or vulnerable staff;
  • Have information about our Safeguarding and Children Protection Policy; and
  • Have information about the other circumstances when information will be shared with external agencies.
 
3. Seek advice if you are in doubt, without disclosing the identity of the person where possible.
 
4. Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgements on the facts of the case.
 
  • Guidelines for consent are part of this procedure.
 
5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions. In our scheme we:

  • Record concerns and discuss these with the scheme’s designated person(s) for child protection matters;
  • Record decisions made and the reasons why information will be shared and to whom; and
  • Follow the procedures for reporting concerns and record keeping.
 
6. Necessary, proportionate, relevant, accurate, timely and secure. Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with the people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
 
Our Safeguarding Children and Child Protection Policy and Children’s Records Policy set out how and where information should be recorded and what information should be shared with another agency when making a referral.
 
7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.
 
Where information is shared, the reasons for doing so are recorded; where it is decided that information is not to be shared that is recorded too.

7.3 Consent
 
Parents have a right to be informed that their consent to share information will be sought in most cases, as well as the kinds of circumstances when their consent may not be sought or their refusal to give consent may be overridden. We do this as follows:
 
Our policies and procedures set out responsibility regarding gaining consent to share information and when it may not be sought or overridden.
 
We consider the following questions when we need to share:
- Is there legitimate purpose to sharing the information?
- Does the information enable the person to be identified?
- Is the information confidential?
- If the information is confidential, do we have consent to share?
- Is there a statutory duty or court order requiring us to share the information?
- If consent is refused, or there are good reasons not to seek consent, is there sufficient public interest for us to share information?
- If the decision is to share, are we sharing the right information in the right way?
- Have we properly recorded our decision?
 
All of the undertakings above are subject to the paramount commitment of the scheme, which is to the safety and well-being of the participant. Please see our Safeguarding Children and Safeguarding Adults policies.
 
8. Accuracy and Updating Data
 
To ensure registers and personal data are as accurate as possible, WFCCP staff should make sure the participants themselves, or parent, guardian or carer where applicable, fill in the registration form for activities.
 
Forms should then be updated regularly to ensure all details, particularly phone numbers, are accurate and up to date. If a coach cannot contact a participant using the phone numbers available to them, they should speak to them at a session as soon as reasonably possible and ensure this is rectified. Any data that is found to be false or incorrect should be amended or erased without delay.
 
If there is a mistake in personal data, once amended, this should be recorded. Records should also identify any matters of opinion (e.g. medical), and whose opinion it is. WFCCP staff should record any challenges to the accuracy of personal data they encounter as good practice.
 
9. Statistical Recording
 
Walsall FC Community Programme is committed to effective statistical recording of the use of its services in order to monitor usage and performance.
 
All statistical records given to third parties, such as to support funding applications or monitoring reports for the local authority shall be produced in anonymous form so individuals cannot be recognised, or in line with policies supplied to WFCCP by the third party wishing to collect this data.
 
10. Records and Archiving
 
All records are kept in locked offices and filing cabinets. All information relating to service users will be left in locked drawers. This includes notebooks, copies of correspondence and any other sources of information.
 
Once records such as registers or forms are no longer needed by staff, they may be archived for future reference. Walsall FCCP have an Archive Room, with the key kept in a secure location. Any items that are archived should be placed in the most relevant filing cabinet, and the archiving staff member should detail this on the Archive Room’s log. Items should be kept in the archive room for up to three years before they should be destroyed, however certain items can be held in the Archive Room longer if necessary.
 
Any paper containing personal data which does not need to be archived should be put in the ‘Shredding’ trays in the Community Offices. These must be emptied and paper shredded by staff on a regular basis.
 
11. Staff Training
 
Periodically, staff will be given internal staff training to ensure that they are fully aware of their responsibilities regarding data protection and confidentiality. The policy will also be included during the induction process for new staff members.
 
Training should be provided to all staff/volunteers within one month of joining the Community Programme, and then at least every two years thereafter.
 
Training should be organised by the Community Managers and Director, and should stay up to date with the latest data protection legislation.
 
12. Confidentiality and Privacy
 
At Walsall FC Community Programme we believe confidentiality is central to the trust between staff and participants. Participants have the right to expect their privacy will be respected and information will be kept in confidence by the scheme.
 
