Data Protection Policy
V1.5 [Updated 11/9/2019]
GDPR came into force on the 25th May 2018, it gives increased privacy rights to individuals whose data is being collected.
Ultimate Cheer is committed to a policy of protecting the rights and privacy of individuals, members, volunteers staff and others in accordance with The Data Protection Act 1998. The policy applies to all voluntary, members and staff at Ultimate Cheer.
Data are protected by the Data Protection Act 1998, which came into effect on 1 March 2000. Its purpose is to protect the rights and privacy of individuals and to ensure that personal data are not processed without their knowledge, and, wherever possible, is processed without their consent.
The Act requires us to register the fact that we hold personal data and to acknowledge the right of ‘subject access’ – voluntary and Ultimate Cheer members and staff must have the right to copies of their own data.
Requests can be made by emailing firstname.lastname@example.org
Purpose of data held by the Community Association
Data may be held by us for the following purposes:
There are many reasons why Ultimate Cheer will need to store members personal data.
- Ultimate Cheer will need to take registers of all members that attend each session for safety reasons.
- We will also need all members to fill out an emergency contact form which will be kept on file for the duration of your time at Ultimate Cheer, and destroyed after one year of non-membership.
- Your details will also be registered with each event we attend purely for the event providers to know who is attending and which age category you fall into, the information they will need is minimal.
- Ultimate Cheer will also take photographs/videos for the website, social media and promotional materials such as flyers and posters. Ultimate Cheer may also include athlete names or age in promotional materials, including on social media.
- Ultimate Cheer will need to keep in touch with members or their guardians for example via email or Whatsapp, in order to organise team training and events
- Ultimate Cheer may store personal data provided by prospective new members for communication purposes for example, regarding becoming a member of the club
- Ultimate Cheer will store medical information for safety reasons and in case of an emergency.
- Ultimate Cheer will share photos/videos of training, performances or Ultimate Cheer-related activities with external coaches, for example if an external coach is coming to work with Ultimate Cheer, or an external coach is providing advice relating to Cheerleading skills.
- Ultimate Cheer may share contact details, names and age for hotel reservations
- Ultimate Cheer stores website cookies and visitor tracking information, including “visitor action pixels” from Facebook, in order to track and monitor user engagement, usage of the website and for market research.
- Ultimate Cheer email marketing messages may record a range of subscriber data relating to engagement, geographic, demographics and already stored subscriber data, in order to track subscriber activity.
- Financial records, including but not limited to athlete/parent/guardian names, dates, amounts & transfer reference may be shared with accountants
- Athlete’s size, age, photos and name may be shared with merchandise suppliers/manufacturers
- Athlete names and contact details may be shared with external activity providers for Ultimate Cheer-related social events, for example to reserve an athlete’s space.
Members/guardians contact details may be shared with other members/guardians for communication purposes, for example being added to team social media groups/pages. Photographs taken, and/or footage filmed during practices and performances may be shared with other members/guardians in social media groups/pages, for example a team Whatsapp group.
A. Data Protection Principles
In terms of the Data Protection Act 1998, we are the ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data are, or are to be, processed. We must ensure that we have:
1. Fairly and lawfully processed personal data
We will state our intentions on processing the data and state if, and to whom, we intend to give the personal data.
2. Processed for limited purpose
We will not use data for a purpose other than those agreed by data subjects (members, staff and others). If the data held by us are requested by external organisations for any reason, this will only be passed if data subjects (members, staff and others) agree. Also external organisations must state the purpose of processing and abide by The Data Protection Act 1998.
3. Adequate, relevant and not excessive
Ultimate Cheer will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data are held. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed.
4. Accurate and up-to-date
We may ask members to complete forms from year-to-year in order to maintain accurate and up-to-date records. All amendments will be made immediately, and data no longer required will be deleted or destroyed. It is the responsibility of individuals and organisations to ensure the data held by us are accurate and up-to-date. Completion of an appropriate form (available on our website) will be taken as an indication that the data contained are accurate. Individuals should notify us of any changes, to enable personnel records to be updated accordingly. It is the responsibility of the Association to act upon notification of changes to data, amending them where relevant.
5. Not kept longer than necessary
We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after one year of non membership has elapsed, please note this does not include photographs and videos, personal contact details on our email marketing lists and financial records. Member medical records will be kept for up to 3 years after the member has left and will then be destroyed.
Data collected from prospective new members is kept private and stored securely until a time it is no longer required or has no use.
6. Processed in accordance with the individual’s rights
All individuals that the Association hold data on have the right to:
- Be informed upon the request of all the information held about them
- Prevent the processing of their data for the purpose of direct marketing.
