GDPR for Welsh Curling Association and First Province of Wales
What is the GDPR?
The General Data Protection Regulation (GDPR) is a law which replaced the Data Protection Act. GDPR governs how personal data is used and increases the protection of individuals’ privacy.
Does the GDPR apply to the First Province of Wales and any other Welsh provinces?
The provinces are “controllers” of the personal data of their members (for example, name, address, telephone number, date of birth, gender, emergency contact details or medical information (i.e. knowing that someone has an allergy), etc.) that they collect, store, use, share and delete (this is known as “processing” of personal data).
Data protection principles
The GDPR includes six data protection principles that the Provinces need to be aware of whenever they collect or use personal data (for example, signing up a new member, sending an email to a member or volunteer, etc.).
The six principles of the GDPR require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In order to comply with these principles, Provinces need to:
- ensure they identify a lawful basis to process the personal data and provide a privacy notice to the individual, which tells individuals how the club uses their personal data (WCA have provided a template);
- only collect, use and keep personal data for specific purposes – i.e. only use a member’s personal data for membership purposes;
- only collect, use and keep personal data that clubs actually need;
- keep personal data up-to-date where possible;
- only keep personal data for as long as clubs need it – i.e. when a member leaves a club, clubs should review all the member’s personal data held to see whether they still need it after a specific period of time (for example, three years); and
- protect personal data and keep it secure.
Paper or electronic records?
The GDPR is mainly concerned with electronic personal data. However, if the Province uses a paper filing system that allows information to be retrieved by specific criteria, then the GDPR will also apply to this paper filing system.
Lawful basis for processing
There is a specific list of “lawful bases” for processing personal data in the GDPR, and Provinces will need to identify which one applies before collecting and/or using personal data.
Once Provinces have identified their lawful basis, they must explain this to individuals in privacy notices.
What is the lawful basis for members’ personal data?
When processing members’ personal data (for example, membership admission, membership fee payments, AGMs, etc.) Provinces will have a “contractual” lawful basis.
This is because the Provinces need to use members’ personal data to comply with the terms of their membership, and the Provinces should only use such personal data for this purpose.
The Provinces may also be legally required to process members’ personal data for specific purposes, e.g. health and safety or equality monitoring. This lawful basis is known as the “legal obligation” lawful basis, as it applies when a “controller” needs to use personal data to comply with a legal obligation.
What are “legitimate interests”?
Another lawful basis is where a Province has legitimate interests for processing personal data. However, the catch with this lawful basis is that any such legitimate interests cannot be outweighed by the interests of the relevant individual.
This might apply where Provinces issue newsletters to members / other individuals or communications promoting upcoming events / competitions, which is seen as ‘direct marketing’. Provinces should always make sure that individuals can stop receiving such newsletters or communications by contacting the Province.
What about asking for consent?
Asking individuals if they consent to the Province using their personal data is a lawful basis under the GDPR. However, there are specific requirements for asking for consent, which means it will be more difficult going forward, and Provinces should use one of the other lawful bases where more appropriate.
If Provinces do want to ask individuals for consent then they must use a consent statement that:
- is a clear affirmative action: opt-in rather than opt-out and no pre-ticked boxes;
- is separate from other terms and conditions and not a precondition of signing up to a service;
- provides granular options for different processing operations; and
- is easy to withdraw.
Where Provinces use social media pages, it is likely that social media websites will have updated privacy policies as the providers will consider that they are “controllers”. Provinces should hopefully not notice much of a difference. However, Provinces are advised to check these privacy policies.
What about “special category personal data”?
Special category personal data is a separate category of personal data under the GDPR and includes data revealing a person’s disability (if any); racial or ethnic group; health; sex life or sexual orientation; or religious or philosophical beliefs.
Where Provinces process special category personal data they must have a lawful basis and meet at least one condition for processing special category personal data.
Privacy notices
A “privacy notice” is a statement by a “controller” (Province) explaining to individuals what they do with personal data.
When do we need to give people privacy notices?
When collecting or receiving personal data from anyone, Provinces must give a privacy notice to the individual whose personal data the Province is processing. For example, the privacy notice should be included in applications for membership, membership renewal forms, booking forms, and employment / volunteer forms.
Provinces should also put their privacy notice(s) on their website (if they have one) and provide individuals with the link to the relevant page or send an attached document.
What needs to be included in a privacy notice?
