Data policy
1. Who Are We?
1.1. Bury St Edmunds Hockey Club (The Club) are a private club/association whose purpose is to facilitate and manage the provision of field hockey pitches, teams, coaches and league membership to their members. The Club includes both playing and non-playing, adult and junior members from the age of 8 upwards. The Club’s home ground is registered as Bury St Edmunds Hockey Club c/o Culford Sports and Tennis Centre, Culford School, Bury St Edmunds, Suffolk IP28 6TX.
2. Definitions:
2.1. What is GDPR?
2.1.1. GDPR is the abbreviation for the General Data Protection Regulation. It is Directive 95/46/EC and relates to the collection, storage, processing and movement of personal data.
2.2. What is Personal Data?
2.2.1. Personal Data is any information relating to an identifiable person who can be directly or indirectly identified.
2.3. What is Processing?
2.3.1. Processing can be one or more of the following activities: collection, recording, organising, structuring, storage, adaption, retrieval, consultation/use, disclosure by transmission, dissemination or otherwise by making available, alignment or combination, restriction, erasure or destruction.
2.4. What is a Data Breach?
2.4.1. A data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data i.e. when the data has been lost, destroyed, corrupted, disclosed or if the data has been rendered unavailable by being accidentally lost or destroyed or encrypted by ransomware.
3. Data Controller
3.1. The data is under the control of The Club. The Chairman is the data controller and Data Protection Officer (DPO). He can be reached for the purposes of privacy and data security at cmbsehc@gmail.com or contacted at the address above.
4. Purpose of processing data
4.1. The Club may hold your personal data for the purposes of facilitating and managing your membership and affiliation to teams within the club. It also can be used to communicate with you via the Pitchero phone apps, request your availability for games, confirm your availability for games, record your attendance at games and training and post reports and images for the games. We may also collect video imagery of you while attending the Walled Garden pitch during training, game and social events. This includes an unrecorded stream from the fixed CCTV camera system overlooking the playing area which coaches/officials may seek consent to record for training and development. That live stream may also be viewed periodically for security purposes.
4.2. Data collected about you can be broadly categorised as follows:
4.2.1. Key Data - includes your Name, Gender, Age Group, Address, Post Code, Date of Birth, Home and Mobile Phone Number, Email Address, Vehicle Registration Number.
4.2.2. Player Management Data - Shirt Number, Coaching/Umpiring Qualifications, date of DBS, Occupation, Employers, School and Emergency Contact Details, together with your E-mail Address. We also record here any roles inside the Club that you may have, i.e. Player, Parent, Coach, Staff/Official etc.
4.2.3. Affiliation Management Data – Record of your membership type, i.e. Pay as you Play or All Inclusive, and a record of the payments that we have received through the payment methods. The Club does not keep records of your payment methods.
4.2.4. Video data - While playing/training on the Walled Garden pitch, the CCTV camera may be used to collect images of you for player development and/or security purposes.
4.3. Data collected and associated with your personal data includes information relating to:
4.3.1. A relationship to the teams you are affiliated to within the Club.
4.3.2. A relationship to the games you have played in during the season.
4.3.3. The results and league tables of those games and your personal goal tally.
4.3.4. Records of your membership and journals relating to payments made to the Club by you.
4.3.5. Photos of teams, games and members – For recording training, game and social events
4.3.6. Videos of teams, games and team members – For recording training, game and social events
5. Legal basis for processing
5.1. The legal basis for processing this data is one of contract, where to be a member of The Club, we must process your personal data. We will however have a consent policy for Videos when used for Training, Game Play and Social Events. Consent documents are available on the site for Adult, Guests and for Parents of Children Under 16.
6. Recipients of your personal data
6.1. The Club use Pitchero to manage your data and they run their system exclusively in Amazon Web Services (AWS) data centre. AWS security compliance and certification is available here; https://aws.amazon.com/security/
6.2. Because Pitchero manage the platform and website, they also have a set of terms relating to the way that they use your personal Data. Their Privacy Policy can be viewed here; https://www.pitchero.com/privacy-policy
6.3. When creating news articles on the Pitchero site, The Club shares these feeds to Facebook and Twitter. If you are in a news piece, then your name will be shared with these platforms. Information about their security measures to protect your data may be found on the following links:
Facebook - https://www.facebook.com/about/privacy/update?ref=old_policy
Twitter - https://twitter.com/en/privacy#update
It may not be possible to remove data already shared on these platforms, but we may remove names from news pieces to prevent their transmission in the future. In the event of a problem, please contact cmbsehc@gmail.com
6.3 When creating Payments on the Pitchero site, your personal data and payment details are not accessible by the Club. These are processed and held by the card processor – currently GoCardless. Their GDPR policies can be found here; https://support.gocardless.com/hc/en-gb/articles/360000281005-GoCardless-and-GDPR
The Club will see the transaction being made to their account but nothing more.
