Data Protection Policy


This Data Protection Policy explains how County Antrim Harriers (“CAH”, “we”, “us”, “our”, or “the Club”)
protects your data, how we process your data, and your rights under UK law.

Work refers to tasks and activities executed by or on behalf of Club members as directed by
the Chairperson, Office Bearers, committee, and law enforcement for the purpose of managing the Club.

Past and present Club Members – this policy applies to both.

Sections


Section A – Our data protection policy

  1. Policy Statement
  2. Why this policy is important


Section B – Our data protection responsibilities

  1. What personal information do we process?
  2. When we need consent to process data
  3. Data will be adequate, relevant and not excessive
  4. Accurate data
  5. Keeping data and destroying it
  6. Security of personal data
  7. Keeping records of our data processing


Section C – Working with people we process data about (data subjects)

  1. Data subjects’ rights


Section D – Working with other organizations & transferring data

  1. Sharing information with other organizations
  2. Data processors
  3. Transferring personal data outside the United Kingdom (UK)


Section E – Managing change & risks

  1. Data subjects’ rights
  2. Data protection impact assessments
  3. Dealing with data protection breaches


Section F – Your rights in relation to the data we hold

  1. Your Rights and Exemptions
  2. Data Protection Officer/Contact
  3. Your right to complain to the Information Commissioner
  4. Feedback or complaints


Data Protection Officer

Section A – Our data protection policy

1. Policy Statement

  1. County Antrim Harriers (CAH) is committed to protecting personal data and respecting the
    rights of our data subjects;
    the people whose personal data we collect and use. We value the personal information
    entrusted to us and we respect that trust, by complying with all relevant laws,
    and adopting good practice.
  2. We process personal data to help us:
    • maintain our list of Club members [and regular runners];
    • provide coaching support for members and others connected with our Club;
    • safeguard children, young people and adults at risk;
    • maintain our accounts and records;
    • promote our events and training programme, such as May Fair Races and Couch to 5K (C25K);
    • respond effectively to enquirers and handle any complaints
  3. This policy has been approved by the CAH Committee who are responsible for ensuring that
    we comply with all our legal obligations. It sets out the legal rules that apply whenever
    we obtain, store or use personal data.

2. Why this policy is important

  1. CAH is committed to protecting personal data from being misused, getting into the wrong
    hands as a result of poor security or being shared carelessly, or being inaccurate,
    as we are aware that people can be upset or harmed if any of these things happen.
  2. This policy sets out the measures we are committed to taking as an organization, and
    what each of us will do to ensure we comply with the relevant legislation.
  3. In particular, we will make sure that all personal data is:

    • processed lawfully, fairly and in a transparent manner;
    • processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
    • adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
    • accurate and, where necessary, up to date;
    • not kept longer than necessary for the purposes for which it is being processed;
    • processed in a secure manner, by using appropriate technical and organizational means;
    • processed in keeping with the rights of data subjects regarding their personal data.


3. How this policy applies to you & what you need to know

3.1

As an Office Bearer of County Antrim Harriers or Committee Member processing personal information on behalf of the Club,
you are required to comply with this policy. If you think that you have accidentally breached the policy,
it is important that you contact our Data Protection Officer
immediately so that we can take swift action to try and limit the impact of the breach.

3.2

Anyone who breaches the Data Protection Policy may be subject to review by the Chairperson, and where that individual
has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to
prosecution or to regulatory action by appropriate UK authorities.

3.3

As an Office Bearer or Committee Member, you are required to make sure that any procedures that
involve personal data, that you are responsible for in your area, follow the rules set out in this Data Protection Policy.

3.4

As a Club member, it is your responsibility to protect your data. Further, it is your
responsibility to inform the Club if you are aware of any breach that has been or may
be the fault of the Club.

3.5

Companies who are appointed by CAH as a data processor are required to comply with this policy. Any breach of the policy
will be taken seriously and could lead to us taking contract enforcement action against the company, or terminating the contract.

Data processors have direct obligations under the UK GDPR, primarily to only process data on instructions
from the controller (CAH) and to implement appropriate technical and organizational measures to ensure a level of
security appropriate to the risk involved.

3.6

Our Data Protection Officer is responsible for advising County Antrim Harriers and its Committee and Club members
about their legal obligations under UK data protection law, monitoring compliance with data protection law,
dealing with data security breaches and with the development of this policy. Any questions about this policy or
any concerns that the policy has not been followed should be referred to them at CAHinfo@gmail.com.

