Malahide Rugby Football Club
Data Protection Policy
Malahide Rugby Football Club may collect, process and store personal data, and sensitive personal data, on an ongoing basis. The Data Protection Acts 1988 and 2003 and the General Data Protection Regulation EU/2016/679 confer rights on individuals as well as additional responsibilities on those persons and organisations processing any personal data.
This policy applies to all data held by Malahide Rugby Football Club. This includes electronic and paper records; it also includes all CCTV images.
This Data Protection Policy is maintained by the Malahide Rugby Football Club Data Protection Officer (DPO) and is approved by the Club’s Executive Committee. The policy will be reviewed at least annually by the DPO to ensure alignment with appropriate risk management requirements and its continued relevance to current and planned operations, legal developments and legislative obligations.
Further comments or questions on the content of this policy should be directed to the DPO. Any material changes to this policy will require approval by the Executive Committee.
3. SCOPE OF POLICY
This policy has been drawn up by Malahide Rugby Football Club and as such is applicable to all Malahide Rugby Football Club employees (i.e. staff and contractors), mentors, and relevant third parties. All employees and mentors have a personal responsibility to ensure compliance with the principles of all the Data Protection Acts and to adhere to the Malahide Rugby Football Club Data Protection Policy.
The Malahide Rugby Football Club Executive Committee is responsible for ensuring compliance with the Malahide Rugby Football Club Data Protection Policy. It is also responsible for ensuring that all staff and mentors in the club are fully aware of the policy. The Malahide Rugby Football Club Data Protection Policy applies to data records of all types regardless of the medium on which they are held.
The following list highlights the types of data that constitute personal data and are covered by the Data Protection legislation (this list is indicative only, and is not intended to be exhaustive):
- Personal data is defined as “Any information relating to an identified or identifiable natural person (data subject)”, i.e.:
  - Name, date of birth, PPSN, private address, employer, business address, qualifications, work experience, contact details, marital/family status, employer information/self-employed information, bank details, income, creditors’ details, benefits, details of assets and property, investments, liabilities, IP address, personal image.
- Sensitive personal data, including:
  - Details of convictions relating to fraud, tax offences and settlements, dishonesty, medical information etc.
4. MALAHIDE RUGBY FOOTBALL CLUB SAFEGUARDING PRINCIPLES, MEASURES & PROMISES
4.1 Obtain and Process Information fairly:
a) Malahide Rugby Football Club is committed to collecting information fairly and ensuring that it is processed fairly. Malahide Rugby Football Club is committed to only collecting personal data necessary to allow it to carry out its functions as set out in legislation.
b) At the time when personal data is obtained, Malahide Rugby Football Club will ensure that the data subject is provided with the following information:
i. Period for which the personal data will be stored
ii. The existence of their right to request access, rectification, to object to processing and or erasure of their personal data or the restriction of processing their data, as well as the right to data portability
iii. The existence of their right to place a complaint with the Supervisory Authority
iv. Whether the provision of personal data is a statutory or contractual requirement
v. The existence of any automated decision-making, including profiling
4.2 Keep it only for specified, explicit & lawful purposes:
a) Malahide Rugby Football Club will only keep personal data for purposes that are specific, lawful and clearly stated at the time of collection and, where applicable, with the consent of the data subject.
4.3 Use & disclose it only in ways compatible with these purposes:
a) If personal data is obtained by Malahide Rugby Football Club for a particular purpose then, subject to limited exceptions, the personal data will not be used or disclosed for any purpose other than that for which it was obtained.
4.4 Keep it Safe & Secure:
a) Malahide Rugby Football Club implements appropriate physical, technical and organisational security measures against unauthorised access to, alteration, disclosure, destruction, or unlawful processing of data and against the accidental loss or destruction of such data. Access by Malahide Rugby Football Club employees and mentors to certain data held by Malahide Rugby Football Club is restricted on a need-to-know basis and is reviewed periodically.
4.5 Ensure that it is adequate, relevant & not excessive:
a) Personal or Sensitive Data will not be collected or retained if it is not needed and/or on the basis that it might be required in the future. The types of information about individuals that Malahide Rugby Football Club collects will be reviewed periodically to ensure compliance with this requirement.
4.6 Keep it accurate & up to date:
a) Malahide Rugby Football Club will ensure that all personal data is accurate, complete and up to date. Any inaccuracies will be remedied as soon as possible.
4.7 Retain it for no longer than is necessary:
a) Personal and/or Sensitive data will not be retained for longer than is necessary for the purpose(s) for which it was acquired. Data may not be retained indefinitely.
4.8 Right of Access, Rectification and/or Deletion of Personal Data:
a) Individuals (including Malahide Rugby Football Club employees and mentors) have the right to access, request rectification of, object to the processing of, restrict the processing of, and/or request the deletion of any personal data held within Malahide Rugby Football Club. Malahide Rugby Football Club will endeavour to ensure that a response to such requests is given no later than 30 days from the receipt of the request.
b) The right to access, request rectification of, object to the processing of, restrict the processing of, and/or request the deletion of any personal information does not include a right to see any personal data about any other individual(s) without that other person’s consent, in order to protect their personal rights. Malahide Rugby Football Club will not disclose any information about any other person during such requests.
c) Malahide Rugby Football Club will execute and exercise the rights of all data subjects to the fullest in accordance with legislation.
4.9 Transfer to third countries or International organisations:
a) Neither Malahide Rugby Football Club nor any Malahide Rugby Football Club employee or mentor will transfer any personal data to any third country or any other international organisation outside of Malahide Rugby Football Club, except in the limited circumstances set out in the Record of Processing.
