1.1 Athlone RSC is owned by Westmeath County Council but is privately run.
1.2 The principal function of Athlone RSC is to provide a wide range of fitness services to Athlone and the surrounding areas.
1.3 In operating the centre, Athlone RSC is required to collect and process significant amounts of “personal data” and “sensitive personal data” within the meaning of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
1.4 The GDPR provides that “personal data” and “sensitive personal data” must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- kept in a form in which a person can be identified for no longer than necessary
- securely maintained using appropriate technical and organisational measures.
Athlone RSC has to be able to demonstrate compliance with these principles.
1.5 The term “data” in this policy document means both personal data and sensitive personal data. It includes all data held by Athlone RSC, including electronic and paper records and all CCTV images.
1.6 This policy sets out how the Athlone RSC will handle and process data, deal with a request for data by a data subject and manage a breach of data. It also references the controls in place in respect of the use of CCTV systems and requests for data images.
2.1 Athlone RSC must comply with the data protection principles set out in the relevant legislation. This policy applies to all personal data collected, processed and stored by Athlone RSC in relation to its staff, service providers and clients in the course of its activities. Athlone RSC makes no distinction between the rights of data subjects who are employees, and those who are not. All are treated equally under this policy.
In the course of its daily organisational activities, Athlone RSC obtains, processes and stores personal data in relation to:
- employees of Athlone RSC
- next of kin of employees of Athlone RSC
- customers of Athlone RSC
3.3 Athlone RSC is responsible for securing the personal data it obtains, transmits, stores or processes. Athlone RSC processes the personal data provided to it only for the purpose of complying with its obligations.
3.4 The following list highlights the types of data that are processed by Athlone RSC and are covered by the Data Protection legislation (this list is indicative only and is not intended to be exhaustive):
- Personal data including:
o Name, date of birth, private address, employer, business address, qualifications, work experience, contact details, marital/family status, employer information, bank details.
- Sensitive personal data including:
o Details of any convictions, medical information.
4.1 The following key principles are enshrined in the General Data Protection Regulation and Irish legislation and are fundamental to the Athlone RSC Data Protection policy.
Athlone RSC ensures that all data shall:
1. ... be processed lawfully, fairly and in a transparent manner.
For data to be processed lawfully, fairly and in a transparent manner, Athlone RSC will only collect data where it has a legal obligation to do so and the data is necessary for the performance of a task carried out in the Centre.
At the time the data is being collected, the data subject will be made aware of:
- the purpose(s) for which the data is being collected
- any other information that is necessary so that the processing may be fair.
Athlone RSC will meet this obligation in the following way:
- Athlone RSC will ensure that collection of the data is justified under one of the lawful processing conditions (legal obligation, contractual necessity, etc.);
- where Athlone RSC intends to record activity on CCTV or video, a fair processing notice will be posted in full view;
- processing of the personal data will be carried out only as part of Athlone RSC's lawful activities, and Athlone RSC will safeguard the rights and freedoms of the Data Subject.
2. ... be collected for specified, explicit and legitimate purposes.
Athlone RSC will obtain data for purposes which are specific, lawful and clearly stated. A data subject will have the right to question the purpose(s) for which Athlone RSC holds their data, and Athlone RSC will be able to clearly state that purpose or purposes.
3. ... be adequate, relevant and limited to what is necessary.
Athlone RSC will only collect necessary personal data to be processed for the purposes for which the data was acquired.
4. ... be accurate and, where necessary, kept up to date.
Athlone RSC will ensure that data is accurate and kept up to date and where necessary rectified if any error has been identified. Data will also be erased if it has been identified as no longer accurate for the purposes for which the data was acquired.
Athlone RSC will:
- ensure that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
- conduct periodic reviews and audits to ensure that relevant data is kept accurate and up to date. Westmeath County Council conducts a review of
Staff and member contact details and details of next-of-kin are reviewed and updated every two years.
5. ... be kept in a form which permits identification of data subjects for no longer than is necessary.
Athlone RSC has identified an appropriate data retention period; this applies to data in both manual and automated formats.
Once the respective retention period has elapsed, Athlone RSC undertakes to destroy, erase or otherwise put this data beyond use.
6. ... be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.
Athlone RSC will employ high standards of security in order to protect the personal data under its care. Appropriate security measures will be taken to protect against unauthorised access to, or alteration, destruction or disclosure of any personal data. Access to and management of staff and customer records is limited to those staff members who have appropriate authorisation.
Athlone RSC will also ensure that it is:
1. ... responsible for, and able to demonstrate compliance with, the above.
Athlone RSC will demonstrate compliance with the Data Protection Principles by:
- assessing current practice and developing a data privacy governance structure
- appointing a Data Protection Officer
- creating a personal data inventory
- implementing appropriate privacy notices
- obtaining appropriate consents
- using appropriate organisational and technical measures to ensure compliance with the data protection principles
- creating a breach reporting mechanism.
6.1 Any formal, written request by a data subject for a copy of their personal data (a Subject Access Request) will be made to the Data Protection Officer and will be processed as soon as possible. The Data Protection Officer will ensure that the request is responded to and processed as quickly and efficiently as possible, and in any event within 20 working days of receipt of the request.
7.1 Athlone RSC has appointed a DPO as required under the GDPR. The tasks of the DPO are set out in Article 39 of the GDPR and include, but are not limited to, the following:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other European Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other European Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
7.2 The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
8.1 Athlone RSC will manage breaches of data protection in accordance with the GDPR and the Data Protection Act 2018. A data protection breach occurs where there is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Such breaches may occur in the event of the loss of USB keys, disks, laptops, digital cameras, mobile phones or other electronic devices on which data is held, as well as paper records containing data. A breach may also occur due to inappropriate access to such data on Athlone RSC systems or the sending of data to the wrong individuals.
8.2 The Data Protection Commissioner's Office will be contacted without undue delay, and not later than 72 hours after becoming aware of the breach. Notification will not be made if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
8.3 All affected individuals will be notified without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, appropriate technical and organisational measures were in place at the time of the incident, or a public information campaign or “similar measures” are deemed more proportionate and effective.
8.4 An investigation will commence immediately. The findings and recommendations of the investigation will be communicated to the Data Protection Commissioner's Office and to affected individuals. All recommendations will be implemented as soon as possible.
9.1 As a data controller, Athlone RSC ensures that any entity which processes personal data on its behalf (a data processor) does so in a manner compliant with the Data Protection legislation.
9.2 Failure of a data processor to manage Athlone RSC’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts.
9.3 Failure of Athlone RSC’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.
11 For the avoidance of doubt, and for consistency in terminology, the following definitions apply within this Policy.
Data: This includes both automated and manual data.
Automated data means data held on computers, or stored with the intention that it is processed on computer.
Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.
Personal Data: Information which relates to a living individual who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller. (If in doubt, Athlone RSC refers to the definition issued by the Article 29 Working Party, as updated from time to time.)
Sensitive Personal Data: A particular category of Personal Data, relating to: racial or ethnic origin, political opinions, religious, ideological or philosophical beliefs, trade union membership, information relating to mental or physical health, information in relation to one's sexual orientation, information in relation to the commission of a crime, and information relating to conviction for a criminal offence.
Data Controller: A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed.
Data Subject: A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.
Data Processor: A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller processing such Data in the course of his/her employment.
Data Protection Officer: A person appointed by Athlone RSC to ensure compliance with the GDPR. The tasks include advising their colleagues and monitoring their organisation's GDPR/privacy law/policy compliance, including via training and awareness raising, running audits, advising regarding PIAs and cooperating with supervisory authorities.
Relevant Filing System: Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.