Privacy Policy

Data Protection & Information Security Policy


Contents

1     Introduction

2     Scope

3     Importance of data protection

4     Principles relating to processing

5     Contacts and Responsibility

6     Retention

7     Security of processing

8     Classification of data

9     Data subject rights

9.1       The right to be informed

9.2       The right to access (Subject Access Requests)

9.3       Right to rectification

9.4       Right to Erasure

9.5       Right to restrict processing and Right to object to processing

9.6       Right to portability

10    Review and Signature

1        Introduction


Metcalf Multisports is committed to conducting its business in accordance with all applicable data protection laws and its ethical and moral obligations. 

This policy sets out how we, at Metcalf Multisports will meet data protection obligations and how the third parties we work with will meet their obligations to our business and the personal data they process on our behalf or because of the business relationship with them.

We recognise that changes to data protection laws, codes of practice and the outcome of case law may, depending on what they are, have an impact on what we do and how we do it. We intend to stay abreast of any such changes and make the necessary adjustments to our processing activities or documentation as a result.

All documentation will be reviewed at least annually and shall be supported, where applicable, by the results of risk assessments, privacy impact assessments or changes to the way we do business which in turn change the nature of what we do and how we do it where personal data are concerned.

2         Scope


This policy applies to the personal data that are processed by Metcalf Multisports, whether that be for employees, consultants, pupils, teachers, parents, members of the public or of any third parties which we work with.

This data protection policy sets out the reasons why data protection is important, what Metcalf Multisports' stance is on meeting data protection obligations, contacts and responsibilities, and how violations are dealt with.

This data protection policy shall be supported by further documentation that shall include:

·        How to deal with a subject access request

·        Breach notification policy

·        Privacy impact assessment template for use and guidelines on how to conduct

·        Supplier due diligence process

·        Business Continuity plan

Our privacy notice sets out the personal data we process.

3        Importance of data protection


We all, as individuals, have the right to have our personal data managed in a manner which is compliant with the law that protects our right to privacy.

The Data Protection Act describes how organisations, including Metcalf Multisports, must collect, handle, store, share and dispose of personal data. These rules apply whether the data are electronic, hard copy or other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by Data Protection Principles. 

4        Principles relating to processing


We will in all instances be completely fair and transparent in the processing we do and act in accordance with all laws, not just data protection laws. It is our duty to provide those individuals whose data we process with a privacy notice prior to the processing of their data, setting out what we intend to do with their data and why it will be processed, along with other important information such as how long it will be retained for and which other parties may have access to it.

Metcalf Multisports is the data controller or the data processor depending on the nature of the data being processed, and depending on the data, the legal condition for processing it may differ. We have set out in our privacy notice the different sets of data, the purposes for processing and the legal condition for processing. Please ask for a copy.

As far as employees' data are concerned, they are processed lawfully as part of the employment contract; there are also categories which we have to share with HMRC (and ***** Pension for staff pension) as a statutory obligation.

There are also special category data which are processed in relation to your employment with Metcalf Multisports, specifically in relation to sickness or injury. We don't process these data for any other reason.

We understand the importance of keeping your information up to date; after all, if we are processing personal data, we need to make sure they are accurate, as there is no point in holding them otherwise. Naturally, we want to make those changes as quickly as possible, so just let us know of any changes so we can make this happen. We will remind you annually on your renewal form, but we'd prefer to capture changes as soon as possible.

It is important to us and to you, that we only process the data that is absolutely necessary for the purpose that we have set out. You will find that the forms we use for data capture along with data we hold is kept to an absolute minimum and will be retained only as long as necessary to achieve the purpose for which it was obtained in the first place, again this is set out in our privacy notice.

We also want to make sure that only those people who need to see your personal data are those that need to see it for the purpose of their employment, the administration of the business and our schools and courses.

Access to personal data is tightly controlled with both the minimum processed and where we act as a processor on behalf of our schools, data is stored with them in order to maintain a high level of security. Furthermore, internal processing is carried out in a controlled environment by one member of the team.

We have assessed the risks associated with the personal data we hold and have taken a risk-based approach to its processing. Those risks are to the confidentiality, integrity and availability of our information. For example:

·        Confidentiality: information not being secured and given out inappropriately.

·        Integrity: allowing data to be changed when it shouldn't be.

·        Availability: not having access to information when it is needed.

Our technical measures are robust, assessed at least annually or as the risks to our business change, and are updated accordingly. The measures we have chosen are both appropriate and proportionate to the personal data in our control and the nature of the processing carried out.

Similarly, our organisational measures are reviewed at least annually (or with changes to the business, codes of practice or case law that might influence change) and, should changes be necessary, they are made.

