Wigan Athletic Community Trust ‘The Trust’ acknowledges and accepts it has a responsibility to ensure data collected internally and externally within the Trust is stored securely and in line with the guidelines set out in this policy. Any breach of the Trusts Data Protection Policy is considered to be an offence and in that event, the Trust’s disciplinary procedures will apply. 


As a matter of good practice, other agencies and individuals working with the Trust, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments/sections who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy. 


  1. Personal Data must be processed fairly and lawfully and shall not be processed unless certain conditions are met.
  2. Data must be obtained only for specified and lawful purposes and must not be processed in any way that is incompatible with that purpose.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  4. Personal Data shall be accurate and kept up-to-date.
  5. Personal Data processed for any purposes shall not be kept for longer than is necessary for those purposes.
  6. Personal data shall be processed in accordance with the rights of the data subjects under this Act [Data Protection Act 1998].
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

All staff, participants and other contacts are entitled to:

  • know what information the Trust holds and processes about them and why;
  • know how to gain access to it;
  • know how to keep it up to date;
  • know what the Trust is doing to comply with its obligations under the 1998 Act.

The Trust will therefore provide all staff and participants and other relevant users with a standard form of notification. This will state all the types of data the Trust holds and processes about them, and the reasons for which it is processed. The Trust will try to do this at least once every two years for participants and once every 3 years for staff. 


  • checking that any information that they provide to the Trust  in connection with their employment is accurate and up to date;
  • informing the Trust of any changes to information, which they have provided, i.e. changes of address
  • checking the information that the Trust  will send out from time to time, giving details of information kept and processed about participants;
  • informing the Trust of any errors or changes. The Trust cannot be held responsible for any errors unless the staff member has informed the Trust of them.

If and when, as part of their responsibilities, staff collect information about other people, (i.e. opinions about ability, references to other programmes, or details of personal circumstances), they must ensure they are password protected.

Any member of staff, who considers that the policy has not been followed in respect of their personal data, should raise the matter with their line manager. If the matter is not resolved it should be raised in line with the Trusts Grievance Procedure.



All employees are responsible for ensuring that:

  • Any personal data which they hold is kept securely.
  • Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
  • Passwords to logon to laptops/PCs should be changed monthly. This will be circulated by the Operations Manager and a log will be kept centrally.

Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Personal information should be:

  • kept in a locked filing cabinet; or
  • in a locked drawer; or
  • if it is computerised, be password protected; or kept only on disk which is itself kept securely.

Participants responsibilities

Participants must ensure that all personal data provided to the Trust is accurate and up 

Rights to access information

Employees, participants and other contacts, have the right to access any personal data that is being kept about them either on computer or in certain files. Any participant who wishes to exercise this right should complete the “Access to Information" form and give it to their line manager.

The Trust aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within one week unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.


In many cases, the Trust can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the Trust processing some specified classes of personal data is a condition of acceptance on a course or programme/activity, and a condition of employment for staff. This includes information about previous criminal convictions.

Some activities will bring staff into contact with children, including young people between the ages of U6 and U18. The Trust has a duty under the Children Act and other enactments to ensure that employees are suitable for these activities. The Trust also has a duty of care to all employees and participants and must therefore make sure that employees and those who use the Trust facilities do not pose a threat or danger to other users.

The Trust will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The Organisation will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for 


Sometimes it is necessary to process information about a person's health, criminal convictions, race and gender and family details.

This may be to ensure the Organisation is a safe place for everyone, or to operate other Club policies. All registered participants will be required to give their consent at the start of their employment or participation with the trust for their sensitive data to be processed. All such information will be processed in line with data protection requirements.   


