DATA PRIVACY POLICY
Version 2.0
February 2023
Petersfield Triathlon Club’s Commitment to Privacy
Version Control:
Version 1.0 (June 2018): Initial issue.
Version 1.1 (August 2018): Minor changes to reflect implementation of ICE information and use of Dropbox.
Version 1.2 (August 2020): To add information relating to Covid-19.
Version 2.0 ( February 2023): Amends to fit to My Clubhouse platform
Introduction
Petersfield Triathlon Club (PTC) was started in 2011 with the intention of creating a friendly, social club that caters for all levels of athlete - beginner, improver or elite. We encourage athletes with a variety of abilities from novices to age-group competitors.
Petersfield Triathlon Club is committed to protecting your privacy and processing your personal data in accordance with:
the Data Protection Act (DPA) 1998 up to 24 May 2018 and
the General Data Protection Regulation (GDPR) on and from 25 May 2018 (Data Protection Legislation).
This policy explains how the information we collect about you is used and kept securely. It also explains your right to access your information under Data Protection Legislation.
For the purposes of data protection legislation, PTC is both the data controller and data processor:
The data controller determines the purposes and means of processing personal data.
The data processor is responsible for processing personal data on behalf of a controller.
The Information We Collect About You
We may collect the following information about you through the membership application form on our website:
Your name, date of birth, email address, postal address, telephone number (home and mobile) and any other information you voluntarily provide to us via our website and online forms.
The names and telephone numbers of two emergency contacts nominated by you.
Relevant long-term health/injury information which may affect your ability to train. These data are reviewed by the Club Chairman, and only relevant information will be passed to the club coaches. The remaining health/injury data are deleted by the Club Chairman, before the membership data is passed to the Membership Secretary.
Your IP address (which is a unique identifier that computers and devices use to identify and communicate with each other) which is automatically recognised by the web server.
The PTC website is hosted for PTC by Simmetrics Ltd Simmetrics Ltd, 13 Southway, Carshalton
SM5 4HP. The privacy policy has been submitted to Simmetrics to confirm its compliance
Note that we require you to confirm that your emergency contacts are content for their data to be stored by us for the purposes of ensuring your safety. This will be done annually at renewal
How We Use Your Information
We may use your personal information for a number of purposes, including:
To deal with your requests and enquiries.
To contact you for reasons related to your enquiry.
To notify you about events, competitions and other items of legitimate interest (this is generally done via the club’s website managed mailing list, Facebook page ).
To use your IP address to monitor traffic and gather browsing behaviours of visitors to our websites. We will not use your IP address to identify you in any way.
To create meaningful, actionable analysis that will help us to understand the nature of the club and to apply for grants. Data for these purposes will be anonymised.
To provide information to the government’s Track and Trace system relating to Covid-19 infections.
We will use your emergency contacts’ information solely for the purposes of contacting them in case of accident or emergency occurring to you while you are training with PTC.
We will not use personal information for the purposes of marketing by third parties.
The primary methods of communication used by the club to contact members are email and Facebook. The website mail feature, Google Groups is used to communicate via email with the club membership and as such individuals’ email addresses are only visible to the Group administrator. The club’s Facebook page is ‘open’ (i.e. not restricted to club members). PTC will never post personal information on the club’s FB page.
Our Legal Bases for Processing Your Information
Membership applications are handled via our website which is run and maintained by Simmetrics Ltd. Your data is then passed via email to the Club Chairman who processes it and passes relevant data onto the Membership Secretary (and, in the case of relevant health/injury data, to club coaches). This process is described in full in the Annex.
We will process your data on the basis of the legitimate interests which include:
Providing you with relevant and necessary information (via email, text or post) to you about club activities and events/items of interest.
Maintaining records of any health issues which are relevant to your training with the club.
Use of your emergency contacts details to ensure your health and safety.
As part of the administration of your involvement in the club we may share your data with third party data managers who support PTC in managing the club; this includes the running of the club website.
We will share only what is needed for those purposes and, where possible, will anonymise the data before sharing. If we would like to share your information for any other purpose we will ask for your consent.
