
Data Protection - Information for Clubs


The substance of this page derives from an article, by Ian Vincent, which was published on page 4 of issue 371 of the Croquet Gazette in December 2017. It has been edited to bring it up to date.

Introduction

Data protection legislation changed in 2018, with the introduction of the European General Data Protection Regulation (GDPR) on 25th May 2018. This applied to the UK irrespective of Brexit. The Data Protection Act 2018 implemented the Regulations. After Brexit the provisions of the EU GDPR were incorporated directly into UK law as the UK GDPR.

This is a brief introduction to the regulations as they might affect a typical croquet club. It does not pretend to be definitive.

Note that the legislation applies to clubs that hold membership or tournament records in any form: spreadsheets, word documents, e-mails, or even on cards or paper, not just a database. In the terms it uses, the club is a data controller, which either processes its own data or contracts with one or more separate persons or organisations, who are data processors, to do so on its behalf.

Note also that the GDPR applies to images. Clubs installing CCTV systems for security and for streaming events also need to ensure that this data is properly controlled. Players' consent to events being photographed or videoed is a condition of entry into Croquet England events.

Overall Impact

The overall message was that 2018 was an evolution, rather than a revolution, in data protection requirements. Similar basic principles apply as before. Personal data must be processed lawfully, fairly and in a transparent manner. It must be used for specified, explicit purposes. It must be used in a way that is adequate, relevant and limited only to what is necessary. The data must be accurate and, where necessary, kept up-to-date. It must be kept for no longer than is necessary. It must be handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

Data controllers are required to be able to demonstrate compliance with the principles and individuals have a few new rights and protections. Hopefully, the practical impact on clubs will be relatively small, as some of the more onerous ones apply only to processing on a large scale or of sensitive data, though the core provisions apply to organisations of any size.

Basis of Processing and Consent

In 2018 the emphasis shifted from consent as the primary condition for processing personal data to one of the other conditions for doing so, such as that it is "necessary for the performance of a contract with the data subject", e.g. club membership or accepting an entry into a tournament. If consent is required, e.g. to pass members' details on to a sponsor for marketing purposes, then it will have to be given on the basis of full information, positive (just offering an opt-out is not sufficient), optional, revocable and recorded.

Individual Rights

Individuals (your club members and tournament players) have the right to:

Unlike the later items in the list, which are rights that only apply if the individual exercises them, the club must be proactive in giving information when data is collected, typically on a membership application form. The information required includes the identity and contact details of the controller; purpose and lawful basis for processing; any recipients of the data; how long the data will be retained and the existence of the above rights.

Data Protection Officers

Although it would be good practice to have someone responsible for overseeing data protection within your club, you are advised not to formally appoint them as a "Data Protection Officer", as there are specific requirements and qualifications for that role. A title such as "Information Manager" could be used instead.

Security and Data Breaches

Personal data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Should that protection fail, the breach must be notified to the Information Commissioner (within three days) if it is likely to result in a risk to the rights and freedoms of individuals (for example, if banking or credit card details were lost), and to the individuals concerned if the risk is high.

Documentation

Data controllers are required to document processing activities that are "likely to result in a risk to the rights and freedoms of data subjects", including information such as: the purpose(s) of processing the data; the categories of the data subjects and data held about them; to whom the data may be disclosed; and an overview of technical and organisational security measures. It is unclear (to the author, at least) how far this requirement will apply to a typical club, but it would be good practice to fulfil it anyway.

Further Information

Further information about these and other issues relevant to small organisations can be found at ico.org.uk. The Information Commissioner's Office provides "Advice for small organisations" which includes a "Beginner's Guide" and a privacy notice template. Croquet England offers a template.