GBA Policy on General Data Protection Regulations (GDPR)

Introduction

This Policy concerns the personal information (data) held by the Gloucestershire Bowls Association (GBA), its security and use.  The Policy applies to both the Men’s and Women’s Divisions.

The Policy is written in response to the GDPR, in force from 25 May 2018.  It defines the people involved in data collection in the GBA, how it is stored and used internally and externally, and members’ rights over their data.

The GBA uses this data solely for the purposes of the effective running of the Association and it does not share the data externally with anyone except Bowls England (BE).   Information on Club Secretaries (name, address, email address and phone number) will be used for publication in GBA handbooks’ on GBA Websites and in the GBA’s Management System).  The GBA requires that BE does not share data with anyone else. 

There are a number of Data Processors who are responsible for the collection and use of data but a single Data Controller.

Review of Data Collection

There are a number of Association and divisional officers who hold and use personal data.  This information falls into four broad categories:

  • Club Information – which might include some or all of name, address, e-mail address and phone number(s) for a Club Secretary, GBA Delegate and Club Fixture Secretary, which may be published in a Handbook, on a Website or on the GBA’s Management System, depending on the division and individual’s role;
  • GBA members who are GBA Officers and Officials – again information for publication as above;
  • Players who represent the County in matches – e-mail and/or phone number(s) for communication uses only;
  • Individual club members who enter County Competitions.  This information will be restricted to a member’s phone number for publication in a Handbook, on a Website or on the GBA’s Management System, Gloucestershire Bowls Online.

Data Security

To ensure the security of the data held, the GBA requires that all officers who hold personal data do so on a secure computer and, in addition, that any file holding personal information is individually password protected.

Joint Executive Committee

The Data Controller for the purposes of the GDPR will be the GBA through the Joint Executive Committee (JEC).  The JEC will be responsible for the implementation and review of this policy.  The appointment of a separate Data Protection Officer is not seen as required; any concerns relating to data protection or security should be addressed to the JEC Secretary who will fulfil this role.

The Data Processors will be the appropriate Officers who holds the relevant data.  The Officers will be responsible for the collection of the data, ensuring that permission for the data to be held, used, and shared as described is given, updating and deleting records where required and the security of the data.

Member’s Rights to their Personal Data

All members have the right to be provided with a copy of the data held on them by the GBA.  Any request for this should be made in writing (including e-mail) to the JEC Secretary.  The JEC has one month to reply to any such request.  There will be no charge for such access to data.  The data held on a member will be deleted within one month of notice that the record is no longer relevant.

Young People’s Data

In the case of any young person under 18 as at 1 April, permission for the collection and use of their data will be sought from the parents/guardians of the young person.  Only the name of a young person will be published in any handbook or on a website.

Breaches of Data Security

If at any point a breach of data security is suspected or identified, then that suspicion or fact must be reported immediately (verbally if necessary and confirmed in writing or e-mail) to the JEC Secretary.  The JEC Secretary, following discussion with the JEC Chairman, will appoint an independent member of the JEC to investigate the position and report back to the JEC on the position at the earliest possible opportunity.  The JEC will determine any subsequent actions as necessary.  Should the initial report involve the JEC Secretary, the initial report should be made to the JEC Chairman who will independently appoint a JEC member to investigate as above.

Where a breach is likely to result in a serious risk to the rights and freedoms of individuals (say involving health or financial issues), the JEC Secretary (or Chairman if the Secretary is involved) has 72 hours from notification to report the incident to the Information Commissioners Office (ICO).

The GBA recognises that the requirements of the GDPR apply as much to paper files and records as they do to digital based ones and will ensure that any paper records are securely treated.  As security issues are much more problematic for paper records, the GBA will seek to reduce the use of paper files to the minimum possible.

Reviews

It is hoped that members will update their personal information if it changes during the year.  All of the personal information collected by the GBA and noted above is subject to annual confirmation either through the publication of the Handbooks or the establishment of County Fixtures and Competitions.

The Policy itself will be reviewed by the JEC at least every four years.

November 2023