Data Protection – Clubs

The General Data Protection Regulation (GDPR) came into force on 25th May 2018. The GDPR applies to all clubs as separate organisations, regardless of their size. Please note that the following guidance does not constitute legal advice, and if you are concerned about any of these matters you should seek advice from the ICO or other specialists.

General information:
• All information you collect relating to your members is “personal data”. Keep it secure and only use it for the purpose for which it was collected. Do not pass it on to anyone unless that was explicitly part of the reason for collecting it – e.g. grading purposes for which the data was collected.
• Information relating to guests is also “personal data” and covered by the same requirements as that of members.
• If you keep paper records they should be secure – if on club premises they should be locked, with a note taken of who are key-holders.
• If you keep your records on a computer, they should only be accessible by appropriate people – the computer and/or the folders in which they are contained should be locked and/or encrypted.
• Only appropriately authorised people should have access to members’ records. Passwords should be changed whenever these roles are filled by new people.
• Emails should not be sent to groups of people in a way that makes their email addresses visible. To avoid this, either use a mailshot program or blind copy (bcc) all the recipients.
• For committees where you would like them to be able to reply to all recipients to continue a discussion, it is acceptable to copy them all in the usual fashion provided they give their consent. Similarly, personal contact details should only be displayed on websites if specific consent has been obtained. It may be sensible for this information, if it must be available, to be in a password-protected area of the website, only available to members.
• Clubs should not issue lists of members' contact details (telephone number and email address) to all their members without the specific consent of the members concerned. Any clubs that currently publish such a list should contact all members on it to ask whether they wish to remain on the list. They should be asked to “opt in” to this - it is not permissible for the default to be to include them unless they opt out.
• Do not keep data in more places than necessary – not only does this weaken your security, it also increases the possibility that the data will get out of sync and will not be consistent in different places. It is however sensible to have a backup of your data providing that you have a system to ensure it is backed up regularly and kept in a secure place.

Specific information relating to the GDPR
• The legal basis on which you collect most of your data is likely to be that it is in the club’s “legitimate interest” to do so. In order to rely on there being a “legitimate interest”, this should be supported by a “legitimate interest assessment” – for further details, refer to the ICO – see ICO - Legitimate Interests.
• You must inform everyone from whom you collect data:
     o The legal basis for doing so;
     o What data you collect;
     o How it is stored;
     o To whom you pass it on and for what purpose;
     o For how long you keep the data;
     o What they can do to limit how you use their data.
• This will usually be achieved via a Privacy Notice, which may be on your club’s website, but a printed copy should also be available in the club and be sent to those who request it. Your members should be directed to this Privacy Notice on every occasion when you collect data, so it should be referred to on your membership application forms.
• You need to take all reasonable measures to ensure that your members are aware of this, so you do need to contact them one way or another. While email is convenient, you should also contact those members for whom you do not have valid email addresses, if necessary by post.
• Clubs act as Data Controllers with regard to their own data. They also act as Data Processors on behalf of Chess Scotland, to whom they send members’ data and results for grading.