We will not share your data with third parties for marketing purposes.
PTC may also share your personal information with the police and other law enforcement agencies for the purposes of crime prevention or detection. This is done strictly on a case by case basis and advice will be sought from the Information Commissioner’s Office and the British Triathlon Federation to ensure we comply with Data Protection Legislation. If we disclose your information, we will ask the organisation to demonstrate that the data will assist in the prevention or detection of crime, or that PTC is legally obliged to disclose it.
Petersfield Triathlon
PTC organises the Petersfield Triathlon. The administration of this event is run separately from the club by an event organiser (currently Stuweb Race Timing) and they are therefore responsible for ensuring that GDPR requirements for processing entrants’ information are met. PTC will ensure that any events organiser used to support our activities is GDPR compliant.
PTC holds contact details (names and email addresses) for previous competitors in the Petersfield Triathlon. These are used solely to inform past competitors of future Petersfield Triathlons. Email addresses are held in Mailchimp which is password protected and has duo authentication. The use of Mailchimp ensures that email addresses are only accessible to the club administrator. Past competitors can request at any time to be removed from the mailing list.
PTC also holds contact details for volunteers who have previously supported the running of the triathlon by acting as marshals. These are used solely to seek support for future Petersfield Triathlons and the mailing method used ensures that email addresses are only accessible to the club administrator. Past volunteers can request at any time to be removed from the mailing list.
Protecting Your Information
The club holds membership data which you provide on joining the club on a database; this is only accessible by the Club Chairman, Membership Secretary, Treasurer and Data Protection Officer.
The data that we collect from you may be transferred to a destination external to PTC’s website server; this process is described in the Annex. By submitting your personal data, you agree to this transfer, storing or processing. We will take all reasonable steps to ensure that your data are treated securely and in accordance with this privacy policy. The Internet is not generally a secure medium for communication and therefore we cannot guarantee the security of any information you send to us over the Internet. We require that all computers used by club officials to access the membership database have suitable firewall and anti-virus protection.
We protect the security of your data on our membership database using password protection; this prevents accidental access by non-authorised people (e.g. when a club official is accessing the data from their home computer) and accidental editing of the data. The membership data is held on the club’s Website which ensures that the data are regularly backed up.
In case of emergencies club members are expected to be wearing their ‘In Case of Emergency’ (ICE) wristbands and to hold their ICE contacts on their phones (in such a way that they can be accessed even when the phone is locked). As a backup, contact numbers for the club officials who have access to the membership list (Club Chairman, Data Protection Officer, Membership Secretary and Treasurer) are held on the swim session register and are also given to all coaches and swim/bike/run session leaders via activity entry forms. This minimises the number of club officials who have access to your data.
Access Control
The membership database is held on the club’s website. The club’s Data Protection Officer controls access to the Membership area in our website administration portal which is the only place where your personal details are stored. Access to the membership data is restricted to the Club Chairman, Membership Secretary, Treasurer and Data Protection Officer. Those with access to the membership database are required to have industry-standard computer firewall and virus protection.
Finding Out What Information PTC Holds About You
Under the Data Protection Legislation, you can ask to see any personal information that we hold about you. Such requests are called subject access requests. If you would like to make a subject access request, please contact PTC’s Data Protection Officer via the club website under the ‘Contact Us’ tab, marking your email for the attention of the Data Protection Officer.
In order to access your personal information, you will also need to provide two forms of identification, for example, driving licence, utility bill or passport.
We will aim to respond to such requests within one calendar month.
Data Retention
We will retain your personal data for such time as you are a member of PTC. Should you decided to leave the club, or fail to renew your subscription, all your personal details (including your emergency contact details) will be deleted within the following 12 months. This includes removing your email address from the Google Groups list.
The attendance records for each club training session will be held for 21 days before being destroyed.
Data Breaches
Any data breaches (e.g. misdirection of personal data to an unauthorised person, loss of data files or cyber-attack) must be reported to the club’s Data Protection Officer. These will then be handled in accordance with GDPR by the club’s Data Protection Officer, Club Chairman and Membership Secretary.