3.7

Before you collect or handle any personal data as part of your Club Volunteer role (paid or otherwise) for County Antrim Harriers,
it is important that you take the time to read this policy carefully and understand what is
required of you, as well as the Club’s responsibilities when we process data.

3.8

Our procedures will be in line with the requirements of this policy, but if you are unsure about whether
anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Officer.


Section B – Our data protection responsibilities

1. What personal information do we process?

  1. In the course of our work, we may collect and process information (personal data)
    about many different people (data subjects). This includes data we receive straight
    from the person it is about, for example, where they complete forms or contact us.
    We may also receive information about data subjects from other sources including,
    for example, other athletics clubs and organizations.
  2. We process personal data in both electronic and paper form and all this data is
    protected under data protection law. The personal data we process can include
    information such as names and contact details, gender, age, disabilities,
    visual images of people, race results and race reports.

2. When we need consent to process data

  1. Where none of the other legal conditions apply to the processing, and we are required
    to get consent from the data subject, we will clearly set out what we are asking consent
    for, including why we are collecting the data and how we plan to use it. Consent
    will be specific to each process we are requesting consent for and we will only ask
    for consent when the data subject has a real choice whether or not to provide us with
    their data.
  2. Consent can however be withdrawn at any time and if withdrawn, the processing will stop.
    Data subjects will be informed of their right to withdraw consent and it will be as
    easy to withdraw consent as it is to give consent.

3. Data will be adequate, relevant and not excessive

  1. We will only collect and use personal data that is needed for the specific purposes
    described above (which will normally be explained to the data subjects in privacy notices).
  2. We will not collect more than is needed to achieve those purposes.
  3. We will not collect any personal data “just in case” we want to process it later.

4. Accurate data

  1. We will make sure that personal data held is accurate and, where appropriate,
    kept up to date. The accuracy of personal data will be checked at the point of
    collection and at appropriate points later on.

5. Keeping data and destroying it

  1. We will not keep personal data longer than is necessary for the purposes that it
    was collected for. We will comply with official guidance issued to similar organizations
    about retention periods for specific records.
  2. Information about how long we will keep records for can be found in our Data Retention
    Schedule.

6. Security of personal data

  1. We will use appropriate measures to keep personal data secure at all points of the
    processing. Keeping data secure includes protecting it from unauthorized or unlawful
    processing, or from accidental loss, destruction or damage.
  2. We will implement security measures which provide a level of security which is
    appropriate to the risks involved in the processing.
  3. Measures will include technical and organizational security measures. In assessing
    what measures are the most appropriate we will take into account the following,
    and anything else that is relevant:

    • the quality of the security measure;
    • the costs of implementation;
    • the nature, scope, context and purpose of processing;
    • the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
    • the risk which could result from a data breach.
  4. Measures may include:

    • technical systems security;
    • measures to restrict or minimise access to data;
    • measures to ensure our systems and data remain available, or can be easily
      restored in the case of an incident;
    • physical security of information and of our premises;
    • organizational measures, including policies, procedures, training and audits;
    • regular testing and evaluating of the effectiveness of security measures.

7. Keeping records of our data processing

  1. To show how we comply with the law we will keep clear records of our processing
    activities and of the decisions we make concerning personal data (setting out our
    reasons for those decisions).


Section C – Working with people we process data about (data subjects)

1. Data subjects’ rights

  1. We will process personal data in line with data subjects’ rights, including their
    right to:

    • request access to any of their personal data held by us (known as a Subject Access Request);
    • ask to have inaccurate personal data changed;
    • restrict processing, in certain circumstances;
    • object to processing, in certain circumstances, including preventing
      the use of their data for direct marketing;
    • data portability, which means to receive their data, or some of their data,
      in a format that can be easily used by another person (including the data subject
      themselves) or organization;
    • not be subject to automated decisions, in certain circumstances; and
    • withdraw consent when we are relying on consent to process their data.
  2. If a Club Office Bearer or Committee Member receives any request from a data subject
    that relates or could relate to their data protection rights, this will be forwarded to our
    [Data Protection Officer/Trustee] immediately.
  3. We will act on all valid requests as soon as possible, and at the latest within one
    calendar month from the date of receipt of the request, unless we have reason to,
    and can lawfully extend the timescale. This can be extended by up to two months in
    some circumstances.
  4. All data subjects’ rights are provided free of charge.
  5. Any information provided to data subjects will be concise and transparent, using
    clear and plain language.