When information is shared with third parties, the same standard of confidentiality will apply. Registration forms will notify participants if data will be shared, along with the purposes of sharing and an option to opt out. Walsall FCCP will only share data with organisations that also have ICO certification, or equivalent, as registered data handlers.
 
If a person is registering someone else on our activities, such as another family member, they should receive written or verbal consent to enrol them on the session, and share the relevant personal information with WFCCP.
 
Personal information should always remain confidential and private unless conditions for breaching confidentiality are met.
 
12.1 Breaches of Confidentiality
 
Walsall FCCP recognises that occasions may arise where individual workers feel they need to breach confidentiality. Confidential or sensitive information relating to an individual may be divulged where there is risk of danger to the individual, a volunteer or employee, or the public at large, or for safeguarding purposes, or where it is against the law (legal order) to withhold it. In these circumstances, information may be divulged to external agencies e.g. police or social services on a need to know basis.
 
Where workers feel confidentiality should be breached the following steps will be taken:
• The worker should raise the matter immediately with the relevant Community Manager.
• The worker must discuss with the Community Manager the issues involved in the case and explain why they feel confidentiality should be breached and what would be achieved by breaching confidentiality. The Community Manager should take a written note of this discussion.
• The Community Manager is responsible for discussing with the worker what options are available in each set of circumstances.
• The Community Manager is responsible for making a decision on whether confidentiality should be breached. If the Community Manager decides that confidentiality is to be breached then they should take the following steps:
- The Community Manager should contact the Community Director in the first instance, or Chair of the WFCCP Board of Trustees. The Manager should brief the Community Director or Chair of Trustees on the full facts of the case, ensuring they do not breach confidentiality in doing so. The Community Manager should seek authorisation to breach confidentiality from the Community Director or Chair of Trustees.
- If the Community Director or Chair of Trustees agrees to breach confidentiality, a full written report on the case should be made and any action agreed undertaken. The Community Manager is responsible for ensuring all activities are actioned.
- If the Community Director or Chair of Trustees does not agree to breach confidentiality then this is the final decision of WFCCP.
 
13. Information Technology
 
Walsall FCCP outsource IT support to a local IT provider. It is the responsibility of both the Community Programme and the IT supplier to ensure compliance with Data Protection.
 
Anti-malware software is installed on all computer systems and both parties review, annually, the software and email support to remain compliant.
 
To ensure data of participants is kept secure on computer systems the following procedures should be followed:
- Computer systems in the Community Office are the only systems to be used for storing Data.
- The Community Office is for staff only. Visitors are to be supervised at all times.
- All computers should be password controlled by the staff who require their use.
- The Community Office should be kept locked, internally within the Stadium, if unattended at any time.
- Laptops that are taken to external locations should be signed in and out of the Community Office.
- Unauthorised use of computers (including controlling data), or failure to follow procedure, will result in Staff Disciplinary at the appropriate level.
 
14. Third Party Data Processors
 
Where required, contracts will be in place with third parties including the outsourced IT provider to ensure data protection of sensitive information is followed.
 
The outsourced wage accountants process all sensitive emails with encryption and individual passwords for all staff.
 
When required, and if available, emails sent that contain sensitive information will be encrypted.
 
15. Legislative Framework
 
The Data Protection Lead will monitor this policy to ensure it meets statutory and legal requirements including the Data Protection Act, GDPR, Children's Act, Rehabilitation of Offenders Act and Prevention of Terrorism Act. Training on the policy will include these aspects.
 
16. Ensuring the Effectiveness of the Policy
 
All Trustees will receive a copy of the policy. Existing and new workers will be introduced to the Confidentiality, Consent and Data Protection Policy via induction and training. The policy will be reviewed once every three years and amendments will be proposed and agreed by the Trustees.
 
When amending the policy, the WFCCP Board of Trustees should consider any major changes in the scheme’s activities. The trustees should also take into account any changes in data protection law, or guidance by the ICO that will affect the Community Programme.
 
17. Non-adherence
 
Breaches of this policy will be dealt with under the Grievance and/or Disciplinary procedures as appropriate.