1. Data protection principles

The West Midlands Junior Squad (WMJS) is committed to processing data in accordance with its responsibilities under the General Data Protection Regulations (GDPR).

Article 5 of the GDPR requires that personal data shall be:

a. Processed lawfully, fairly and in a transparent manner in relation to individuals.

b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

c. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. General provisions

a. This policy applies to all personal data processed by WMJS.

b. WMJS is exempt from registering with the Information Commissioner’s Office (ICO) as an organisation that processes personal data.

c. WMJS is not required by the regulations to appoint a data protection officer, and we have chosen not to do so. However, we have appointed our Coordinator to be the "Responsible Person" for overseeing our compliance with data protection.

d. All our members and volunteers are responsible for data protection. Everyone has their role to play to ensure that we remain compliant with data protection laws. Detailed practical steps that members and volunteers should follow are listed in section 10 of this policy.

3. Lawful, fair and transparent processing

a. To help ensure its processing of data is lawful, fair and transparent, WMJS shall maintain a register of all systems or contexts in which personal data is processed by WMJS (the "Register of Systems").

b. Individuals have the right to access their personal data and any such requests made to WMJS shall be dealt with timeously.

4. Lawful purposes

a. All data processed by WMJS must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).

b. WMJS shall note the appropriate lawful basis in the Register of Systems.

c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in WMJS’s systems.

5. Data minimisation

WMJS shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy

WMJS shall take reasonable steps to ensure personal data is accurate and kept up to date.

7. Archiving / removal

WMJS shall archive and remove data as shown in WMJS’s data privacy statement and as detailed below in section 10.

8. Security

a. WMJS shall ensure that personal data is stored securely using modern software that is kept up to date.

b. Access to personal data shall be limited to members who need access to data.

c. When personal data is deleted this should be done safely such that the data is irrecoverable.

d. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, WMJS shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO (more information on the ICO website).

10. Practical day-to-day steps for members and volunteers

a. Treat all personal data with respect, as you would want your own personal data to be treated.

b. Immediately notify the Responsible Person if you become aware of or suspect the loss of any personal data or any item containing personal data.

c. Files containing personal data which are held on laptops, mobile devices or removable storage devices (such as USB sticks) should be password protected and/or encrypted.

d. If you email a file containing personal data it should be encrypted or password protected. The decryption key or password should be forwarded separately from the email.

e. If you are responsible for maintaining a set of personal data for WMJS, then you should ensure that old data is removed in the timescales set out in WMJS's Data Privacy Notice. In particular:

· data shall be securely deleted when a member leaves the squad;

· accident forms shall be securely deleted four years after the accident and

f. If the Responsible Person receives a subject access request, the Responsible Person shall promptly ask each of the people responsible for maintaining the different sets of personal data to timeously gather the required information, so that WMJS can respond to the request.

g. The Responsible Person may receive requests to correct or delete personal data. If the request is in respect of correction, then the person responsible for maintaining the data set should ensure the correction of the data. If the request is in respect of deletion, then WMJS should discuss the request and delete the data if it is appropriate to do so.

h. If you hold an extract of a set of personal data, then you should ensure that old copies of such data extracts are securely deleted if you are provided with an updated set of personal data. You should also ensure that you securely delete such data extracts if you no longer need to process them on behalf of WMJS.

i. Do not transfer personal data outside the European Economic Area (EEA) unless such transfer is in compliance with our Data Privacy Statement. In particular, this affects both:

· cloud storage of data; and

· the use of cloud e-services. If you have a need to use such a service, notify the Responsible Officer so that WMJS can consider and amend its Data Privacy Policy appropriately.

j. If you become aware of the squad use of personal data which is not described in the Register of Systems or in the squad Data Privacy Notice, or become aware of a new usage of personal data which is needed for the squad to undertake its activities, then please promptly notify the Responsible Officer.