Data Procedures

Data Procedures, inc. Photographs & Videos

Aims

Oxford Rhythmic Gymnastics Club aims to ensure that all personal data collected about ORG staff, gymnasts, and parents, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill.

This policy applies to all personal data, regardless of whether it is in paper or electronic format.

Legislation and Guidance

This policy meets the requirements of the GDPR and the expected provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests.

It also reflects the ICO’s code of practice for the use of surveillance cameras and personal information.

Roles and Responsibilities

This policy applies to members of ORG

Governing Board

Head Coach /Director

Head Coach

The head coach acts as the representative of the data controller on a day-to-day basis.

The Data Controller

Oxford Rhythmic Gymnastics Club processes personal data relating to parents, gymnasts and staff, and therefore is a data controller.

Definitions

Personal data

Any information relating to an identified, or identifiable, individual.

This may include the individual’s:

Name (including initials)
DOB
Address, email
Parents/Guardians contact telephone, numbers
Emergency contact and telephone numbers
Medical factors Impacting potential on welfare and training
Other adults allowed to drop off or pick up children
It may also include factors specific to the individual’s medical Issues

Special categories of personal data

Personal data which is more sensitive and so needs more protection, including information about an individual’s:

· Health – physical or mental

Processing

Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.

Processing can be automated or manual.

Data subject

The identified or identifiable individual whose personal data is held or processed.

Data controller

A person or organisation that determines the purposes and the means of processing of personal data.

Data processor

A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Personal data shall be managed based on the seven GDPR principles

(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Data Security and Storage of Records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.

In particular:

Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use
Papers containing confidential personal data must not be left on office or around the gym, pinned to notice/display boards, or left anywhere else where there is general access
Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices
Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected

Disposal of Records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.

For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on the ORG’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.

Personal Data Breaches

The ORG will make all reasonable endeavours to ensure that there are no personal data breaches.

In the unlikely event of a suspected data breach, we will follow our procedures.

When appropriate, we will report the data breach to the ICO within 72 hours. Such breaches in the Club’s context may include, but are not limited to:

A non-anonymised dataset being published on the ORG website and social media
Safeguarding information being made available to an unauthorised person
Stolen Paper Records

Monitoring Arrangements

The Director is responsible for monitoring and reviewing this policy.

This policy will be reviewed and updated if necessary when the Data Protection Bill receives royal assent and becomes law (as the Data Protection Act 2018) – if any changes are made to the bill that affect our Club’s practice. Otherwise, or from then on, this policy will be reviewed every 2 years.

Subject Access Requests and Other Rights of Individuals

Subject Access Requests

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the ORG Club holds about them. This includes:

Confirmation that their personal data is being processed
Access to a copy of the data
The purposes of the data processing
The categories of personal data concerned
Who the data has been, or will be, shared with
How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period
The source of the data, if not the individual
Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual

Children and Subject Access Requests

Personal data about a child belongs to that child, and not the child’s parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.

Children below the age of 12 are generally not regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents or carers of pupils at our school may be granted without the express permission of the pupil. This is not a rule and a pupil’s ability to understand their rights will always be judged on a case-by-case basis.

Responding to Subject Access Requests

When responding to requests, we:

May ask the individual to provide 2 forms of identification
May contact the individual via phone to confirm the request was made
Will respond without delay and within 1 month of receipt of the request
Will provide the information free of charge
May tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month, and explain why the extension is necessary

We will not disclose information if it:

Might cause serious harm to the physical or mental health of the pupil or another individual
Would reveal that the child is at risk of abuse, where the disclosure of that information would not be in the child’s best interests
Is contained in adoption or parental order records
Is given to a court in proceedings concerning the child

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.

A request will be deemed to be unfounded or excessive if it is repetitive or asks for further copies of the same information.

When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.

