As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this regard. In the course of its activities, Edinburgh Kayak Club (EKC) will collect, store and process personal information, and it recognises that the correct and lawful treatment of this information will maintain confidence in the organisation
The types of personal information that EKC may be required to handle include
● members and, where applicable, their guardians;
● current, past and prospective officers, board and committee members, volunteers,
advisers, consultants, contractors and agents;
● those individuals who have undertaken training or qualifications through SCA or partner organisations;
● coaches and course providers;
● suppliers sponsors and others with whom it communicates.
The personal information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards.
2. Status of the Policy
This sets out EKC policy on data protection and specifies how it will comply with the current legislation regarding the receiving, storage, processing, retention and disposal of personal
This policy applies to all those who process data within Edinburgh Kayak Club
Any breach of the policy will be taken seriously and may result in disciplinary action. Negligent or deliberate breaches could also result in personal criminal liability.
Any member or other person who considers that the policy has not been followed in respect of personal information about themselves or others should raise the matter with the Clubs Data Protection Champion the first instance.
3. The meaning of Data Protection Terms
Personal data means any information relating to an identified or identifiable natural person (a data subject)
E.G name, address, date of birth or email address of members, coaches,
participants, volunteers or parents
Processing means any operation performed on personal data (including automated operations),
Special categories of personal data means data revealing a natural person’s:
Racial or ethnic origin
Political opinions, religious or philosophical beliefs
Trade union membership
Genetic or biometric data for the purpose of uniquely identifying a natural person
Data concerning health
Data concerning a natural person’s sex life or sexual orientation
Controller means the person who determines the purposes and means of processing personal data - this is EKC.
Where an organisation is required by law to process personal data, it must retain
Processor means the person who processes personal data on behalf of the controller. For example, any suppliers who administer any systems for EKC such as IT/other service providers
4. Data Protection Principles
Anyone processing personal data must comply with the eight principles of good practice. These provide
that personal data must be:
1. Processed fairly and lawfully
2. Processed for limited purposes and in an appropriate way
3. Adequate, relevant and not excessive for the purpose
5. Not kept longer than necessary for the purpose
6. Processed in line with data subjects' rights
8. Not transferred to people or organisations situated in countries without adequate protection
5. Dealing with Subject Access Requests
Data subjects can raise a Subject Access Request in respect of data that an organisation holds
concerning them. The GDPR allows a month to comply with this request and there is normally no charge although there is a right to refuse or charge for requests that are manifestly unfounded or excessive.
Data subjects can request information to be supplied electronically in a commonly used format rather than in printed form.
If a request is refused the individual must be told the reason for refusal.
6. Dealing with requests to be forgotten
Under the GDPR, subject to certain conditions being met, an individual has the right to have their data erased. If such a request is received from an individual, the EKC as the Data Controller, must assess the request in the context of the personal data that is held and the needs that exist to retain data including legal, commercial, contractual and other factors. In some circumstances, whilst it will be possible to erase some data it may not be possible to erase all data about an individual due to these considerations.
7. Dealing with breaches of personal data
Under the GDPR, the EKC, as a Data Controller, is under obligation to maintain a breach register where all data breaches, no matter how trivial, are recorded and monitored.
For serious data breaches, where the breach is likely to result in a ‘risk to the rights and freedoms of individuals’, the breach must be reported to the ICO within 72 hours of becoming aware of the breach and the data subject notified without undue delay.
If a volunteer or employee becomes aware of a loss of personal data or a potential breach of security of data they have a legal responsibility to report this to the EKC Data Protection champion immediately by emailing email@example.com
Any complaints should be raised with the EKC’s Data Protection Champion immediately by emailing firstname.lastname@example.org
This policy will be reviewed periodically should circumstances require in order to maintain its currency and relevance.