It is important for Provinces to cover all of their data processing activities in privacy notices.
Provinces will pass membership data or other personal data to Welsh Curling Association, so Welsh Curling Association will become a “controller” of that personal data. Each Province’s privacy notice must tell individuals that Welsh Curling Association will receive their personal data and become a “controller” of it. This could also apply to other third parties.
If Provinces publish any personal data on a website or within a clubhouse then this must be stated within the privacy notice. An example of this is that the Annual produced by Welsh Curling Association contains the names of every club’s members and contact details for office bearers of Provinces.
Rights of data subjects
Provinces need to consider requests from data subjects and respond within one month.
We would recommend that if a Province receives a request from an individual and it is unsure how to respond, it should take advice. Provinces need to be aware of the one-month timescale and make sure that they comply.
Data subjects (individuals) can ask Provinces to:
1. provide a copy of their personal data and information on how the Province processes the data (basically what is included in a privacy notice – a “subject access request”);
2. correct or complete any incorrect/incomplete personal data held – the “right to rectification”;
3. delete all personal data held by the Province (in some circumstances) – the “right to erasure”;
4. stop or limit the processing of their personal data (only in some circumstances) – the “right to restrict processing”; and
5. provide all personal data in a particular format for their re-use (only in some circumstances) – the “right to data portability”.
Data subjects (individuals) can also object to a Province processing their personal data, which is known as the “right to object”. This right only applies in some circumstances – for example, members can object to receiving the Province’s newsletter and the Province should stop sending the newsletter to the member immediately.
Data processing
If Provinces use any third party suppliers they should check if they are given or have access to any personal data held by Provinces, as such suppliers are defined as “processors” under the GDPR. Provinces may use suppliers to send mailshots, administer online systems, process payments, host websites, online surveys, etc.
Accountability
Accountability and governance are important principles of the GDPR. What this means is that Provinces have an overall duty to demonstrate that they are complying with the requirements of the GDPR.
What information do Provinces need to keep?
Provinces should keep a document recording (such as a spreadsheet or table) the following:
- the purposes of processing – for membership, competitions, lessons, etc.;
- the categories of individuals and personal data – members, volunteers, etc. and name, address, date of birth, etc.;
- the categories of recipients – details of who the Province shares personal data with, such as Welsh Curling Association, Province, etc.;
- details of any personal data transferred or hosted outwith the UK, and the safeguards in place – for example, MailChimp, which has Privacy Shield certification;
- retention periods – how long different records of personal data are kept; and
- details of security measures in place to keep personal data secure – for example, passwords, locked cabinets, restricted accounts, etc.
Provinces should also keep copies of privacy notices and consent statements, so they can evidence that these have been provided to individuals.
Breaches
If a Province loses personal data or suffers a data security incident, then this would result in a personal data breach. Examples of breaches include: access to personal data by an unauthorised person; sending personal data to the wrong person; or losing computer or mobile equipment containing personal data.
If the breach is severe and could affect individuals (i.e. risks their rights and freedoms) then Provinces will be under an obligation to notify the Information Commissioner’s Office (the ICO) within 72 hours of becoming aware of the breach. Provinces will also have to notify the affected individuals if there is a high risk to their rights and freedoms.
If a Province fails to notify either the ICO or affected individuals of a breach when required to do so, they could suffer a significant fine.
Sanctions
Suggested action plan for Provinces
1. Identify all personal data that is held by the club and what it is used for – create a table or spreadsheet, which can be used to maintain the required records of processing activities.
2. Use the template sample wording to create privacy notices and update club forms, websites, etc. to include the new privacy notices and issue these to current members, employees, etc.
3. Ensure that everyone within the club with access to personal data held by the club has a basic understanding of data protection and the club’s obligations under the GDPR.
4. Adopt higher standards of data security – for example, good practice would be to create specific club email accounts to limit the use of personal email accounts for club business.
5. Use the template wording to get suppliers to sign up to written data processing contracts.
Whilst WCA have tried to provide relevant information about the GDPR to help Provinces comply with the legislation, Provinces are ultimately responsible for ensuring their own compliance. We would recommend that Provinces seek independent advice should they require further guidance or clarification of their responsibilities.
Should you have a question about any of the information provided on this page and subsequent links to relevant documents please email The WCA President stating your name, Province, position in the Province and your question. We aim to answer questions within one week.
Update: 01/04/2020