Contacting PTC About This Data Privacy Policy
If you have any questions or comments about this Data Privacy Policy contact PTC’s Data Protection Officer via the club website as detailed above.
Annex: Petersfield Triathlon Club Data Flow Processes for Club Membership and Appointment of Officials
The flow below describe how the club processes club membership data. These show:
how we process the data and keep it secure;
how we keep it up to date, regularly and accurately;
that it is limited to just the data we need to run the club;
and that we only use it for those purposes.
Membership Joining Process
Potential member fills in on-line membership form via club website and acknowledges (via a tick box) that they have read and agree with the club’s Data Privacy Statement (accessible via a link from the form).
Membership application form is sent automatically to the Club Chairman and Membership Secretary for application approval.
Application approval reviews long-term health/injury information to assess whether there is an impact on ability to train. If so, only relevant information to the club coaches. All health/injury data is then deleted unless member allows it to be retained
Application is approved and payment is requested. Data is filed as an applicant for 14 days for payment. If no payment is forthcoming, the application is deleted.
Membership Secretary sends welcome email to new member,
Membership Leaving Process
If a member leaves, or does not renew subscription, the Membership Secretary removes the member data from the membership portal. This will be done within 12 months of failing to renew subscription.
Membership Joining Process
NEW MEMBER
Membership form comes in via club website
Club Chairman / Membership
Membership form data fields:
Name
DOB
Email address
Postal address
Mobile number
Home phone number
Emergency contact names & phone numbers
Relevant medical/injury info
Permission for PTC to store personal data (inc. emergency contacts)
Tick box on form indicates new member’s agreement with Data Privacy Statement (link provided).
Extracts relevant member medical/injury info (only that which coaches need to know)
Email to Coaches:
Any information relevant to member’s training
Administrator checks payment
Sends welcome email to new member.
Authorised access:
Club Chairman
Membership Secretary
Treasurer
Data Protection Officer
Access Controller:
DPO
All those with access to personal data must have effective firewalls and virus protection.
Membership Leaving Process
Member Leaving
No renewal ( 30 days grace)
Requests to leave
Membership Secretary
Removes member details from website data set
Notifies leaving member
Club Official Appointment Process
When a new Club Chairman is appointed, the Data Protection Officer authorises their access to the Membership Area of the website as administrator (and removes access from retiring Chairman).
When a new Membership Secretary or Treasurer is appointed the Club Chairman notifies the Data Protection Officer who authorises their access to the Membership Area of the website (and removes access from retiring officials).
When a new Data Protection Officer is appointed the Club Chairman authorises their role in controlling data access on the website. The retiring DPO formally hands over responsibility to the new DPO. The new DPO removes access to the Membership Area of the website from the retiring DPO.
When a new Club Coach is appointed, the Data Protection Officer authorises their access to the Coaches’ website area.
Club Official Leaving Process
When a new Club Chairman, Membership Secretary or Treasurer is appointed the Data Protection Officer removes the authorisation from the previous incumbent.
When a new Data Protection Officer is appointed and has been authorised by the Club Chairman, the new DPO removes the authorisation from the previous incumbent.
When a Club Coach leaves the club the Data Protection Officer removes their authorisation from the Coaches’ Members area.
All emails sent by the system contain a tracking pixel. This is used to track whether each email has been opened by the recipient, and when. This information can be viewed by those users of the system with permission to view email delivery reports. We do not display any information regarding the location of the recipient. Note that the tracking pixel is only activated if the recipient chooses to download images into their email client.
We, Petersfield Triathlon Club, make use of the myClubhouse software supplied by Simmetrics Ltd to process personal data we include on our myClubhouse website in accordance with our privacy policy set out above. Simmetrics Ltd processes your personal data on our behalf and they can only do so in accordance with our written instructions. You can find the details of our data processor’s privacy policy here: http://www.myclubhouse.co.uk/Home/PrivacyPolicy.
