THE IRISH BOWLS FEDERATION – DATA PROTECTION POLICY
If you handle personal information about individuals, you have a number of legal
obligations to protect that information under the Data Protection Act 1998.
The Data Protection Act came into force in 1998 and is a complex piece of legislation and it is vital that those who collect and use personal data maintain the confidence of those who are asked to provide it by complying with the requirements of the Data Protection Legislation.
The Legislation applies to personal data that is data about identifiable living individuals and those who decide how and why personal data is processed must comply with the rules of good information handling known as the ‘Data Protection Principles’ listed below and the other requirements within the Legislation.
The Legislation requires that any personal data that is collected must be handled correctly and must comply with the eight enforceable principles of good practice. These are:
Fairly and lawfully processed
Processed for limited purposes and not in a manner incompatible with those
Adequate, relevant and not excessive
Not kept for longer than is necessary
Processed in line with the Data Subject’s rights
Not transferred to countries without adequate protection
However, most Clubs may claim the unincorporated members Clubs exemption from registration, subject to access request under the old Act. This applies to non-profit making organisations.
The exemption from notification does not exempt you from complying with the other provisions of the Legislation, particularly subject access request and the processing of data in accordance with the Data Protection Principles as indicated above.
To benefit from the exemption the following conditions must be satisfied in relation to the processing of data:
This is carried out by a body or Association not established or conducted for profit
It is for the purposes of establishing or maintaining membership of or support for the body or organisation providing or administering activities for individuals who are members of the body or have regular contact with it
It is personal data, of which the Data Subject is a past, present or prospective
member of the body
It consists of the name, address and other identifiers as to the eligibility for
It does not involve disclosure to third parties other than with consent or where
necessary to process the data
It does not involve keeping the data after relationship ends, unless and for so long
as is necessary for exempt purposes
Essentially, this exemption enables Clubs to manage themselves and carry out there
purpose without having to notify with a Data Protection Registrar. Many Clubs will not hold vast amounts of data about individuals or use the data held by them for a wider purpose. If you are holding data about individuals that you need for your purposes then in order to fall within the exemption it may be sensible to audit the data so that you hold what you need to carry out your purposes.
It is very important, in order to benefit from the exemption that you obtain the specific consent from each of your Data Subjects to the transfer of data to third parties if you propose to do this. If an individual does not consent then the data may not be transferred.
Using your membership data commercially
If you process data for purposes wider than running of your Club, for example, if you
fundraise by obtaining sponsorship or sell your databases, then you will need to NOTIFY with the Data Protection Registrar. There is a template form for Clubs/Societies, which lists the general purposes for which a Club processes data (administration of membership, fundraising and processing note for profit organisations). If you process data for other purposes, for example trading, in personal data or information administration these purposes will need to be added.
Collection of data
When collecting data, the following information must be provided to the Data Subject:
Who you are
What data you are collecting
For what purpose (if there is more than one this must be stated and if direct
marketing is one of the purposes an opportunity must be given)
If the data will be transferred to a third party (and give them the opportunity to
opt out of this)
Where the data is being used for direct marketing it is important to get consent to this purpose from the Data Subject, as it is unlikely that any of the other conditions in Schedule 1 to the Act will be met permitting you to process the data. If the data is sensitive, explicit (positive) consent must be obtained i.e. a tick box will not be sufficient.
Transfer of data
If you do transfer data to third parties you need to ensure that in your agreement with them you have an undertaking from them to use the data only for the purpose agreed, which cannot be a wider purpose than what you tell your members that you are transferring thedata for.
If you employ a Data Processor to carryout processing on your behalf, eg data inputting, you need a written contract with the Data Processor, which needs to include specific guarantees relating to the Data Security.
The Rights of Individuals
The Act allows individuals to find out what information is held about them on computer and some paper records. This is known as the Right of Subject Access.
The Act allows individuals to apply to the court to order a Data Controller to rectify, block, erase or destroy personal details, if they are inaccurate or contain expressions of opinion, which are based on inaccurate data.
The Data Subjects can ask the Data Controller to stop or not to begin processing data
relating to him or her for direct marketing purposes. This is an ‘absolute right’.
Subjects can claim compensation from a Data Controller for damage or damage and
distress caused by any breach of the Data Protection Act.
It is an offence to obtain, disclose, sell or advertise for sale, or bring about the disclosure of personal data without the consent of the Data Controller.
For more information go to: http://www.ico.gov.uk/for_organisations/data_protection.aspx
For more detailed and indepth information the following websites may help you to find the information that you need.
Running Sports – Data Protection Guidance for Sport Providers
Information Commissioner’s Office
The above information is provided as a basic guide and signposts to organisations with the appropriate level of expertise that can offer guidance and support in this particular area of legislation. IBF and its staff cannot accept any liability for any loss arising as a result of reliance upon the information contained herein. Readers are advised to obtain professional advice on an individual basis.