PRIVACY NOTICE Cleethorpes and Grimsby Group

What information do we collect about you?
We collect information about you when you complete relevant forms for us, including the rider application form and the volunteer application form.

How will we use the information about you?
We will use the information about you to administer the RDA group and ride schedules. We may pass the information about you to Riding for the Disabled Association incorporating Carriage Driving, the national body. Limited, anonymised information may be passed to RDA for analysis in the Tracker. We will not disclose any information about you to any company other than as noted above, unless required to do so by law.

Marketing
We would like to send you newsletters and other information about how you can support the RDA group. If you have consented to receive marketing, you may opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes.

Access to your information and correction
You have the right to request a copy of the information that we hold about you. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

Retention of data
Once you are no longer involved with the RDA group, we will securely retain your data for 3 years for adults and 3 years after a child reaches the age of 18.

How to contact us
If you have any questions about our privacy policy or information we hold about you, please contact Carol Dougall, our group secretary, who is our nominated GDPR lead. The full policy can be found at (website link in here). Please can you respond to this email to either consent to receiving information from us or to opt out.
DATA PROTECTION POLICY Cleethorpes and Grimsby
Purpose and Background
The RDA Group holds information about riders, volunteers and other people involved with our activities. The Group has a responsibility to look after this information properly, and to comply with the Data Protection Act. The UK Act has been replaced by the EU General Data Protection Regulation (GDPR) from 25th May 2018. It is likely that the GDPR will continue to form the basis of our Data Protection legislation, even once the UK has left the EU, so it is fully taken into account in this policy. Good Data Protection practice is not just a matter of legal compliance and ticking the boxes. Data Protection is about taking care of people and respecting their privacy. Poor practice or a serious breach could not only harm individuals but would also have a serious effect on the reputation of our group and RDA as a whole. We have a nominated trustee who serves as our data protection lead. If you have any questions regarding our privacy policy please contact [email protected]

Scope
This policy applies to information relating to identifiable individuals which is held by RDA Cleethorpes and Grimsby Group. Cleethorpes and Grimsby RDA group is a data controller.

Our legal basis for using people’s data
Everything we do with records about individuals – obtaining the information, storing it, using it, sharing it, and even deleting it – will have an acceptable legal basis. There are six of these:
Consent from the individual (or someone authorised to consent on their behalf).
Where it is necessary in connection with a contract between our group and the individual.
Where it is necessary because of a legal obligation – if the law says you must, you must.
Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
Where it involves the exercise of a public function – i.e. most activities of most government, local government and other public bodies.
Where it is necessary in our legitimate interests, as long as these are not outweighed by the interests of the individual.
Where we are basing our processing on consent we will be able to ‘demonstrate’ that we hold consent. This means having a record of who gave consent, when they gave it, how they gave it (e.g. on the website, on a form, verbally) and what they actually consented to.

In the case of legitimate interests we will do a balancing test, and be confident that our legitimate interests in using the data in a particular way – for example in providing our services or raising funds to support them – are not over-ridden by the interests of the individual.

There are additional considerations where we are holding information about people’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and also genetic data or biometric data, health data or data concerning their sex life or sexual orientation. We will legitimise the use of any of these categories of data by having the individual’s explicit consent.

Data Protection Principles
Data Protection compliance is based largely on a set of Principles. The six GDPR Principles say that:
Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them.
When you obtain information you must be clear why you are obtaining it, and must then use it only for the original purpose(s).
You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary.
Your information must be accurate and, where necessary, up to date.
You must not hold information longer than necessary.
You must have appropriate security to prevent your information being lost, damaged, or getting into the wrong hands.
Our policy sections below reflect each of these principles in a bit more detail.

