
GDPR

Data Protection Policy and Procedures

Policy
True Aim Activities is fully committed to compliance with data protection law and to maintaining the confidentiality of personal information.
Data Protection Law regulates how Personal Data (including Special Category Data) must be processed to protect privacy and provides individuals with rights in relation to their Personal Data. This policy has been reviewed in light of the new Data Protection Act 2018 and the implementation of the EU General Data Protection Regulations 2016 (‘GDPR’) together referred to as the “DPA”.

True Aim Activities needs to collect and use certain types of information about its Customers. This personal information must be dealt with appropriately however it is collected, recorded and used; this principle applies whether on paper, on a computer or recorded by other means. There are safeguards to ensure this in the DPA.

 

True Aim Activities regards the lawful and correct handling of personal information as essential and therefore has put in place measures which are designed to ensure that personal information is treated with sensitivity at all times. To this end True Aim Archery fully adheres to the principles of the DPA.

These specify that personal data must be:

•    Processed fairly and lawfully;
•    Obtained for specified and lawful purposes;
•    Adequate, relevant and not excessive;
•    Accurate and kept up-to-date;
•    Not kept any longer than necessary;
•    Processed in accordance with the data subject’s (the individual’s) rights;
•    Kept secure; and
•    Not transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.

Lawful Basis for Processing

In addition, whenever True Aim Activities processes personal data there must be a valid lawful basis for that processing. There are 6 potentially applicable lawful bases for general processing of Personal Data and 10 lawful bases for processing Special Category Data. If Special Category Data is being processed, both a lawful basis for general processing and an additional condition for processing this type of data must be identified.
The Appendix sets out the lawful bases for processing.

True Aim Activities will, through appropriate management and strict application of criteria and controls:
•    Fully observe the conditions regarding the fair collection and use of the information;
•    Meet its legal obligations to specify the purpose for which the information is used;
•    Collect and process only that information which is required in order to fulfill operational needs or to comply with legal requirements;
•    Ensure the quality of all information used;
•    Apply strict checks to determine the length of time information is held;
•    Ensure the rights of people about whom information is held can be fully exercised under the DPA, including the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is regarded as wrong information;
•    Ensure that appropriate technical and organizational security measures are in place to safeguard such personal information;
•    Ensure that no transfer of information is made abroad without suitable safeguards being in place;
•    Treat people impartially and fairly irrespective of their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information; and
•    Have in place clear procedures for responding to requests for information.

 

In addition to the above, True Aim Activities will ensure that:

•    There is a member of staff with specific responsibility for Data Protection;
•    All staff responsible for managing and handling personal information understand that they are responsible, as indicated in their Contract of Employment, to follow good data protection practice;
•    All staff managing and handling personal information are appropriately trained to do so;
•    All staff managing and handling personal information are appropriately supervised;
•    Procedures are in place so that anybody wanting to make enquiries about handling personal information knows what to do;
•    All staff deal with queries concerning personal information promptly and courteously;
•    Methods of dealing with personal information are clearly described;
•    The way personal information is held, managed and used is monitored and reviewed;
•    The methods of handling personal information are regularly assessed and evaluated;
•    All staff are aware that any breach of the rules and procedures relating to Data Protection may lead to disciplinary action; and
•    This policy document forms part of the induction process for new staff members.

In relation to the “EU Cookie Directive”, True Aim Activities will ensure that:
•    Users give consent to the download of Cookies on to their computing devices.

True Aim Archery will review this policy at least annually, and ensure it is brought to the attention of all staff, to ensure best practice in data management, security and control and to ensure compliance with changes or amendments made under the DPA.

 
Procedures

This section outlines the procedures that True Aim Archery will put in place to meet the legal requirements of the DPA.
1 Fair Obtaining/Processing
True Aim Archery will, as far as practicable, ensure that all individuals whose details we hold are aware of the way in which that information will be held, used and disclosed and the lawful basis for retaining the data. Individuals will, where possible, be informed of the likely recipients of the information, whether the recipients are internal or external to True Aim Archery.
Processing within True Aim Archery will be fair and lawful; individuals will not be misled as to the uses to which True Aim Archery will put the information given. If a person feels they have been deceived or misled as to the reason for which their information was collected, they should use the complaints procedure at the end of the document.
True Aim Archery will publish a privacy notice, which details how individuals’ data is collected, held and processed.

Collection forms requiring personal information will contain a “fair obtaining” statement giving details of the likely uses of the information and, where information is collected in person or by telephone, the employee asking for the details will tell the individual how those details will be used. People are free to ask the person collecting the information why they want the details and what they will be used for.

If a person’s details are going to be used for “auto-decision” processing (where a computer decides something based on a score or other information) the person will be told about how the system works and whether the decision can be challenged.

Should a person’s details need to be processed for a purpose that does not appear on True Aim Activities’ register entry and/or a purpose that the individual has not previously been made aware of or could not reasonably be expected to realise, the individual will be advised in order to make the processing fair and lawful.
 

Any person whose details are to be included on the True Aim Archery web site will be asked to provide consent. At the time the information is included, all such individuals will be properly informed about the consequences of their data being available worldwide.

 

2 Data Uses and Processes
True Aim Archery will not use or process personal information in any way that contravenes its notified purposes or in any way that would constitute a breach of Data Protection law. Any new purposes introduced will, where appropriate, be notified to the individual and, if required by law, their consent will be sought.

All staff and/or authorised agents using personal data within or on behalf of True Aim Activities will be told the limits of their authority to use and disclose such information.