The Trust as a body corporate is the data controller under the Act, and is therefore ultimately responsible for implementation.  In general terms, employees have the following responsibilities:

  • to ensure that all data is processed fairly;
  • to ensure that the data is accurate, and that processes exist to check and amend data as necessary;
  • to ensure that consent is obtained either generally or expressly;
  • to ensure that policies and procedures are in place to enable access by those whom the data concerns;
  • to ensure that data is kept securely and disposed of properly;
  • to make sure the notification requirements are satisfied;


The Trust will keep some forms of information for longer than others. Because of storage problems, information about participants cannot be kept indefinitely, unless there are specific requests to do so. In general information about participants will be kept for a minimum time.  Information may include

  • name and address, age, address and postcode, gender, ethnicity

All other information, including any information about health, race or disciplinary matters will be destroyed within one year of the participant leaving the Trust activity/courses/programmes. The Trust will also need to keep information about staff. In general, all information will be kept for three years after a member of staff leaves the Trust.

Compliance with the 1998 Act is the responsibility of all members of the Organisation. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Head of department.


  1. All employees will process data about participants on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or Coaching or supervisory role.  The Organisation will ensure through induction procedures, that all participants give their consent to this sort of processing, and are notified of the categories of processing, as required by the 1998 Act.  The information that Staff deal with on a day-to-day basis will be 'standard’.
  2. Information about a players/participant’s physical or mental health; sexual life; political or religious views; ethnicity or race is sensitive and can only be collected and processed with their written consent

E.g.: recording information about dietary needs, for religious or health reasons prior to taking participants on a field trip; recording information that a player/participant is depressed, as part of pastoral duties.

  1. All employees have a duty to make sure that they comply with the data protection principles, which are set out in this (and the club’s) Data Protection Policy.  In particular, Staff must ensure that all player records are:
  • accurate;
  • up-to-date;
  • fair;
  • kept and disposed of safely
  1. Staff must seek advice from their line manager to hold or process data that is:
  • non-standard data; or
  • sensitive data.

Sensitive or non-standard data may be disclosed to a third party byt the senior management team if the Trusts Head of Community is not available. This should only happen in very limited circumstances, e.g. a player/participant is injured and unconscious, but in need of medical attention, and staff tell the hospital that the player is on medication or a Jehovah's Witness.

  1. All employees will be responsible for ensuring that all data is kept securely within the Department.
  2. Staff must not disclose personal data to any player/participant, unless for normal technical or pastoral purposes, without prior agreement from their line manager
  3. Employees shall not disclose personal data to any other staff member except with the prior agreement of their line manager.
  4. Before processing any personal data, all employees should consider the checklist.

Employee Checklist for Recording Data

  • Do you really need to record the information?
  • Is the information 'standard' or is it 'sensitive'?
  • If it is sensitive, do you have the data subject's express consent?
  • Has the player been told that this type of data will be processed?
  • Are you authorised to collect/store/process the data?
  • If yes have you checked with the data subject that the data is accurate?
  • Are you sure that the data is secure?
  • If you do not have the data subject's consent to process, are you satisfied that it is in the best interests of the player or the staff member to collect and retain the data?
  • Have you reported the fact of data collection to your line manager?


Types of Data

Suggested Retention Period


Personnel files including training records and notes of disciplinary and grievance hearings.

6 years from the end of employment

References and potential litigation

Application forms / interview notes

At least 1 year from the date of the interviews

Time limits on litigation

Facts relating to redundancies where less than 20 redundancies

3 years from the date of redundancy

Limitation Act 1980

Income Tax and NI returns, including correspondence with tax office

At least 3 years after the end of the financial year to which the records relate

Income Tax (Employment) Regulations 1993

Statutory Maternity Pay records and calculations

As Above

Statutory Maternity Pay (General) Regulations 1986

Statutory Sick Pay records and calculations

As Above

Statutory Sick Pay (General) Regulations 1982

Wages and salary records

6 years

Taxes Management Act 1970

Accident books, and records and reports of accidents

3 years after the date of the last entry


Health records

During employment

Management of Health and Safety at Work Regulations

Health records where reason for termination of employment is connected with health, including stress related illness

3 years

Limitation period for personal injury claims

Medical Records kept by reason of the Control of Substances Hazardous to Health Regulations 1994

40 years


Participants’  records, including technical/academic achievements, and conduct

At least 3 years from the date the player leaves Wigan Athletic in case of litigation for negligence.

At least 5 years for personal and technical/ academic references, with the agreement of the player.

Limitation period for negligence