The General Data Protection Regulation (GDPR) came into effect on 25th May, when it replaced the Data Protection Act 1998.
Behind the scenes, Badminton England has been doing a lot of work to prepare for the new legislation, such as reviewing our data handling practices, and updating our policies in readiness. Protecting the personal data of our members, volunteers and staff, and ensuring that we handle it in accordance with the law is of paramount importance to us.
We know that county and local clubs throughout the country will share concerns about compliance with the GDPR. These ‘Frequently Asked Questions’ are intended to address many of the queries that clubs may have.
Q | We hold our club members' details on an Excel spreadsheet which is made available to all club members. Is this acceptable under the new data protection legislation?
Security is a fundamental part of data protection legislation. This means that one of the first considerations when a County Badminton Association or club collects members' personal data is that it must be stored securely. Our advice to club members is that if they hold club members' details on an Excel spreadsheet which is made available to all club members, this spreadsheet should be held in a secure members' area (i.e. not on a publicly accessible website). Finally, transparency information must be provided to these members which clearly and concisely describes how their personal data is used. This will most likely be provided by way of a website privacy notice on the Club or County Badminton Association's website. The notice will also need to explain that members' details will be accessible to other members on the Excel spreadsheet.
Q | Do you have a template privacy notice for club members?
Alongside several other key policies, Badminton England has updated our privacy notices. A template privacy notice can be downloaded here.
Q | How do we tell our members how their data is being used by Badminton England?
Protecting the personal data of our members and volunteers and ensuring that we handle it in accordance with the law is of paramount importance to us. Transparency is a fundamental part of the new data protection legislation, and we are committed to providing our members with clear and concise information as to how we use their personal information. This information will be provided to members by way of our website privacy notice.
Q | We collect our members' addresses to complete their membership information for Badminton England, but do not need or use this information for any other purpose. Do we need to continue to collect addresses?
Data minimisation is a key principle of data protection legislation. Badminton England is committed to ensuring that it only collects adequate and relevant personal data, limited to the personal data which is necessary in relation to the purpose. This means that any personal data which is necessary to sign up a member to Badminton England must be collected. Members' contact details, which include addresses, are a key part of the information Badminton England requires to complete a member sign up / renewal.
Q | Should we ask junior members to enter their details themselves so that they are 'exposed' to Badminton England's privacy notice directly, rather than us having to link to it?
The protection of children's personal data is very important, and Badminton England is committed to ensuring extra care is taken to keep children's personal data protected. We are required to process junior members' personal data in order to perform our membership contract with them. We take care to consider the child's competence to understand what they are agreeing to. If a junior member is a young child, all routine communications will be conducted through the child's parents, and the child's parents should have access to information about what their child is signing up to. Transparency is a fundamental part of the new data protection legislation and we are committed to providing our members with clear and concise information as to how we use their personal information. We will provide this information to our junior members by way of our website privacy notice which will be clear and written in plain, age-appropriate language. For parents of young children, we will make it clear how Badminton England uses their child's personal data.
Q | Are County Badminton Associations entitled to use members' personal details that they obtain from Badminton England? Will members have to indicate whether data submitted to Badminton England can be passed to us, and if so, how will we know?
The GDPR aims to give choice and control to data subjects. Therefore, the safest approach would be to give members the option not to have their data shared with County Badminton Associations. As such, Badminton England will be providing the option to members to opt in to receive communications from their County Badminton Association – these preferences will form part of Badminton England’s Direct Marketing Policy. Transparency is a fundamental part of data protection, and Badminton England must provide clear and concise information to its members on how it uses members' personal data (including information on how personal data is transferred to County Badminton Associations, if a member chooses to opt in to receive such communications). This information will be provided to members by way of our website privacy notice, which will be posted on our website in due course.
Q | Do we need to allow members to request us to "remove all data" or should that be done via Badminton England?
The "right to be forgotten" only arises in certain situations. If a member exercises this right, their request must be answered in one month. Whichever entity (in this case likely to be either Badminton England or a club) receives the request will likely have to respond, and you will have an obligation to ensure such information is erased.
Q | Are there restrictions on what we can use these details for?
The purpose limitation principle is one of the seven principles of the GDPR. This means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes. When Badminton England, a club or a County Badminton Association collects personal data from members, it must clearly specify the purposes for which it is collecting that data. This will be set out in the website privacy notice for members. We, or you, are not allowed to process personal data for any other purposes unless we notify the data subject (and have a legal basis for such processing).
Q | Do we need to distinguish between personal data submitted via Badminton England directly on our website?
Transparency is a fundamental part of data protection, and Badminton England, clubs and County Badminton Associations must provide clear and concise information to their members on how they use members' personal data. When Badminton England collects personal data from its members, it will provide this information by way of its website privacy notice. When a Club or County Badminton Association collects personal data directly from a member, it must provide them with this information. This will be given by way of its own website privacy notice. Badminton England will be publishing template privacy notices on its website in due course.
Q | Is a member's Badminton England membership number "personal data"?
"Personal data" is defined as any information which can directly or indirectly identify an individual. This means that if it is possible to identify an individual using their Badminton England membership number (whether just by using their membership number, or matching it up with other information you hold), this constitutes "personal data". This means it should be securely stored and protected and only those with a business need to access such data should have such access. If another member has access to a member's Badminton England membership number but does not have any other information with which to identify the individual member, the membership number will not constitute "personal data".