Bury Supporters Collective Ltd trading as Bury Phoenix (and henceforth referred to as Bury Phoenix in this document) is committed to processing personal data in accordance with its responsibilities under the General Data Protection Regulation (GDPR) which was enacted into UK law through the Data Protection Act 2018. This Policy sets out how Bury Phoenix manages those responsibilities and follows best practice.
Any information which can be linked to a living individual will be deemed ‘personal data’ and will be covered by this Policy. Bury Phoenix obtains, uses, stores and otherwise processes personal data relating to prospective, current and former staff and volunteers, members, contractors, website users and other contacts, collectively referred to in this policy as ‘data subjects’.
This Policy seeks to ensure that we are clear about how personal data must be processed and Bury Phoenix’s expectations for everyone who processes personal data on its behalf. It applies to all personal data, regardless of where that information is stored – including mobile devices and paper records. All staff processing personal data on behalf of Bury Phoenix must read this Policy and abide by it. Failure to do so may result in disciplinary action. Any negligent processing of personal data may result in fines from the Information Commissioner as well as reputational damage to the club.
This Policy will be reviewed annually. Implementation of this policy will be monitored by the board of Bury Supporters Collective Ltd.
Data Protection Principles
When we process personal data we must abide by the principles of the GDPR which demand that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The ‘lawfulness’ requirement means that our processing of personal data must meet one of the following conditions:
- The data subject has given consent.
- The processing is required due to a contract.
- It is necessary due to a legal obligation.
- It is necessary to protect someone’s vital interests (i.e. life or death situation).
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- It is necessary for the legitimate interests of the controller or a third party.
Special categories of personal data are restricted by extra safeguards to give further protection to the privacy of data subjects. These categories cover information relating to an individual’s:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sex life and sexual orientation
- genetic data and biometric data
Where this nature of information is being processed, at least one of the following conditions must be met:
- The data subject has given explicit consent.
- The processing is necessary for the purposes of employment, social security and social protection law.
- The processing is necessary to protect someone’s vital interests.
- The processing is carried out by a not-for-profit body.
- The processing is manifestly made public by the data subject.
- The processing is necessary for legal claims.
- The processing is necessary for reasons of substantial public interest.
- The processing is necessary for the purposes of medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
- The processing is necessary for public health.
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to certain safeguards which are explained in the Handbook.
A register of systems will be maintained to further ensure lawful processing of information. This will be a log of types of personal data held, the location, basis for holding, security measures in place, further permissions and time for review. For example:
Season ticket holders – name, address, method of payment, email, phone number – Bury Phoenix drive – password protected – consent provided – opted in to email notifications – end of season update required.
The register will be reviewed annually to ensure ‘storage limitation’. Personal data must not be kept for longer than is necessary for the original purpose the information was collected for. Once information is no longer required, it must be deleted or securely destroyed.
Consent and Purpose Limitation
We will seek consent for processing where it is feasible and appropriate to do so. Consent means offering a real choice and control. It will build trust, engagement and help the reputation of the Club.
Consent requires a clear opt-in. We will not use pre-ticked boxes or any other method using consent by default.
We will be clear and concise where we are seeking consent for different things rather than using a blanket approach.
If electronic communications (emails, phone calls or texts) are sent to individuals based on their consent, an opportunity to reverse this decision will be sent with every communication, in order to meet our duties under the Privacy and Electronic Communications Regulations.
We will make it easy for data subjects to withdraw consent for other processing and will clearly explain how they can do so. If an individual is under the age of 13, consent for online services must be provided by a parent or guardian. As such, when collecting data, we need to ensure an effective means of checking the age of the person from whom the data is collected and have parental consent mechanisms in place.
Consent is one lawful basis for processing but it is not the only option. In some circumstances consent will not be appropriate – for example when holding details of individuals banned from football grounds – and at these times we will ensure we have other adequate grounds for processing.
Bury Phoenix will ensure that personal data is adequate, relevant and only what is required for the purpose it is to be used for. We must not keep extra personal data if it is not clear why it is needed and should not keep information which is no longer needed for a clear purpose.
Bury Phoenix will take reasonable steps to ensure that personal data held is accurate. Steps will be put in place for updating information.
If we wish to release any personal data outside of the Club we must ensure that there is a valid condition for doing so in line with the principles outlined above. Any such disclosure must also be in line with the purposes we had informed the data subjects about initially.
Data subjects have the right to a copy of the information which Bury Phoenix hold about them, including the source of that information and any uses we make of it. A request can be made in writing or verbally and we must respond within one month. Whilst these requests are rare for football clubs, they can legally be made to any member of staff and therefore we must ensure that all staff are aware of their responsibility to pass the details on to Bury Supporters Collective Ltd the same day. A written record should be kept of any verbal requests. A separate ‘Subject Access Guidance’ sheet is available.
Personal data will be stored securely using modern software which is kept up to date, with protections – to be listed in the register of systems.
Access to personal data will be on a need to know basis and security must be in place to avoid unauthorised access.
When a decision is made to delete personal data this must be done with appropriate security to ensure the information cannot be recovered.
Appropriate back-up and recovery systems must be put in place.
It must be clear who owns personal data. All staff and volunteers working for Bury Phoenix must be aware that the information they have access to as part of their role belongs to the Club and is not to be shared or accessed without the relevant permissions.
We will maintain a mailing list. This will include the names and contact details of people who wish to receive publicity, fundraising appeals and further information from Bury Phoenix.
When people sign up to the list we will explain how their details will be used, how they will be stored, and that they may ask to be removed from the list at any time. We will only send messages where consent has been provided.
We will not use the mailing list in any way that the individuals on it have not explicitly consented to.
We will provide information about how to be removed from the list with every mailing.
Selling Tickets and Merchandise
To order tickets and merchandise, people complete an order form on our website, which includes providing a name and address for the items to be delivered to.
When ordering, people will be asked if they wish to be added to our mailing list. If they do not opt to be on the mailing list, their details will be deleted within one month of processing their order, and will not be used for any purpose other than communicating with them about their order.
People volunteer to help Bury Phoenix in a number of ways. We will maintain a list of contact details of our recent volunteers. We will share volunteering opportunities and requests for help with the people on this list. If someone on the list has not volunteered or been in contact for a period of 12 months, we will contact them to check if they still wish to remain on our list.
When contacting people on this list, we will be clear about why we have their information, what we are using it for, how long we will keep it, and that they can ask to have it deleted or amended at any time by contacting us.
To allow volunteers to work together, it is sometimes necessary to share volunteer contact details with other volunteers. We will only do this with explicit consent.
Registration with the Information Commissioner
At the time of policy approval it is felt that Bury Phoenix is currently exempt from registration under the Data Protection Act. This is due to the ‘not-for-profit’ exemption.
Any profit made by Bury Phoenix will be used for the purposes of the Club and Club activities and will not be used to enrich others. Furthermore, the personal data we hold will be used only for the purposes of the Club, maintaining membership and providing or administering activities for either our members or those who have regular contact with us.
We will review this decision on an annual basis.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Bury Phoenix will promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the Information Commissioner’s Office within the required 72-hour deadline.
Personal data breaches could occur through:
- Loss or theft of data or equipment
- Ineffective access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
Anyone who is aware of, or suspects, a breach must report this to the board of Bury Supporters Collective Ltd.