As part of that risk-based approach, our ethical and moral obligations and our desire to keep privacy at the core of how we behave, where there are changes to, or new, systems, technology or processes, we will consider the necessity of conducting a privacy impact assessment and take on board the outcome prior to progressing with any of those changes.

Our Privacy Impact Assessment template and guidelines for use support this policy along with our approach to privacy by design (keeping privacy at the core of what we do).

5        Contacts and Responsibility


Who does what, and who is responsible? It's a great question, and we are all responsible. As a business we all have access to, and process, varying degrees of personal data. As a result, we must all understand what our responsibilities are with regard to confidentiality and the data protection principles.

Our collective knowledge and understanding, along with our approach to privacy by design, is what will give our customers, employees and other stakeholders confidence in what we do and how we do it.

Whilst Ashley Metcalf is responsible for ensuring that Metcalf Multisports meets its data protection obligations on a day-to-day basis, he is supported by the team and has the engagement of a data privacy specialist.

It is Ashley's responsibility to:

·        Ensure the business is kept updated on data protection responsibilities, risks and issues.

·        Review and update, where necessary, data protection procedures and policies in line with an agreed annual schedule.

·        Arrange data protection training and advice for all employees of Metcalf Multisports.

·        Handle any data protection related questions.

·        Deal with any individual who wishes to exercise their data subject rights.

·        Carry out due diligence and contract review with data processors and potential data processors.

·        Ensure that the IT systems are fit for purpose and that any security controls in place are based on risk and proportionality.

Collective general expectations of staff at Metcalf Multisports are:

·        The only people able to access data covered by this policy should be those who need it for their work.

·        Data should not be shared informally. Should access to confidential information be necessary, this should be sought from Ashley Metcalf.

·        Metcalf Multisports will provide all employees with training on an annual basis to help them understand and stay on top of their responsibilities when handling data.

·        Employees should keep all data secure by taking sensible precautions and following the guidelines below (under Security of processing).

·        Personal data should not be disclosed to unauthorised people, either within the company or externally.

·        The opinion of Ashley Metcalf should be sought if one is unsure of any aspect of data protection and how it should be handled.

·        Data should be held in as few places as necessary. Unnecessary copies should not be made.

·        Text messages sent or received containing names should be deleted once all relevant information has been obtained by both parties.

6        Retention


As a business we don't like to keep hold of personal data that we don't need. When it's time to destroy documents containing personal data we check them to make sure we don't need to retain them any longer. If they do not need to be retained, then we'll shred them confidentially on the premises (using one of the office shredders or an external service). If they do need to be kept for any reason, we'll make a note and set a new date.

As a rule of thumb, records that help us meet our statutory requirements will be kept for 7 years.

You can see below an outline of how long we keep certain data sets for.

Type of Data | Length of time it will be retained for
Registers | 7 years
Class For Kids registers and parent information (online) | By child year group: Year 6 - 1 year; Year 5 - 2 years; Year 4 - 3 years; Year 3 - 4 years; Year 2 - 5 years; Year 1 - 6 years; EYFS - 7 years (if the parent decides to withdraw their data then this will be done upon request)
Emails | 6 months
Employee records | Duration of their employment
Recruitment records | Duration of the recruitment process
Text messages (Metcalf Multisports phone) | Half term
Text messages (Coaches' phone) | Straight after the message has been sent


6.1     Class for kids data

Data reference | Type of data | Purpose of data
Parent | Name and contact details | Clubs need to know who parents are and communicate with them
Location | Parent/child address | Clubs understanding the location of their customers; ClassForKids understanding the location of platform users
Child | Child name, DOB and gender | Clubs need to know each child and may make class or facility choices based upon age or gender
Emergency | Name, telephone number and relationship to child for emergency contacts | Clubs need to have instant access to direct contacts in case of emergency
Medical | Any medical information that a parent deems relevant to their child's participation in classes | Clubs may make specific arrangements depending on the medical needs of children
Custom | Answers to any additional questions that a specific club deems relevant to their club or activity | Clubs may use the answers to these questions to make business or activity related decisions
Club notes | Notes taken by a club connecting to a specific child | Internal notes connecting to a specific child that help the club to make business or activity related decisions
Technical | Technical activity tracking during platform use | To understand platform usage for the purpose of improving the platform; to diagnose and correct technical issues arising through platform use


7        Security of processing


It stands to reason that neither we nor you want people accessing your personal information unless it is authorised or necessary for the purpose we have gathered it for. The same is true of our commercial information, and we have conducted a risk assessment which has helped us determine how we will protect your personal information and the business's commercial information.