The overall accountability for Data Protection is assigned to the Proprietor of True Aim Archery who will ensure that:
•    All purposes and disclosures are coordinated and consistent.
•    All new purposes are documented and notified to the Information Commissioner.
•    All problems can be investigated thoroughly.
 

Where a new process or system is being planned, the GDPR Working Group will be informed. There may then be a requirement for a Data Protection Impact Assessment (DPIA) to be carried out, and the planned processes reviewed.

 

3 Data Quality and Integrity
True Aim Archery will not collect data from individuals where that information is excessive or irrelevant in relation to the notified purpose(s). Details collected will be adequate for the purpose and no more. Information collected, which becomes (over time or by virtue of changed purposes) irrelevant or excessive, will be deleted.

Information will only be held for as long as is necessary for the notified purpose(s), after which the details will be deleted. Where details of individuals are stored for long-term archive or historical reasons and where it is necessary to retain the personal detail within the records, it will always be done within the requirements of the legislation. In many cases personal details will be removed from the record so that individuals cannot be identified.

True Aim Activities will ensure, as far as it is practicable, that the information held is accurate and up-to-date, and it is the intention to check wherever possible the details given.  Where possible access will be given to the individuals so that they can manage their own data, and update it where appropriate, through membership gateways.

Information received from third parties (i.e. neither the individual concerned nor True Aim Archery) will carry a marker indicating the source. Where a person informs the company of a change of their own circumstances, such as home address or non-contentious data, their record(s) will be updated as soon as possible. Where the individual requests that information be changed, or asks that processing of it be stopped, and it is not possible to update it immediately, or where the new information needs to be checked for its accuracy or validity, a marker will be placed on the disputed record indicating the nature of the problem. True Aim Archery and the individual will attempt to reach an amicable agreement on the complaint, but where this is not possible the True Aim Archery Complaints procedure will be implemented.

 

4 Technical and Organisational Security

True Aim Activities has implemented appropriate security measures as required by GDPR. In particular, unauthorised staff and other individuals are prevented from gaining access to personal information.
A full review of True Aim Archery’s data handling procedures and processes has been carried out; all new processes are designed to be inherently protective and where relevant will have gone through a formal Data Protection Impact Assessment (DPIA).

Appropriate physical security is in place, with visitors being received and supervised at all times within True Aim Activities buildings where information about individuals is stored. The general public visiting True Aim Activities buildings should not feel that the measures are restrictive or oppressive; the measures are there to protect True Aim Archery’s data.

It is also important to stress the need to ensure that data in transit, whether in electronic or paper form, is kept secure.

Computer systems are installed with user-profile type password controls and, where necessary, audit and access trails to establish that each user is fully authorised. In addition, employees are fully informed about overall security procedures and the importance of their role within those procedures. Manual filing systems are held in secure locations and are accessed on a need-to-know basis only.

Security arrangements are reviewed regularly; all reported breaches or potential weaknesses are investigated and, where necessary, further or alternate measures will be introduced to secure the data. Such reports are received by True Aim Activities who will liaise with the relevant internal team to resolve the breach or potential weakness.
All staff are informed and frequently reminded about the limits of their authority on disclosing information, both inside and outside True Aim Activities. Details will only be disclosed on a needs basis within True Aim Activities. Where details need to be passed outside True Aim Activities it will in general be done with the person’s consent except where this is not possible or where it is required by law, allowed under Data Protection Act exemptions (such as crime prevention/detection, to prevent injury, etc) or where it is in the person’s vital interests. Any unauthorised disclosure will be dealt with under True Aim Activities disciplinary procedures.

Redundant personal data will be destroyed using True Aim Activities’ “procedure for disposal of confidential waste”. In general, paper waste is shredded and magnetic media (disks, tapes, etc) are either electronically “wiped” or physically destroyed beyond recovery.

 

5 Subject Access/Subject Information Requests

Any person whose details are held/processed by True Aim Activities has a general right to receive a copy of their own information. There are few exceptions to this rule, such as data held for child protection or crime detection/prevention purposes, but most individuals will be able to have a copy of the data held on them.

Completion of a Subject Access Request is required to obtain the information.

The request must also be made in writing. Any codes used in the record will be fully explained; any inaccurate, out of date, irrelevant or excessive data will be dealt with under the procedures outlined previously in this policy.

True Aim Activities will attempt to reply to subject access requests as quickly as possible and in all cases within one month as set out in the DPA.

Repeat requests will be fulfilled unless the period between is deemed unreasonable, such as a second request received so soon after the first that it would be impossible for the details to have changed.

A subject access/information request should be submitted on the appropriate form; this will ensure that True Aim Activities has the required information to be able to conduct a data search and to fulfill the request. In some cases, further information may be required from the requester, which may delay the start of the one-month maximum time limit.


Legal bases for general processing of Personal Data
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the data controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (This does not apply to processing carried out by public authorities, such as Universities, in the performance of their public tasks).

10 legal bases for processing Special Category Personal Data:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
(b) processing is necessary for the purposes of carrying out the obligations and rights of the data controller or of the data subject in the field of employment and social security (subject to the Data Protection Act 2018);
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to safeguards;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


Data Protection Officer
We have appointed a data protection officer to oversee compliance with this privacy notice.
If you have any questions about this privacy notice or how we handle your personal information, please contact:
Contact Details: Theresagoodwin@trueaimarchery.co.uk
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

Organisation Name: True Aim Activities
Changes to this privacy notice. We reserve the right to update this privacy notice at any time and without notice.
Date issued: 11/02/2020
