Policy Statement
Evo Devo’s Data Protection Policy ensures that information it holds about individuals is processed in a fair and proper way, and that information is processed lawfully and in accordance with the Principles of Data Protection Legislation, specifically the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 (DPA).
The types of information that we may be required to handle include details of current, past and prospective employees, members, athletes, customers, volunteers, suppliers, sponsors and others that we communicate with. The information, which may be held on paper or electronically, is subject to certain legal safeguards specified in the Legislation.
Implementation / Status
Evo Devo will ensure compliance with the Data Protection Principles through the dissemination of this policy. This policy may be amended at any time and will be reviewed every two years.
Primary responsibility for ensuring that this policy is implemented and adhered to lies with the Company Secretary, supported by the Chief Executive and the Board of Directors. The Data Protection Officer (DPO) is responsible for the day-to-day management of this policy and can be contacted via contact@evodevocycling.org.uk. Any questions regarding this policy should be referred to the DPO.
In particular, the disclosure or processing of personal data relating to any living person without the authorisation of the data controller (in this case, Evo Devo) is not permitted and may be a criminal offence unless such disclosures fall within the DPA or ‘whistle blowing’ legislation. Unauthorised processing includes accessing personal information of individuals where there is no business need (for example, looking up the records of high profile members or athletes out of curiosity) and sharing information without authorisation (such as selling information to third parties).
Definitions
Data is information which is stored electronically, on a computer or other electronic media, or in certain paper-based filing systems.
Personal Data means data relating to living individuals who can be identified, directly or indirectly, from the data (alone or in combination with other information we hold or are likely to obtain) and includes any expression of opinion about the individual and any indication of anyone's intentions in respect of the individual.
Special Category Data (or sensitive personal data as it was known under previous data protection law) is any personal data consisting of information as to:
race;
ethnic origin;
politics;
religion or philosophical beliefs;
trade union membership;
genetics;
biometrics (where used to uniquely identify an individual);
health;
sex life; or
sexual orientation
Data relating to criminal convictions is not considered special category data under the GDPR but is given special protection under the DPA and therefore should also be considered ‘sensitive’.
Special category data can only be processed where a lawful basis applies and one of the additional, stricter conditions for special category data is met; in many cases this will mean obtaining the explicit consent of the person concerned.
Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purposes of this policy the data controller is Evo Devo; its employees and volunteers process personal data on Evo Devo's behalf and are bound by this policy when doing so.
Data Processor is an organisation who processes personal data on behalf of the data controller and strictly under the instructions of the data controller. An example would be the third party we use to run payroll on our behalf.
Data Subject is the person who is the subject of the personal data and includes, but is not limited to members, employees, contractors and consultants, volunteers and athletes. All data subjects have legal rights in relation to their personal data.
Processing means obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data. This includes the organisation, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, blocking, erasure or destruction of the information or data. This also includes transferring data to third parties.
Data Protection Principles
The GDPR sets out seven key Principles which Evo Devo must follow when processing personal data:
Lawfulness, fairness and transparency
We will ensure that our processing of personal data is lawful and fair and will actively communicate privacy information to the individuals concerned via our privacy notices.
Staff should ensure that these privacy notices are provided to individuals at the point of data collection (or as soon as possible afterwards if this is not practical, for example where personal data is collected over the phone). Forms used to collect personal data should reference the appropriate privacy notice as a minimum.
If we are relying on consent to hold and use information then this should be clear, unambiguous and freely given. That means that we have to make it clear what the individual is consenting to and it must be a free choice. Individuals can withdraw their consent at any time and this must be respected. Records of consent must be kept for compliance purposes.
Purpose limitation
Personal information may only be processed for the purpose(s) set out in the privacy notice. If you need to use personal data for any other purpose, then we will need to reissue the privacy notice with the appropriate information and where necessary gain consent for this additional processing. Please contact the DPO if you think you have a genuine business requirement to use personal data for a purpose outside of the relevant privacy notice.
Data minimisation
We must only collect the minimum amount of data necessary for the purpose that we are processing personal information. For example, when collecting information for event entry, we should only obtain the information we need for that person to enter the event.
Accuracy
We will ensure that personal information is kept accurate and up to date, and where we are informed that personal data is inaccurate we will rectify this without undue delay. This means that if someone informs you that their personal details have changed or that they think the information we hold on file for them is inaccurate, you should take steps to update/correct it as soon as possible.
