Mudeford Phoenix as a club is aware of the sensitive data it holds on players, parents and guardians involved with the club. To this end, this policy will lay out the procedures which are in place to make sure this information is stored securely and protected from misuse.
Definition "personal data"
Data is any information that relates to an identifiable individual. This isn't limited to 'obvious' information, such as a person's name, address or bank details, but also includes information such as their FAN number, their dietary requirements and their photograph. Data does not have to be factual – opinions that a person holds, or opinions that other people hold about them, are also considered personal data.
General Data Protection Regulation 2018 (GDPR) legislation lays out six principles for the processing of personal data. These are:
Lawfulness, fairness and transparency
This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The players/parents/guardians and volunteers have the right to know what is being gathered and have this information corrected or sections removed.
Mudeford Phoenix should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.
The data collected by Mudeford Phoenix should be limited only to that which is required for the purpose stated.
The personal data held by Mudeford Phoenix should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
Personal data should only be stored for as long as is necessary.
Integrity and confidentiality
Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.
Consent from individuals must be affirmative, freely given, specific, informed and unambiguous. This means that they must actively give consent for their data to be processed. Silence, inaction and pre-ticked boxes are not valid as consent.
Mudeford Phoenix require certain information to be supplied by individual players and parents/guardians. This is acquired by the filling out of a registration form on joining the club.
This information is used:
So players and parents/guardians can be contacted to inform them of changes to training or matches, or to contact parents/guardians in an emergency.
So medical information is available if a player needs treating or has an allergy.
So proof of consent can be established.
Also, the Football Association requires photographic and some personal details to register players to the "whole game portal". Once this information is passed to the Football Association, the information they hold falls under the Football Association's data protection policy.
All data will be held by the data controller and authorised personnel and stored in a secure manner. Managers will carry contact details of parents/guardians and relevant medical information only on match/training days. This will be kept secure at all other times.
Mudeford Phoenix will not release any data to a third party without the consent of the player or their parent/guardian.
All information held online will be held on a secure server with password access; this will be held by authorised individuals appointed by Mudeford Phoenix.
All information used in press releases or multimedia activity will be carefully monitored and will not identify individuals in photographs of those participating in activities relating to Mudeford Phoenix.
Information held by Mudeford Phoenix will be updated every year.
Mudeford Phoenix will only hold data on players as long as they are involved with the club and will request removal from the "whole game portal" once they leave.
Children
GDPR enhances the protection of children’s personal data. Any notices for services offered directly to a child must be written in clear, simple language to be taken as valid. A child under 16 cannot give consent themselves. This is required from a person holding ‘parental responsibility’.
RIGHTS AND REQUESTS
Individuals have several rights under GDPR, which Mudeford Phoenix will adhere to, responding to requests within a specified time. Mudeford Phoenix will request valid proof of identification from the individual before proceeding with the request. If data has been shared with a third party, we will notify them of changes or deletion. Similarly, a third party may pass on a request from an individual instructing us to alter or delete shared data. The rights of individuals are detailed below.
Right to be informed
Individuals should be informed of how their data is collected, stored and processed in a clear, accessible way (as set out in the privacy statement).
Right of access
Individuals can request access to a copy of their data in electronic form.
Right to rectification
Individuals are entitled to have their data corrected if it is inaccurate or incomplete.
Right to erasure
Also known as ‘the right to be forgotten’, this permits individuals to request the deletion of their data once they have left the club.
All requests must be resolved within a month of the request.
Photography & filming
Photographed and filmed images of people are considered personal data, as people can be identified by these images. This means that photographing and filming at training/matches is a form of personal data collection. If you want to store, use or share these images, then you must have clear, active consent.
With the growing use of mobile telephone cameras, any photos taken by members of the Mudeford Phoenix committee for use in multimedia activities must be uploaded to either the Mudeford Phoenix website or a social networking site, then deleted from their personal device once the image is uploaded. Parts of our training and playing areas are covered by CCTV used by E.C.S.S.C. These images will be stored or deleted in accordance with E.C.S.S.C. data protection policy.
Publication of photographs and film
It is important to be aware that when photographs and films are put into the public domain they are carefully controlled. It is important that no person is named in direct relationship to a photograph or film. It is important to be aware that naming a person by association is not acceptable. Examples of this are:
"The goalkeeper (name) had a great match" when the photo supplied with the article has a squad where only the goalkeeper is wearing a goalkeeper top.
"(name) had a great game as captain" when the photo clearly shows a girl wearing the captain's arm band.
"(name) lifted the cup in celebration" when the photo shows clearly who is lifting the cup.
These are just a few examples of what would be classed as a data breach.
Transmission of Information
Information is readily transferred by e-mail and through cross-platform instant messaging apps. We must be aware that the information on these platforms is not 100% secure. All information transferred through these mediums must abide by our data protection policy. When using cross-platform instant messaging apps, avoid putting private details of an individual with photographs. If you are sending registration details to the club secretary only use encrypted e-mails. Any information must be removed from personal 'phones and computers and transferred to the appropriate data storage medium or platform as soon as it is received. Under no circumstance should photographs of individuals be kept on personal computers or mobile 'phones.
A personal data breach can be broadly defined as an incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted, disclosed or passed on without proper authorisation. Recital 87 of the GDPR makes clear that when an incident takes place, we should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner's Office if required.
Data breaches can take the form of:
Loss of match day information by managers.
Loss of registration information.
Identification of children in photographs (in press publications, website and social media sites).
The releasing of information to a third party without consent.
Not removing photographs from personal devices.
The data held by Mudeford Phoenix is low level information; data breaches will be dealt with by the Mudeford Phoenix committee in the form of an internal enquiry. The individual or individuals whose information is affected by a breach will be informed by the data controller. Any individual who is involved with Mudeford Phoenix who is identified as the cause of a data breach will be requested to attend a hearing of the Mudeford Phoenix committee. Only if the data breach is found to be of a more serious or sinister nature will the relevant authorities be informed.