PROTECTING YOUR PERSONAL DATA.
We exist to serve people with the compassion of Christ. The protection of information about people is not only imperative for us by law, but also by nature. Without it, there is no trust, no integrity, no accountability. Without this, we cannot help lives change.
WHAT IS IT?
“PERSONAL DATA” is information about “YOU” (or “YOUR” information, whether an individual employee, volunteer, visitor, service-user, or the general public, but not a whole organisation such as a church, school, or company, for example). This information will identify you either directly, or indirectly when combined with other information.
Even where your name is replaced with a ‘fake’ name for example, it is still personal. If information is truly anonymised, about a deceased person, or about a company or public authority at the corporate (non-individual) level, it is not subject to GDPR.
WHY DO WE NEED IT?
We keep your personal data to:
- Grow in number.
- Keep in touch.
- Know what we need to know about you to help do what we aim to do – safely and effectively.
- Learn about and share our impact
- Improve what we do.
HOW IS IT PROTECTED?
As covered in more detail in our “GDPR PLAN”, your data is protected at each stage of “DATA PROCESSING”, including collecting, storing, transmitting, releasing, checking, and removing data.
The “DATA CONTROLLER” decides whose personal data is processed and why, what it includes, what it is used for, who it is shared with, and how long it is kept. The Data Controller is either:
- SPIRIT IN SPORT (registered charity number: 1161773, registered address: Immanuel Baptist Church, 109 Victoria Road North, Southsea, PO5 1PS), when we provide the activity or service directly and your data is needed to make that happen.
- A THIRD PARTY PARTNER AGENCY such as a school, church, local authority or charity who would refer information about you to us when we work in partnership with them.
The “DATA PROCESSOR” is anyone who provides a service to us and needs our data to do it. This could be a consultant, such as a web developer building our website who needs access to images and audience analytics. They would only use the data with consent and when they’re trained to handle it well.
The “DATA PROTECTION OFFICER” (DPO) acts independently, but is in direct contact with the boss and board. The DPO is here to help us all understand GDPR, to make sure we’re getting it right, and to be someone you can get in touch with. The DPO in Spirit in Sport is ANDY BULLOCK.
THE SIS PERSONAL DATA SYSTEM.
We capture and record what personal data we have about you and what we do with it through our “INFORMATION ASSET REGISTER” (IAR). This tells us:
- Who you are
- What information you’ve given us
- Where it came from
- When and how you gave us permission to have it
- What you’ve given us permission to do with it
- How we have used it
- If it is at risk
- If you’ve used any rights to make a request and how we responded to that
- Where this is all documented.
The IAR is updated at least once a month and reviewed and improved every six months as part of our auditing process.
We may collect your data at different “CONTACT POINTS” whether you are an employee, volunteer, regular service-user, one-off visitor, website user, social media page user/follower, or have been referred to us by another agency while using their service. We will always try to do it in a way that makes sense, is convenient, and transparent.
You have a “RIGHT” to know everything about our data processing when agreeing to it – why, who may see it, and how long we’ll have it for. In asking for your consent, we do it in a concise way that is transparent, easy to read and access, clear, and in plain English. We’ll do it in a way that is positive and not misleading (you have to ‘opt-in’ not ‘opt-out’), specific (not vague), and ‘granular’ (meaning you have control to agree to some things but not others). You don’t have to agree before working or volunteering with us or using our services.
PRIMARY COLLECTION SOURCES
Your consent may be requested through, for example:
- Registration forms
- Sign-in register
- Email consent
- Media consent form
We will keep a copy in our Cabinet and/or The Cloud.
If for some reason we don’t get your consent, we must make all reasonable attempts to do so within one calendar month, and record our evidence of doing so.
Further information on our website and social media accounts, and where your personal data may be used in them, is available on request.
On occasions, your consent may not be necessary or possible to obtain, although we may still be able to process your data where it is a legal obligation, is vital for protection and safety, is in the public interest, or relates to legitimate interests. We will always record our justification.