Section D – Working with other organizations & transferring data

1. Sharing information with other organizations

  1. We will only share personal data with other organizations or people when we have
    a legal basis to do so and if we have informed the data subject about the
    possibility of the data being shared (in a privacy notice), unless legal exemptions
    apply to informing data subjects about the sharing. Only authorized and properly
    instructed members/bearers are allowed to share personal data.
  2. We will keep records of information shared with a third party, which will include
    recording any exemptions which have been applied, and why they have been applied.
    We will follow the ICO’s statutory Data Sharing Code of Practice (or any
    replacement code of practice) when sharing personal data with other data controllers.
    Legal advice will be sought as required.

2. Data processors

  1. Before appointing a contractor who will process personal data on our behalf
    (a data processor) we will carry out due diligence checks. The checks are to make
    sure the processor will use appropriate technical and organizational measures to
    ensure the processing will comply with data protection law, including keeping the
    data secure, and upholding the rights of data subjects. We will only appoint data
    processors who can provide us with sufficient guarantees that they will do this.
  2. We will only appoint data processors on the basis of a written contract that will
    require the processor to comply with all relevant legal requirements. We will
    continue to monitor the data processing, and compliance with the contract, throughout
    the duration of the contract.

3. Transferring personal data outside the United Kingdom (UK)

  1. Personal data cannot be transferred (or stored) outside of the United Kingdom unless
    this is permitted by the UK GDPR. This includes storage on a “cloud” based service
    where the servers are located outside the UK.
  2. We will only transfer data outside the UK where it is permitted by one of the
    conditions for non-UK transfers in the UK GDPR.


Section E – Managing change & risks

1. Data protection impact assessments

  1. When we are planning to carry out any data processing which is likely to result
    in a high risk we will carry out a Data Protection Impact Assessment (DPIA).
    These include situations when we process data relating to vulnerable people,
    trawling of data from public profiles, using new technology, and transferring
    data outside the UK. Any decision not to conduct a DPIA will be recorded.
  2. We may also conduct a DPIA in other cases when we consider it appropriate to
    do so. If we are unable to mitigate the identified risks such that a high
    risk remains we will consult with the ICO.
  3. DPIAs will be conducted in accordance with the ICO’s guidance on Data Protection
    Impact Assessments.

2. Dealing with data protection breaches

  1. Where a Club Office Bearer, Committee Member, or Club Member, [or contractors working for us],
    think that this policy has not been followed, or data might have been breached or lost,
    this will be reported immediately to the Data Protection [Officer/Trustee].
  2. We will keep records of personal data breaches, even if we do not report them to the ICO.
  3. We will report all data breaches which are likely to result in a risk to any person,
    to the ICO. Reports will be made to the ICO within 72 hours from when someone
    from CAH becomes aware of the breach.
  4. In situations where a personal data breach causes a high risk to any person, we will
    (as well as reporting the breach to the ICO), inform data subjects whose information
    is affected, without undue delay.

    This can include situations where, for example, bank account details are lost or an
    email containing sensitive information is sent to the wrong recipient. Informing data
    subjects can enable them to take steps to protect themselves and/or to exercise
    their rights.



Section F – Your rights in relation to the data we hold

1. Your Rights and Exemptions

Data protection legislation provides you with a number of rights relating to your personal data, including your special category
and criminal conviction etc data. These rights are subject to some specific exemptions. Your rights may include:

  • the right to access your data
  • the right to have your data corrected if it is wrong or incomplete
  • the right to request restrictions to the processing of your data
  • the right to object to your data being processed
  • the right to have your data erased
  • the right to be informed about how your data is processed
  • rights relating to automated decision making and data portability

You should keep us informed of any changes to your information so that we can be confident that the data we hold about you is accurate. To understand more about these rights and how to exercise them please see the Information Commissioner’s Office website: https://ico.org.uk/.

2. Data Protection Officer/Contact

Mr Brian Cunningham is our Data Protection Officer/Data Protection Trustee and is the person responsible for matters relating to the protection of personal data.

Our Officer can be contacted at the address below or by email at CAHinfo@gmail.com

3. Your right to complain to the Information Commissioner

If you are unhappy with any aspect of the way in which we have processed your personal data, you have the right to make a complaint to the Information Commissioner’s Office:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
Tel: 0303 123 1113
casework@ico.org.uk

4. Feedback or complaints regarding County Antrim Harriers (CAH)

If you want to give us feedback or make a complaint in relation to the handling of your personal data, please contact
Email: CAHinfo@gmail.com

Review of this policy
This policy will be regularly reviewed and may be subject to revision. Please visit our website to check for any updates.