6.4. We may release information relating to your account and any video footage to relevant authorities if it is deemed that the request meets the GDPR’s Vital Interest clause i.e. where a crime may have been committed.
6.5. Personal Data is not routinely shared with the East Hockey League other than the names, phone numbers and email addresses of Club Officials. However, in the event of a disciplinary or administrative investigation, East League may require reports from the Club with which to assess appropriate actions. These reports may contain personal data. Their GDPR statement can be found here; http://east-hockey.com/east/siteinfo.htm
6.6. Personal Data of regular Club members is not routinely shared with England Hockey other than the names, addresses, post codes, email addresses and telephone numbers of Club Officials when entering teams into the Cup Competitions. Their Privacy statement can be found here; www.englandhockey.co.uk
7. Players of 16 Years and Under
7.1. Currently the Club asks that every player under 16 is registered to a Parental account. The process is ongoing as some parents have registered their children using an e-mail belonging to the parent. The Club will be reviewing this process and attempting to clean and update these records in the coming months.
8. Storage and Transfer of data
8.1. Your personal data is held on servers hosted by AWS (see above).
8.2. Access to the Pitchero administration site is managed by the Club’s Web Master. Access is provided to selected Club Officials and is password protected.
8.3. Personal Data may be downloaded from the site by Club Officials for processing. Where possible data is anonymised.
8.4. Personal data held by Club officials outside the Pitchero system shall be encrypted or password protected depending on the sensitivity of the data.
8.5. Data is stored according to our data retention policies but broadly;
8.5.1. Key Data – For the duration of your membership. Thereafter, Name, Gender, Email and Address are archived for our alumni records. All other data is deleted by the Webmaster. If your login is not used for 3 years, then the Pitchero retention clause becomes operational and a request is sent to you asking if you still wish your record to be retained.
8.5.2. Player Management Data – For the duration of your membership. Thereafter removed.
8.5.3. Affiliation Management Data – For the duration of your membership to a maximum of 5 years. Thereafter removed.
8.5.4. Video Data – coaches using apps to retain coaching/development may retain data for an appropriate time but no longer than 3 years.
9. How we use and profile your data
9.1. The Club’s Management and Coaches profile your data into playing teams and abilities. The Club may also profile your data to ensure you are notified of forthcoming games and events. The Club will profile your personal data for managing your Club subscriptions and match fees. The Club may also profile your data to identify future Club Officials.
9.2. Where practical the Club will anonymise the data to reduce the exposure of personal data to profiling.
10. Your Rights
10.1. The General Data Protection Regulations (GDPR) provide individuals with rights over the data that we hold where you can be identified by that data. More information can be viewed at the Information Commissioner’s Office (ICO) at www.ico.org.uk. Broadly these rights relate to the data that the Club hold as follows:
10.1.1. You have the right to be informed about the data that is collected about you
10.1.2. You have a right to access this information – information about you is generally visible on your personal Pitchero account, however you may make a subject access request to the Club’s DPO if you have an issue.
10.1.3. You have the right to rectification - You have full access to your data and are free to amend at any time.
10.1.4. You have the right to erasure – you have the right to be forgotten from the system and the Club’s records. You can do this by contacting the Club’s DPO.
10.1.5. You may also have the right to restrict processing where this is appropriate. You have a number of controls on your account to turn on/off certain functions but if you have a specific issue, contact the Club’s DPO.
10.1.6. You may also request a portable data file of your data by contacting the Club’s DPO.
10.1.7. The Club and its Officials work hard to keep our Membership happy and their personal data safe. If your membership experience does not meet your expectations, please let any Committee member know so we may investigate and respond. You can raise issues relating to personal data by mailing cmbsehc@gmail.com or writing to us at the postal address in the header.
10.1.8. If you are still unhappy with our response, then you may contact the ICO using the above website and quote our Data Protection Registration Number (ZA313651).
11. Data Breach
11.1. If we become aware of a data breach, the Club or Pitchero will advise you as soon as possible and within 72 hours of becoming aware.