Staff should periodically check that their own personal details held by HR are accurate and inform them of any changes. This can be done via the iTrent system.
Storage limitation
Personal data may only be kept for as long as it is needed to fulfil the purpose that it was collected for, after which it must be deleted or anonymised. Evo Devo's data retention schedule is based on our legal and statutory obligations as well as business need. Please see the Data Retention Policy for more information.
Integrity and confidentiality (security)
We will take all steps reasonably necessary including policies, procedures and security features to ensure that personal data is treated securely and protected from unauthorised and unlawful access and use.
Where an individual has been issued with, or has chosen, a password which enables them to access personal data, that individual is responsible for keeping the password confidential. Passwords must not be shared with anyone.
Please see the Information Security Policy for more information.
Accountability
We take our data protection responsibilities seriously and have registered as a data controller with the Information Commissioner’s Office (ICO) under reference Z1066209. We have implemented technical and organisational measures to ensure (and demonstrate) compliance with the GDPR.
The DPO is responsible for helping us to comply with our legal obligations set out in the GDPR and DPA. The DPO monitors our data protection compliance and provides advice and guidance as to how we can improve our data handling practices. At this time, the DPO is Emma Bertenshaw who can be contacted via emmabertenshaw@britishcycling.org.uk.
Legitimate Interest Assessments
In order for processing to meet the first principle (lawfulness, fairness and transparency), Evo Devo must identify an appropriate lawful basis for processing. One possible lawful basis is legitimate interests, which may cover our general business processes. However, in order to rely on legitimate interests we must conduct and document a formal Legitimate Interest Assessment (LIA) before the processing starts, showing that we have a genuine interest, that the processing is necessary for that interest, and that our interest is not overridden by the interests, rights or freedoms of the individual concerned. Please contact dataprotection@britishcycling.org.uk for the LIA template and guidance from the DPO.
Data Subject Rights
Data must be processed in line with data subjects’ rights. Under the GDPR, individuals have a right to:
- Be informed about how their personal data will be used – typically via a privacy notice (see Principle 1 – fairness, lawfulness and transparency above);
- Request access to any data held about them by a data controller;
- Prevent the processing of their data for direct marketing purposes (note – this is an absolute right);
- Ask to have inaccurate data amended without undue delay;
- Object to processing in certain circumstances and to withdraw their consent for processing where this is the lawful basis;
- Request that their personal data is deleted by the data controller in certain circumstances;
- Restrict processing of their personal data where the individual disputes the accuracy of the data or lawfulness of the processing;
- Request that their data is provided to another data controller in a machine-readable format (data portability) in certain circumstances;
- Prevent personal data being processed for the purpose of automated decision making, including profiling, in certain circumstances; and
- Complain to the Information Commissioner’s Office (ICO) about the data controller’s use of their personal data.
Evo Devo usually only has one calendar month from receipt to respond to a request, so it is imperative that all staff are aware of the rights above and of their obligation to immediately forward any request to dataprotection@britishcycling.org.uk. Requests can be made in writing (e.g. via email or letter) as well as verbally in person or over the telephone, or via social media; a request does not have to mention the GDPR or use any particular wording to be valid. For more information please see the Evo Devo Data Subject Request Policy.
Data Breaches
Under the GDPR, Evo Devo has only 72 hours from becoming aware of a personal data breach to report it to the ICO where the breach is likely to result in a risk to individuals, and where the risk is high the affected individuals must also be told without undue delay. If you are aware of an actual or potential data breach, you should immediately contact the DPO via dataprotection@britishcycling.org.uk so that she can investigate and establish whether the breach needs to be reported. Please see the Evo Devo Data Breach Management Policy for more detailed guidance.
Data Protection by Design
The GDPR introduces the requirement for organisations to address privacy considerations at the outset and to include data protection requirements in any new project or process involving personal data. It is therefore important that the DPO is involved in new processes where personal data is being used. Where the processing is likely to result in a high risk to individuals (for example, large-scale use of special category data or systematic monitoring), we must complete a Data Protection Impact Assessment (DPIA) before the project begins, to ensure that all privacy risks have been identified and mitigated and that the processing is lawful. The DPIA Policy includes further information and templates for staff.