4.10 Record of Processing:
a) Malahide Rugby Football Club shall maintain a record of its processing activities under its responsibility. The record shall contain all of the following information:
i. Name and contact details of Malahide Rugby Football Club, and the details of the Malahide Rugby Football Club Data Protection Officer
ii. The purpose of processing
iii. A description of the categories of data subject and the categories of personal data held
iv. The categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organisations
v. Where possible, a general description of the physical, technical
4.11 Data Breach & Communication:
a) In the unlikely event of a personal data breach, and unless Malahide Rugby Football Club can demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of the persons affected, Malahide Rugby Football Club shall, as soon as it has become aware that a personal data breach has occurred, notify the Supervisory Authority without undue delay and will do so within a 72 hour timeframe or less.
b) All Malahide Rugby Football Club employees/mentors must, upon discovery and/or suspicion of a potential personal data breach, notify the Malahide Rugby Football Club Executive Committee and the appointed DPO in writing within a 30 minute timeframe.
4.12 Compliance & Monitoring:
a) Malahide Rugby Football Club shall appoint a designated Data Protection Officer (DPO) for the purposes of monitoring compliance with all Data Protection legislation.
b) The responsibilities of a DPO in accordance with the GDPR (EU/2016/679) are to “assist the controller or the processor to monitor internal compliance with this regulation”. As such, the DPO’s responsibilities will include, but are not limited to, monitoring the ongoing data processing and storage of personal data via:
i. Collection of information to identify processing activities
ii. Maintaining a record of processing operations
iii. Analysing and monitoring compliance of processing activities with all Data Protection legislation, GDPR & internal Policies and procedures
iv. Conducting Data Audits
v. Conducting Privacy Impact Assessments as necessary
c) All Malahide Rugby Football Club employees and mentors will facilitate, comply with and adhere to all Malahide Rugby Football Club internal policies and procedures to ensure that the compliance and monitoring framework of the DPO functions efficiently.
5. DATA PROTECTION BREACH
Any loss of personal data in paper or digital format will be responded to and managed in accordance with the Malahide Rugby Football Club Data Security Breach Policy & Procedures and in compliance with the provisions set out in all applicable Data Protection Legislation.
In order for Malahide Rugby Football Club to be able to comply, it is essential that all incidents (including suspected incidents) which give rise to the risk of unauthorised disclosure, loss, destruction or alteration of personal data are reported without delay to the DPO within a 30 minute timeframe.
Incidents can include:
- Minor incidents which do not actually result in unauthorised disclosure, loss, destruction or alteration of personal data
- Major incidents, for example: loss or theft of devices such as laptops; unauthorised access to the Malahide Rugby Football Club environment
A Data Protection breach can happen for a number of reasons, e.g.:
1. Loss or theft of data or equipment on which data is stored (including break-in to an organisation’s premises)
2. Loss or theft of documents
3. Inappropriate access controls allowing unauthorised use
4. Equipment failure
5. Human Error
6. Unforeseen circumstance such as a flood or fire
7. Cyber-attacks (hacking)
8. Obtaining information from the organisation by deception
9. Misaddressing of e-mails
10. Improper dissemination of information
In the event of a data breach happening, the DPO must be notified immediately and within a 30 minute timeframe. It must not be assumed that someone else has already reported the breach.
The breach should be notified using the official Personal Data Security breach form set out in Appendix 1 of the Personal Data Security Breach Procedures.
The DPO will assess the breach and make a decision on the next steps to be taken in accordance with the Malahide Rugby Football Club Data Breach Response Policy.
Following review of a breach by the DPO, if the data breached affects the rights and freedoms of a data subject, the DPO will inform the Office of the Data Protection Commissioner within a 72 hour timeframe of Malahide Rugby Football Club becoming aware of the breach.
Data Protection Training will be provided through a staff/mentor presentation during induction when employees commence employment with Malahide Rugby Football Club. Refresher Data Protection training will be delivered at least annually to all employees and will be augmented by online material and information notices where appropriate.
7. MALAHIDE RUGBY FOOTBALL CLUB EMPLOYEE AGREEMENT
All Malahide Rugby Football Club employees agree to adhere fully to the Malahide Rugby Football Club Data Protection Policy and all additional policies and procedures. Failure to comply with any of the safeguards, policies, procedures or directions from management or the DPO may be followed by an investigation and may lead to disciplinary action in accordance with Malahide Rugby Football Club disciplinary procedures.
APPENDIX 1 – GLOSSARY
| Term | Definition |
|---|---|
| Data | Information in a form that can be processed. It includes both automated and manual data. |
| Automated Data | Any information on computer or information recorded with the intention of putting it on a computer. It includes not only structured databases but also emails, office documents and/or CCTV footage/images. |
| Manual Data | Information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system. This includes temporary folders. |
| Data Controller | A person who (either alone or with others) controls the contents and use of personal data. A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. |
| Data Processor | A person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his employment. If an organisation or person holds or processes personal data, but does not exercise responsibility for or control over the personal data, then they are deemed to be a “data processor”. |
| Data Protection Officer (DPO) | An ISI appointed officer with responsibility for the Data Protection compliance of the organisation. |
| Data Subject | A data subject is an individual who is the subject of personal data that is held by a data controller or processed by a data processor. |
| GDPR | The new EU General Data Protection Regulation (GDPR), Regulation 2016/679, which comes into effect in May 2018 and replaces the current Data Protection Directive 95/46/EC and the Irish Data Protection Act(s). |
| Personal Data | Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. |
| Sensitive Data | Any personal data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership. |
| Processing | Processing means performing any operation or set of operations on data, including: |