Worcester Warriors Supporters’ Society Ltd
Data Protection Policy:
Worcester Warriors Supporters’ Society Ltd may have to collect and use information about people with whom we want to work. These will include members and suppliers whose personal information must be handled and dealt with properly, irrespective of how it is collected, recorded and used, whether on paper or in computer records. These are the required safeguards within the Data Protection Act (DPA) and in accordance with UK General Data Protection Regulation (GDPR) 2018.
Worcester Warriors Supporters’ Society Ltd regard the lawful and correct treatment of personal information to be important to the success of our operation and to maintain confidence between us and those we serve. We will ensure that we treat personal information lawfully and correctly. To this end we fully endorse and adhere to the Principles of Data Protection as set out in the Data Protection Act (DPA) and in accordance with UK General Data Protection Regulation (GDPR) 2018.
The Principles of Data Protection
The DPA stipulates that anyone processing personal data must comply with the 7 principles of good practice. These principles are legally enforceable.
The principles require that personal data:
Lawfulness, fairness and transparency: Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
Purpose Limitation: Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
Data Minimisation: Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
Accuracy: Shall be accurate and where necessary, kept up to date.
Storage Limitations: Shall not be kept longer than is necessary for that purpose or those purposes.
Confidentiality: Shall be processed in accordance with the rights of the data subjects under the Act and only people who are processing the data will have access to it. It shall be kept secure i.e., protected by an appropriate degree of security.
Accountability: The Data Processor is responsible for complying with DPA in accordance with UK GDPR. Data will not be transferred to third parties.
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.
Personal data is defined as data relating to a living individual who can be identified from:
(a). that data, being only:
Member Name
Contact Address
Email Address
Telephone Number
Year of Birth (for voting purposes at Annual General Meetings)
(b). that data and other information, which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the Data Controller, or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
racial or ethnic origin.
religion or other beliefs.
trade union membership.
physical or mental health or condition.
sexual life.
criminal proceedings or convictions.
NB: It is the Policy of Worcester Warriors Supporters’ Society Ltd not to collect Sensitive Personal Data.
Handling of Personal Information.
We will, through appropriate management and the use of strict criteria and controls:
observe fully conditions regarding the fair collection and use of personal information.
meet our legal obligations to specify the purpose for which information is used.
collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
ensure the quality of information used.
apply strict checks to determine the length of time information is held.
shall be accurate and where necessary, kept up to date.
shall not be kept for longer than is necessary for that purpose or those purposes.
shall be processed in accordance with the rights of data subjects under the Act.
shall be kept secure i.e., protected by an appropriate degree of security.
In addition, we will ensure that everyone managing and handling personal information understands that they are responsible for following good data protection practice, and that methods of handling personal information are regularly assessed and evaluated.
All Board members are to be made fully aware of this policy and of their duties and responsibilities under the Act.
All Board members must take steps to ensure that personal data is always kept secure against unauthorised or unlawful loss or disclosure and will ensure that paper files and other records or documents containing personal data are kept in a secure environment. Personal data held on computers and computer systems is protected using secure passwords, which where possible have forced changes periodically, and individual passwords should be such that they are not easily compromised.
All contractors, consultants, or partners must:
Ensure that they and all their staff who have access to personal data held or processed for or on behalf of us, are aware of this policy and are fully aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between the Trust and that individual, company, partner or firm.
Allow data protection audits by us of data held on our behalf (if requested).
Indemnify us against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All contractors who are users of personal information supplied by us will be required to confirm that they will abide by the requirements of the Act about information supplied by us.
Under the DPA in accordance with GDPR the Data Protection Officer/Controller MUST notify the Information Commissioner’s Office (ICO) of a data breach without delay, where that data breach results in a risk to the rights and freedom of the data subject.
Data Records Management
The objective of this section is to turn the above policy into practical records management. The 3 issues to be highlighted are:
Accountability - Adequate records are to be maintained to account fully and transparently for all actions and decisions.
Security - Records will be secure from unauthorised or inadvertent alteration or deletion. Records will be held in a robust format which must remain readable and accessible for as long as information is relevant and/or required.
Records Retention and Disposal
Accountability-Roles and Responsibilities
The following roles have been appointed within the Trust:
Worcester Warriors Supporters’ Society Ltd: Data Controller - the organisation responsible for deciding how and why personal data is to be processed. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Wix.com: Data Processor - the organisation responsible for carrying out data processing on behalf of the controller. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Trust Secretary: Data Protection Officer - the person responsible for ensuring that the Trust is compliant with the Data Protection Laws. All breaches of data protection must be reported to the Data Protection Officer who will, following investigation, report the matter to the Board.
See point 14 in respect of statutory requirements for reporting data breaches to the ICO.
We take several steps to ensure that both members’ and the Board’s data is protected.
We take steps to minimise the risk of cybercrime through the purchase of a certificate for the domain, so all traffic is encrypted.
We ensure access to the database is strictly restricted to the minimum number of individuals required to manipulate data.
The Board is regularly provided with awareness training on the importance of Data Protection Management and the relevant policies and procedures.
Our terms and conditions include what members need to know about our use of their data, including the purposes for which it is collected and their rights. (Privacy Policy)
Records Creation and Disposal
We hold only the following personal data on our current and past members:
Member Name
Contact Address
Email Address
Telephone Number
Year of Birth (for voting purposes at Annual General Meetings)
We shall not retain information on any individual who is no longer a member of the Trust for more than 7 years after their membership has expired.
Policy Review
This policy will be reviewed periodically (every 3 years) or at any time that the UK national guidance is amended.