Our “DATA PROCESSING FILING SYSTEM”, which is subject to routine and regular security testing and monitoring, includes “THE CABINET” located in the Spirit in Sport office under a three-lock system, and “THE CLOUD”, which is a Google Drive secured by “Two Factor Authentication” (2FA).
Only the Data Controllers have access to these and no personal data is stored on personal devices or local drives.
PERSONAL DATA GATEWAYS
Personal Data can be accessed via other “GATEWAYS” such as email, the website, and social media accounts, as well as hardware such as personal devices including laptops, tablets, and mobile phones. They are not official storage spaces, but are paramount to our Data Protection System and are secured accordingly, including with password protection and 2FA.
Data is stored for the shortest time possible according to its purpose, and in a form that permits an individual’s identification for no longer than is necessary. This includes, for example:
- Employee data only being kept in internal filing system while actively employed, with records of data destroyed within 6 MONTHS after termination of employment
- Volunteer data only kept in internal filing system while actively volunteering or having registered as a volunteer within the LAST 3 YEARS
- Service user data only kept in internal filing system within 5 YEARS of last using the service
- Emails of more than 2 YEARS are archived, emails older than 10 YEARS are deleted.
- Photographs may be kept in secure internal filing system storage (not personal devices or local drives) INDEFINITELY in the interest of recording the charity’s progress. Individual photographs can be deleted from all records on request.
Subject to consent, we may use your personal data for:
- Vital operational safeguarding information relating to health, safety and well-being of all stakeholders;
- Building ‘membership’, including employee, volunteer and general public participants;
- Publicising updates to the general public and service users, including upcoming events, changes to services and policies;
- Communicating about voluntary opportunities and notifications on events;
- Making character references; assessing suitability to the role;
- Payment of employee or volunteer stipends, expenses, or wage/salary, and;
- Internal monitoring & evaluation for service improvement and development.
Subject to consent, your data may be transmitted externally for:
- Sign-posting or referral to other external Christian and non-Christian based service providers
- General publicity purposes (e.g. general volunteer photos on social media/ newsletters/banners);
- Service improvements undertaken by third parties, such as website development
- Personalised publicity purposes (e.g. specific newsletter features including personal stories/case studies);
- Presentations or application forms, to display impact trends and case studies to external bodies including for funding or research purposes, and;
- To third parties if we are under a duty to disclose or share personal data in order to comply with any legal obligation.
Where data is fully anonymised and identification of individuals is therefore not possible, it is not subject to GDPR and can be shared freely.
These lists are not exhaustive, and the justification for use of each data is recorded in the IAR.
GDPR gives you certain data processing “rights” which are relevant to our work, including:
- To be informed
- To access your data
- To correct or complete your data
- To erase your data
- To restrict its use to storage only
- To obtain it from us to use elsewhere
- To object to its use
You can make a request any time verbally or in writing, and expect a written response within one month. We will not charge you at any point of the request but we may object if we believe this is an abuse of the rights, or may continue if there is a compelling reason to do so. We will record all requests relating to these rights and our response and resulting actions. We reserve the right to remove your data.
For all requests and questions, please contact the Data Protection Officer:
Name: Andy Bullock
Organisation: Spirit in Sport
Contact Email: email@example.com
Are you aged 13-18 and reading this?
You as a “CHILD” are really important to us. If you are a volunteer or use our services, then you need to know that:
- You have the same GDPR rights as adults.
- We may need to collect information about you.
- We will need your consent – to agree to us collecting it and how we want to use it. (There may be some reasons we won’t or can’t ask for your consent but can still use the data).
- That you are happy with how we store it.
- That you know what we use it for.
- That you have rights and can ask us to remind you what we have, change it, or remove it.
Under 13s need a parent or carer to give us this permission and we will need to confirm their age as well as yours. Thank you.
This is not a one-off tick box exercise but an opportunity to build trust and accountability with you and continue to improve our service in the spirit of excellence. We have “QUALITY MANAGEMENT” in place to be effective and to prevent, detect, report and investigate any security breaches through Data Protection Impact Assessments where necessary and bi-annual audits, and we will be in touch at least once a year, where possible, to make sure you are still satisfied and fully aware of our data processing.