ORFC GDPR Policy

Oakdale rugby football club

PERSONAL DATA & INFORMATION RETENTION POLICY

 

1.              INTRODUCTION

1.1           During the course of business Oakdale Rugby Football Club will collect information from individuals. Oakdale Rugby Football Club has obligations as a controller under data protection law to comply with the data protection principles, in particular those of data minimisation, accuracy, storage limitation and integrity and confidentiality in respect of the personal information that we process.

1.2           In certain circumstances, it will be necessary for Oakdale Rugby Football Club to retain specific information in order to fulfil statutory or regulatory requirements and to meet organisational needs. Retention of personal information may also be useful to evidence agreements in the case of disputes, which is in the interests of both the individual and Oakdale Rugby Football Club

1.3           It is important therefore, that Oakdale Rugby Football Club has in place a retention policy to determine the appropriate retention period for different categories of personal information and to set out the mechanism for the disposal of personal information that is no longer required.

2.              AIMS AND OBJECTIVES

2.1           The aim of this policy is to set out the length of time that Oakdale Rugby Football Club will retain the categories of personal information processed (i.e. the retention period) and the appropriate process for disposing of personal data at the end of that retention period.

2.2           Oakdale Rugby Football Club will assign relevant retention periods to the categories of personal data processed, enabling personal information to be disposed of when it is no longer needed, in an appropriate and consistent manner across the organisation.

2.3           Implementation of this policy will reduce the amount of personal information which may be held unnecessarily and will promote data minimisation.

3.              SCOPE

3.1           This policy covers the all personal data held by Oakdale Rugby Football Club (irrespective of the media on which they are created or held e.g. hard copy or electronic files) [and its external service providers where they are processing personal data on Oakdale Rugby Football Club’s behalf].

4.              RETENTION & DISPOSAL POLICY

4.1           Decisions relating to the retention and disposal of personal information should be taken in accordance with this policy. In particular:

(a)            Appendix 1 – Disposal & Retention Checklist – to be followed (1) when determining retention periods for personal information not included in the Retention Schedule and (2) where the disposal of any personal information is being considered (including the relevant categories of personal information set out in the Retention Schedule)

(b)            Appendix 2 - Retention Schedule – A table containing the recommended retention period for each relevant category of personal information.

5.              DISPOSAL

5.1           In circumstances where the retention period of a document containing personal information has expired, a review should be carried out prior to a decision being made to dispose of it, in accordance with the Disposal & Retention Checklist. There may be circumstances where the personal information may need to be kept for a longer period that is designated under the Retention Schedule, for example, if the information needs to be retained due to ongoing legal proceedings. If the decision to dispose of the personal information is taken, consideration should be given to the method of disposal to be used.

5.2           Disposal of records and documentation containing personal information (whether hard copy or electronic) should be carried out in a way that preserves the confidentiality of the personal information.

Hard copy records

5.3           Hard copy records containing personal information will be placed in confidential waste bins/or shredded for collection by an approved disposal firm

Electronic records

5.4           Electronic records containing personal information require disposal (including any back-up or other copies) should be deleted (i.e. wiped).

5.5           Oakdale Rugby Football Club recognises that deleting electronic information may not always be straightforward, for example if for technical reasons it is not possible to delete the relevant personal information in isolation, without also deleting other information. In such circumstances, the personal information should be put beyond use, so that the content cannot be recoverable in any way.

5.6           Personal data that has been put beyond use in this way:

(a)            Should not be used to inform any decision in respect of any individual or in a manner that affects the individual in any way;

(b)            Should not be given to any other organisation, nor should any other organisation be provided access to the personal information;

(c)            Should be protected by appropriate technical and security measures;

(d)            Should be permanently deleted when this becomes possible.

(e)            Does not need to be provided to individuals in response to a subject access request (provided all four safeguards above are in place).

 

5.7           Records of disposal should be maintained, and should detail:

(a)            The document disposed of;

(b)            The date of disposal;

(c)            The reason for disposal (e.g. in compliance with the Retention Schedule);

(d)            The method of disposal; and

(e)            The individual who authorised the documents disposal.

 

6.              ROLES AND RESPONSIBILITES

6.1           The Treasurers of the senior section and junior section of Oakdale Rugby Football Club shall be responsible for ensuring compliance with this Policy and for determining in accordance with this Policy whether to retain or dispose of specific personal information within the remit of their department.

 

 

APPENDIX 1

Disposal & Retention Checklist

When determining how long specific categories of personal information should be retained, Oakdale Rugby Football Club must, in accordance with the data protection principles assess:

·       The nature of the personal information held and Oakdale Rugby Football Club’s reasons for processing it and whether these remain valid;

·       The cost, risks and potential liabilities associated with retaining the data;

·       The ease or difficulty of making sure that the personal information remains accurate and up to date.

The following questions and guidance should be considered prior to the disposal of any personal information.

1.

What is the personal information used for and is it still used for the reason it was collected?

Information that continues to be necessary for the reason it was initially collected can lawfully be retained as long as that reason still applies. If, however, that information is no longer necessary for the reason it was collected, and Oakdale Rugby Football Club has no other legal basis for retaining the personal information, it should be disposed of appropriately in accordance with this Policy.