Other Data Protection Rights of the Individual

In addition to the right to make a subject access request (see above), and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:

Withdraw their consent to processing at any time
Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances)
Challenge processing which has been justified on the basis of public interest
Request a copy of agreements under which their personal data is transferred outside of the European Economic Area
Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them)
Prevent processing that is likely to cause damage or distress
Be notified of a data breach in certain circumstances
Make a complaint to the ICO
Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)

Actions to Minimise the Impact of Data Breaches

We will take the actions set out below to mitigate the impact of different types of data breach, focusing especially on breaches involving particularly risky or sensitive information. We will review the effectiveness of these actions and amend them as necessary after any data breach.

Privacy Notice for Gymnasts

You have a legal right to be informed about how Oxford Rhythmic Gymnastics Club uses any personal information that we hold about you. To comply with this, we provide a ‘privacy notice’ to you where we are processing your personal data.

This privacy notice explains how we collect, store and use personal data about you.

We, Oxford Rhythmic Gymnastics Club are the ‘data controller’ for the purposes of data protection law.

Photographs and Videos

As part of Oxford Rhythmic Gymnastics activities, we may take photographs and record images of individuals within our Club. These are taken with the Childs or Parents electronic devices.

We will obtain written consent from parents/carers for photographs and videos to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used to both the parent/carer and pupil.

Uses may include:

Within Oxford Rhythmic Gymnastics notice boards, brochures, newsletters, etc.
Outside of Oxford Rhythmic Gymnastics by external agencies such as the newspapers, campaigns
Online on our Oxford Rhythmic Gymnastics website or social media site

Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.

When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.

Parents/carers, gymnasts and other visitors at events are informed not to take any photos or videos and share this content on social media.

ORG ensures that:

All gymnasts, especially children who are under a court order are not photographed, recorded or published without permission.
Seeks guidance from BG for simultaneous “live” streaming of images onto a website. BG recommends prerecording and, where appropriate, editing material to remove any inappropriate images before it is published.
Any instance of the use or publication of inappropriate images of gymnasts should be reported to BG who may then inform the appropriate authorities and/or consider any further action.
Images are in a secure storage. They should not be stored on unencrypted portable equipment such as laptops, memory sticks or mobile phones. Avoid using any personal equipment or personal social media platform (whether to publish or store).
In circumstances, where parental consent is withdrawn, ORG will adhere to existing Data Protection legislation and guidance provided by the Information Commissioners Office. There is a potential for abuse of any image placed on the Internet or within other forms of media. Although the exploitation of such images may be rare, we have a responsibility to provide guidance on how images of children and young people should be used to reduce the risk of potential ‘grooming’. Those creating or administering websites should carefully monitor their content to eliminate the use of inappropriate images or improper text. When determining whether it is appropriate to publish a photograph on a website or another form of media, consideration should be given to both the potential for inappropriate use of an image and the possibility that an individual could make contact with a child by using any personal and club details placed on line.
Not using any personal details if it is possible from the image to ascertain a specific location, or there are any details on your site about the training venue.
It is not possible to ascertain any training or competitive location
The dress of a child is considered when using the photo:
1. If it is a posed shot for example taken during a medal presentation, we will ensure that the child is fully clothed in a tracksuit or similar attire.
2. If it is an action shot, we will use profile imagery and avoid full-length shots. Alternatively, we will use digital software to blur the child’s facial features.

Not use images that can appear staged and potentially provocative.
Not use images that appear to focus unnecessarily directly on the groin area in movements where legs are in a split position.
Always use a parental consent form to request the use of a child’s image for publication. The parent would be encouraged to discuss the matter with their child before signing a consent form.

British Gymnastics should be informed of any inappropriate use of imagery on Gymnastics websites or any other form of media, which is not in keeping with this guidance. Anyone discovering a child’s image that appears to be being used illegally online should report the matter to Child Exploitation and Online Protection Centre (UK) (CEOP), who provide a single point of contact for reporting abuse of children online.

Last reviewed: April 2022