Transparency & purposes (first and second Principles)
We will make key information available to people at the time we collect information from them. This includes:
the identity and contact details of our group and the person who is responsible for Data Protection;
the purposes we intend to use the data for and our ‘legal basis’ for this (see above);
what we regard as our ‘legitimate interests’, if this is our basis for processing;
any specific recipients of the data (e.g. RDA UK) or categories of recipients.
Other information will be made available where relevant. This includes:
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
details of the individual’s rights, such as to request a copy of all the data held;
the right to withdraw consent if that is the legal basis for processing (but not retrospectively);
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
In both cases, we will only tell people things they won’t already know. When a rider joins our group they know that we will keep a record about them and their activities with us. When a volunteer comes along it’s the same. We will therefore tell them anything that may not be entirely obvious to them. This could include things like:
The fact that RDA nationally is a separate organisation and that limited data may be passed to RDA. We will reassure people that their data is anonymous when analysed on Tracker by RDA.
Any direct marketing that we may want to carry out (see below), or any additional purpose(s) that we might use the data for – publicity, perhaps. (‘Data’ can include photos, videos, CCTV, audio recordings, etc, not just written records.)
Direct marketing
One explicit right that people have is to stop us sending them marketing material (by post, phone, email or text) if they don’t want it. When we collect information from people that might be used for marketing we will say so at the time and ask them if they are happy to hear from us. The wording will be along the lines of: “We would like to keep you up to date with information about opportunities and events within RDA, and how you can support us. Please tick here to indicate which method(s) you are happy for us to use: Mail ☐, Phone ☐, Email ☐, Text ☐” These rules are only for marketing. They do not stop us from contacting people in whatever is the most convenient way to give them information about things they have already signed up to, or for other administrative purposes.

Data quality, record keeping and retention (third, fourth and fifth principles)
Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with. GDPR insists on this. We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and – where necessary – kept as up to date as possible. We will not keep it longer than necessary. We will remind our staff and volunteers that the individual concerned has the right to see all the information recorded about them by the group. While Data Protection concerns should never prevent us from recording the information we believe we need (especially in cases relating to safeguarding or other serious misbehaviour), being over-casual, rude or injudicious in an email could easily cause a major crisis for the group, and even the wider RDA. This can be a useful discipline in deciding what to record and how to record it. Our group will also have a clear policy on how long to keep information.
We will draw up a retention schedule, taking each type of record we hold and specifying how long we normally keep it, and our justification for this. We will set up a process for ensuring that data is deleted or destroyed routinely at the appropriate time.

Security (sixth principle)
We will take good care of the information we hold, whether on computer or on paper, and make sure that we have provided guidance and training to our staff and volunteers so that they treat the information appropriately. In particular we will think about the risks when data is ‘in transit’ – either on portable devices or when it is being sent out. For example:
If people are using their personal phone, laptop, camera or other device for our group’s purposes there will be clear expectations of how they should be secured.
When sending information, particularly by email, we will take steps to prevent confidential information being sent to the wrong person. For example, by using password-protected documents and sending the password in a separate email.
We will also take care not to disclose people’s email addresses or other information inappropriately by carelessly copying in a large number of people or forwarding an email that has been copied widely.
Information on paper will not be left lying around, and will only be taken out of a secure location when this is really necessary.
Where information is processed for us externally (for example by RDA) we will expect the external organisation to be able to give us satisfactory guarantees about the security measures they take.
Responsibilities
Responsibility for compliance with Data Protection lies with the organisation, not with any specific individual. The Trustees as a whole body will be responsible for keeping up to date with any developments, checking that we are complying and have the evidence to prove it, giving advice to staff and volunteers and handling any issues such as a data breach or a Subject Access Request. The Trustees may designate someone to be the lead person. See Appendix 1. We will notify RDA National Office in the event of a serious issue e.g. a data breach. It is a requirement of the Information Commissioner that any loss of data or data breach must be reported to the ICO within 72 hours. When we work in collaboration with other organisations we will sort out clearly (and in writing) who is responsible for what, in order that there are no Data Protection gaps. If we engage external suppliers to handle data for us in any way, our contract will set out their responsibilities to handle data in a way that will not cause us to be in breach.