Personal data should not be kept "just in case", or if there is only a small possibility that it will be used.

NB. Consider whether all the personal information is necessary, or whether only some of the personal information needs to be retained.

 

2.

Are there legal or regulatory requirements that mandate the retention or deletion of the data?

Oakdale Rugby Football Club is permitted to retain personal data to comply with a legal requirement (for example, tax, auditing, or health and safety) or a requirement set out in professional guidelines to which we are subject.

 

3.

Are there any industry practices regarding the retention or deletion of the data in place?

Specific business-sector requirements and agreed practices to retain personal data may be in place (for example, credit reference agencies are generally permitted to keep consumer credit data for six years).

 

4.

Is retention required for evidence?

Oakdale Rugby Football Club may need to keep personal information in relation to any potential or ongoing legal proceedings until the threat of proceedings has passed, or ongoing legal proceedings have concluded.

The limitation period for commencing litigation should also be a key consideration. The main time limits that may apply to Oakdale Rugby Football Club are:

Contract or tort claims (such as negligence) other than personal injury – 6 years from the date on which the cause of action occurred;

Personal injury claims – 3 years from the date on which the cause of action occurred;

Claims relating to employment such as unfair dismissal or discrimination – 3 months from the date dismissal or the alleged unlawful act.

 

5.

Does the personal information need to be retained for historical, statistical or research purposes?  

Processing for these purposes can continue for as long as is needed, provided appropriate technical and organisational measures are put in place in relation to this information, particularly to ensure that only the minimum amount of information necessary is retained.

 

 

 

 

 

 

 

 

 

 

 

APPENDIX 2

RETENTION SCHEDULE

1.              The Retention Schedule sets out the period Oakdale Rugby Football Club recommends for each category of personal information processed by us. The retention period sets out in the Retention Schedule applies to all personal information in that category by default, and should be adhered to wherever possible.

2.              Oakdale Rugby Football Club recognises that there may be exceptional circumstances which require personal information to be kept for a longer period than is designated under the Retention Schedule. If particular personal information requires a different retention period than that recommended under the Retention Schedule then the Club Treasurer should be contacted to discuss and, if appropriate approve any specific retention requirements.

3.              In the event that a category of personal information is not covered by the provisions of the Retention Schedule then the Disposal & Retention Checklist should be used to determine whether the personal information needs to be retained, and the appropriate period of retention.

4.              In any instance where specific retention periods are agreed (either because they depart from those contained in the Retention Schedule or relate to a category of personal information not contained in the Retention Schedule) that retention period should be:

(a)            Documented; and in the case of a departure from the Retention Schedule

(b)            The reasons for the departure noted; and

(c)            Any affected data subjects should be notified.

5.              The retention periods set out in the retention schedule apply to all formats of documents, i.e. paper and electronic, unless specifically stated otherwise.

6.              In circumstances where the retention period of a document containing personal information has expired, a review should be carried out prior to a decision being made to dispose of it, in accordance with the Disposal & Retention Checklist.

7.              The Club Treasurer will be responsible for ensuring that the Retention Schedule is kept up to date, to reflect changing organisational needs, new legislation and changing perceptions of risk management.

 

DEPARTMENT

CATEGORY OF PERSONAL DATA/INFORMATION

MEDIA

RETENTION PERIOD

FACTORS INFORMING RETENTION PERIOD

 

 

HUMAN RESOURCES

Records of recruitment exercises including;

·       Applicants CVs and accompanying documentation;

·       Correspondence*; and

·       Interview notes

Paper and electronic

Review 6 months from end of the recruitment exercise

Statutory limitation period for contractual/employment tribunal claim

Employee files

Including:

Contracts of employment

Payroll records

disciplinary record,

grievances,

absence record,

leave record,

personal injuries at work,

references,

work permits

termination agreements

workplace correspondence*

etc.

Paper and electronic

7 years after employment has ended

Statutory limitation period, for contractual/employment tribunal claim;

Regulatory or legal requirements

 

Basic employee record: start date, end date, reason for leaving, job roles.

 

 

20 years after employment has ended.

Provision of references, statistical historical purposes.

Pension administration documentation

 

Indefinitely

In accordance with pension scheme requirements.

 

Occupational Health records including:

Health questionnaire

Adjustments to workplace

Restrictions

Recommendations

 

 

7 years after employment has ended

Statutory limitation period, for contractual/employment tribunal claim;

Regulatory or legal requirements

 

ADMINISTRATIVE DOCUMENTATION

Internal meeting minutes

Correspondence*

Funding applications

 

 

 

 

3 years after last action

 

 MEMBER INFORMATION

Application forms and other membership documentation

Paper and electronic

3 years after joining/renewal

Statutory limitation period, for contractual claim;

 

Direct marketing contact information

Paper and electronic

Indefinitely or until the member opts-out

 

Complaints

Paper and electronic

6 years after last action

 

EMAILS

All email correspondence

Electronic

2 Years

 

AUDIO/VISUAL

CCTV

Electronic

31 Days

 

 

*Any email correspondence will be retained in accordance with the specific retention period for emails specified in the Retention Schedule.

|