- The removal and correction of any inaccurate data about them.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
All electronic data is password protected. Data provided on paper will be electronically uploaded then destroyed.
8. Not transferred to countries outside the European Economic Area, unless the country has adequate protection for the individual.
Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual.
B. Processing Data
GDPR requires Ultimate Cheer to document why we need to lawfully process people’s data. This includes the information we keep, what it is being used for and our reasons for needing it.
We have the following reasons for processing people’s data:
- Legal – we have the following legal obligations for processing data which include but are not limited to health and safety, insurance and child protection.
- Contractual – which allows Ultimate Cheer to provide members with the services associated with our programme such as sending requests for payment, registers, and entrance to events.
- Legitimate interests – which is when the processing is necessary for the Ultimate Cheer’s legitimate interests such as but not limited to marketing.
- Consent – Is when the individual has given clear consent for you to process their personal data for a specific purpose. For example taking photographs for the Ultimate Cheer website.
Data collected by members, parents/guardians includes the following:
- Name, address, date of birth, age, gender, telephone numbers, next of kin details and email address.
- Family Doctors details.
- Health Records
- Pre-existing medical conditions.
- Ongoing medical conditions
- Any medication currently being taken.
- Various communications where members may be mentioned by name.
- Emails, text, phone calls, post.
- Personal calendars/availability/attendance
- Merchandise/kit sizes
- Financial records
- Individual progress monitored via progress trackers.
- Website cookies and visitor tracking information collected
- Email marketing subscriber data
- Records of Financial Transactions that have taken place.
- IP address
The reasons for needing the above information is covered in section B under Processing Data. The data will be collected directly from members and/or parents/guardians. The data collected will be shared with staff at Ultimate Cheer, Event Providers, Hotels at which the team will be staying at for competitions, external coaches, merchandise suppliers/manufacturers, activity providers or platforms used for Ultimate Cheer-related socials, any external company that Ultimate Cheer works with (for example companies providing technical website assistance), accountants and for promotional materials relating to Ultimate Cheer, including use on social media. Members/guardians contact details may be shared with other members/guardians for communication purposes, for example being added to team social media groups/pages. Photographs taken, and/or footage filmed during practices and performances may be shared with other members/guardians in social media groups/pages, for example a team Whatsapp group.
Data Breach Procedure
In the event of data being lost or shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. This breach procedure sets out the course of action to be followed by all staff at Ultimate Cheer if a data protection breach takes place.
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
- The notification referred to in paragraph 1 shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
In most cases, the next stage would be for the Programme Director to fully investigate the breach. The Programme Director should ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation. The investigation should consider:
• The type of data;
• Its sensitivity;
• What protections were in place;
• What has happened to the data;
• Whether the data could be put to any illegal or inappropriate use;
• How many people are affected;
• What type of people have been affected (athletes, staff members etc) and whether there are wider consequences to the breach.
A clear record should be made of the nature of the breach and the actions taken to mitigate it. The investigation should be completed as a matter of urgency due to the requirements to report notifiable personal data breaches to the Information Commissioner’s Office. A more detailed review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.
Some people may need to be notified as part of the initial containment. However, the decision will normally be made once an initial investigation has taken place. The Programme Director should decide whether anyone is notified of the breach. In the case of significant breaches, the Information Commissioner’s Office (ICO) must be notified within 72 hours of the breach. Every incident should be considered on a case by case basis.
When notifying individuals, give specific and clear advice on what they can do to protect themselves. The notification should include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to mitigate the risks posed by the breach
Review and Evaluation
Once the initial aftermath of the breach is over, the Programme Director should fully review both the causes of the breach and the effectiveness of the response to it. If systemic or ongoing problems are identified, then action must be taken to put these right.
If after review action is required, the necessary steps to complete this must be taken.
Data Processing Consent
In accordance with our Data Protection Policy and in compliance with GDPR and the Data Protection Act of 1988. We will not process any form of data without consent of the parents/guardians or athlete (if over 18 years). Ultimate Cheer will take steps to ensure any data provided to us is used solely for the purposes it was intended.
- I (parent or guardian if under 18 years) can confirm that I have read and understood why Ultimate Cheer has to process certain types of data.
- I (parent or guardian if under 18 years) can confirm I understand who this data will be shared with and the reasons for sharing this data.
- I (parent or guardian if under 18 years) understand that I also have right to withdraw consent at any time by outlining my request in an email to the Data Controller.
If the athlete is 16 years of age or older:
- I (the athlete) can confirm that I have read and understood why Ultimate Cheer has to process certain types of data.
- I (the athlete) can confirm I understand who this data will be shared with and the reasons for sharing this data.
- I (the athlete) understand that I also have right to withdraw consent at any time by outlining my request in an email to the Data Controller.