How we use personal information
We collect and use personal information about our riders, coaches and volunteers for different purposes:
Application for riders
Application to become a volunteer
Recording accident information
Dealing with complaints
Undertaking safeguarding activities including DBS checks and casework
Entries for events and competitions
Application for riders
We will use the information that you provide to us to process your application to join the group. We will email and post to you information about events and other items of interest as part of you joining the group. You can opt out from this at any time. Our purpose in processing information in this way is to enable rides to be administered and the general running of the group achieved. Our legal basis for using your personal information is for the purpose of a contract. Special category information that you supply, such as medical conditions or disabilities, will only be shared with others under the provision of Article 9(2) to protect your vital interests in a situation where you were physically or legally incapable of giving consent.

Application to become a volunteer
We will use the information that you provide to us to process your application to join the group as a volunteer. As in the case of the riders' application, we will provide you with information about events and other items of interest unless you tell us not to. Our legal basis for using your personal information is for the purpose of a contract.

Recording accident information
When necessary we will process relevant personal information about riders, volunteers and coaches where accidents or incidents have occurred that are required to be recorded. In some cases the severity requires that a referral should be made to the Health and Safety Executive (HSE), the national RDA office, or relevant authorities such as the police or HM Coroner. Our legal basis for this processing is to meet our legal obligations.

Dealing with complaints
If a complaint is raised with us, we will process the personal information that is provided to us to manage and resolve the complaint. This may include sharing the relevant information with a coach, the national RDA office or other organisation depending upon the nature of the complaint. Our legal basis for using personal information for this purpose is to fulfil our legitimate interest and fulfil our objective of resolving complaints in a careful and appropriate manner.

Undertaking safeguarding activities including DBS checks and casework
We process relevant personal information about our volunteers and coaches for safeguarding purposes. This includes casework and undertaking DBS and other checks to identify any criminal and other activity we need to be aware of. It may be necessary to share some personal information with relevant authorities such as the police, or national RDA office. Our legal basis for processing information in these circumstances is to meet our legal obligations.

Entries for events and competitions
If you register for one of our RDA events or competitions, we will use your information provided to us to process your registration and enable you to attend the event. This will include sharing some of your information with the organisers that run the event. It may also include collecting and sharing medical information with them if you choose to provide that to us. Our legal basis for using your personal information in this way is for the performance of a contract.
Your rights
If you no longer wish to receive communications about the group please contact the secretary – Carol Dougall at [email protected]
You also have a right to –
Request a copy of the information we hold about you. Requests should be addressed to [email protected]. We will respond within 30 days of receiving your written request.
Tell us to change or correct your personal information if it is incomplete or inaccurate.
Ask us to restrict our processing of your personal data or to delete your personal data if there is no compelling reason for us to continue using or holding this information.
Receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, so that you can send it to another organisation.
Object, on grounds relating to your specific situation, to any of our processing activities where you feel this has a disproportionate impact on you.
Please note that we may be entitled to refuse requests where exceptions apply; for example if we have reason to believe that the personal data we hold is accurate or we can show that our processing is necessary for a lawful purpose set out in this Privacy Policy.
How long we keep your personal information
We will hold your personal information for only as long as is necessary. We will not retain your personal information if it is no longer required.
We will keep records of members of the group whilst they are current and active in order to administer the group's activities. However, once the individual is no longer a member of the group the personal information will only be retained for three years.
We will keep records of any events and training for three years in order to facilitate any insurance claim resulting from the activity.
Changes to this policy
This policy may change from time to time. Where practical we will provide you with an updated policy. However we would advise that you keep up to date by regularly visiting the Cleethorpes and Grimsby RDA group website –
Making a complaint to the Information Commissioner's Office
If you are not satisfied with our response to any query you raise with us, or you believe we are processing personal data in a way which is inconsistent with the law, you can complain to the ICO, whose helpline number is 0303 123 1113.
APPENDIX 1
Responsibility for compliance with Data Protection lies with the organisation, not with any specific individual. However, the Trustees may designate someone to lead on: keeping up to date with any developments; checking that we are complying and have the evidence to prove it; giving advice to staff and volunteers and handling any issues such as a data breach or a Subject Access Request.
The individual currently designated is: Carol Dougall