Data protection policy

Data protection Policy

Effective Date: 15/7/24

1. Introduction

Spokey Dokey Badge Club ("Badge Club") is committed to protecting the privacy and security of personal data. This policy outlines our approach to data protection and the procedures in place to ensure we comply with data protection laws, including the General Data Protection Regulation (GDPR).

2. Scope

This policy applies to all staff, volunteers, and any other individuals who handle personal data on behalf of Badge Club. It covers all personal data we process, including staff details, child details (including health information), parent/guardian details, and volunteer information.

3. Principles of Data Protection

We adhere to the following principles:

  • Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner.

  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Data minimization: Data collected is adequate, relevant, and limited to what is necessary.

  • Accuracy: Data is accurate and kept up to date.

  • Storage limitation: Data is kept in a form that permits identification of data subjects for no longer than necessary.

  • Integrity and confidentiality: Data is processed in a manner that ensures appropriate security.

4. Data Collection and Processing

We collect and process the following types of personal data:

  • Staff Details: Name, contact information, employment records, qualifications, DBS checks.

  • Child Details: Name, contact information, health information, emergency contact details, attendance records.

  • Parent/Guardian Details: Name, contact information, relationship to the child.

  • Volunteer Details: Name, contact information, volunteer agreement, DBS checks.

5. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Consent: Explicit consent obtained from parents/guardians for processing children's health information.

  • Contract: Processing necessary for the performance of a contract with staff and volunteers.

  • Legal Obligation: Compliance with legal obligations (e.g., safeguarding laws).

  • Legitimate Interests: Processing necessary for the legitimate interests of Badge Club, balanced against the rights of data subjects.

6. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Access Controls: Restricted access to personal data to authorized personnel only.

  • Encryption: Encryption of sensitive data where applicable.

  • Training: Regular training for staff and volunteers on data protection principles and practices.

  • Incident Response: Procedures in place to detect, report, and investigate data breaches.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are defined as follows:

  • Staff and Volunteer Data: Retained for the duration of employment/volunteering and a period of 6 years thereafter.

  • Child and Parent/Guardian Data: Retained for the duration of the child's participation in the club and a period of 2 years thereafter.

8. Data Subject Rights

Individuals have the following rights regarding their personal data:

  • Access: Right to access their data and receive information about its processing.

  • Rectification: Right to request correction of inaccurate or incomplete data.

  • Erasure: Right to request deletion of their data under certain conditions.

  • Restriction: Right to request restriction of processing under certain conditions.

  • Portability: Right to receive their data in a structured, commonly used format.

  • Objection: Right to object to data processing based on legitimate interests.

9. Data Breach Management

In the event of a data breach, we will:

  • Notify the relevant supervisory authority within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals.

  • Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

  • Document all breaches, including the facts, effects, and remedial actions taken.

10. Contact Information

For any questions or concerns regarding this policy or data protection practices, please contact:

  • Rob Dalby

  • Email: rob@badgeclub.org

11. Review and Updates

This policy will be reviewed annually and updated as necessary to ensure ongoing compliance with data protection laws and best practices.

End of Data Protection Policy