Appropriate organisational and technical measures have been employed by Metcalf Multisports to stop unauthorised access and protect the confidentiality and integrity of the information we hold.

Like every business, what makes us successful is our team; you're part of that team now and we need you to do your bit in protecting our business and your colleagues', customers' and suppliers' data. If you see something that could compromise any of the above, or is contradictory to this or other supporting data protection and information security policies/processes, we'd hope and expect you to bring it to your manager's attention. After all, a compromise isn't good for the individual or the business and we need to do everything within our power to stop it happening.

As we review our internal policies/processes at least annually, it's an ideal opportunity to see what is and isn't working. If something's not working we need to identify why and make the changes; your help and support in this process is crucial. Nobody wants to be doing something that doesn't work, and identifying the problem and the solution can only make us more secure and compliant.

Key points to assist in the security of information at Metcalf Multisports:

·        Should you be required to use a PC, a strong passphrase should always be used. This would be a passphrase made up of three or more unconnected words; it should not be shared, or written down and made available to others. It should also only be used on a single system and shall be changed every 60 days.

For example: houserotarywhale17

·        When data is stored on paper it should be kept secure and away from where unauthorised people can see it.

·        Class For Kids registers (printouts) should be kept in the school office.

·        Class For Kids online registers are to be used only to mark attendance at the beginning of the club and for emergency medical/contact information if required.

·        Coaches may use phones/tablets (if the school authorises it) to complete the register for clubs on Class For Kids.

·        All personal data kept in the office shall be retained in a locked cabinet, accessed only by Ashley Metcalf.

·        Any printouts and other pieces of paper that have personal data on them should be shredded and disposed of securely when no longer required.

·        Electronic data should only be saved to the locations indicated on OneDrive and never to the hard drive or desktop of the machine, and should not be shared with unauthorised people.

·        Backups will be done automatically through Office 365.

·        Visitors on the premises shall be accompanied at all times.

·        Access to systems shall be determined based on role within the business and formally given on the first day of employment. Should roles change, access to certain systems and information may change as a result. Access shall be revoked prior to a member of staff leaving the business.

·        Removable media are not permitted within the business; there is no need for them.

·        Any text messages with confidential information should be deleted when there is no longer a use for them (Metcalf Multisports phone).

·        Any text messages with confidential information should be deleted as soon as the message has been sent (coaches' phone).

8        Classification of data


At Metcalf Multisports, we operate a data classification policy to enable staff to make the right decisions about how different pieces of personal data are handled. We split personal data into three categories, they are:

Public: This is information that we are happy being in the public domain, such as marketing material or the information on our website. There is little control over this.

Strictly Confidential: All other information, whether commercial or personal. Access is limited to least privilege; it should not be reproduced or shared, and shall be shredded.

9        Data subject rights


There are eight rights we all have as individuals.

9.1       The right to be informed


Individuals have the right to be given a “fair processing notice” or “privacy notice”; we all want to know what is going to happen with our personal data and why, how long it’s going to be kept for and what to do if we’re not happy with the way in which it is being used.

A privacy notice will give you a clear picture of what and how we do things with personal data. This notice must be provided either the first time of contact with the individual or within 30 days if we have obtained their data via a third party (such as a producer who may include the owner’s details on entry forms).

9.2       The right to access (Subject Access Requests)


We all have the right to know what personal data a business holds and processes on us. There may be an occasion where you get asked the question or want to know yourself. If this is the case, direct the enquiry to Ashley Metcalf immediately. We only have a short amount of time (30 days) in which to respond and want to ensure that we respond in the correct and appropriate manner.

9.3       Right to rectification


Having accurate data is critical; inaccurate data helps nobody. Individuals have the right to amend (rectify) their data if they believe it is inaccurate or incomplete. It's important that these changes are made immediately. If you find out about any changes that need to be made, please make the changes if you're in a position to do so, or notify Ashley Metcalf if you're not.

9.4       Right to Erasure


If an individual wishes to exercise this right, it will be the business's decision to assess whether or not to do so, based on a number of factors. In the first instance, should someone suggest they wish to exercise this right, refer them to Ashley Metcalf.

9.5       Right to restrict processing and Right to object to processing 


As with the right to erasure, should an individual wish to exercise these rights, raise the matter immediately with Ashley Metcalf.

9.6       Right to portability


Given the nature of how Metcalf Multisports operates this is not something that we would need to comply with.

10      Review and Signature


I have read and understood the content of this Data Protection and Information Security Policy and what my obligations are, and sign to that effect. Please give this form back to Ashley Metcalf.