Bradford City Community Foundation Data Protection Policy
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
In order to operate effectively and fulfil its legal obligations, we need to collect, maintain and use certain personal information about current, past and prospective employees, customers, suppliers, participants in our educational programmes, participants in our NCS programmes and other individuals with whom it has dealings. All such personal information, whether held on computer, paper or other media, will be obtained, handled, processed, transported and stored lawfully and correctly, in accordance with the safeguards contained in the Data Protection Act 1998 [DPA].
Employees are required to accept and adhere to policy and procedures and failure to do so may result in the disciplinary procedure being invoked.
We are committed to the 8 principles of data protection as detailed in the Data Protection Act. These principles require that personal information must:
- be fairly and lawfully processed and not processed unless specific conditions are met
- be obtained for one or more specified, lawful purposes and not processed in any manner incompatible with those purposes
- be adequate, relevant and not excessive for those purposes
- be accurate and, where necessary, kept up to date
- not be kept for longer than is necessary
- be processed in accordance with the data subject’s rights under the DPA
- be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage
- not be transferred to countries outside the European Economic Area [EEA] unless the country or territory ensures adequate protection for the rights and freedoms of the data subjects
In order to comply with the data protection principles, we will:
- observe fully all conditions regarding the fair collection and use of personal information
- meet its legal obligations to specify the purpose for which information is used
- collect and process appropriate personal information only to the extent that it is needed to fulfil operational needs or to comply with legal obligations
- ensure the quality of the personal information used
- apply strict checks to determine the length of time personal information is held
- ensure that individuals about whom information is held are able to exercise their rights under the DPA, including the right to be informed that processing is taking place, the right of access to their own personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase incorrect information
- take appropriate technical and organisational security measures to safeguard personal information
- ensure that personal information is not transferred outside the EEA without suitable safeguards
Overall responsibility for ensuring that the company complies with its data protection obligations rests with the Board of Directors. It is the responsibility of all employees to ensure that personal information provided to the company, for example current address, is accurate and up to date. To this end employees are required to inform the company immediately when changes occur.
Employees whose role involves the collection, maintenance and processing of personal information about other employees customers, suppliers or any other individuals with whom the company has dealings are responsible for following the company’s rules on good data protection practice as notified from time to time by their Manager/supervisor.
Information about employees
Bradford City FC Community Foundation holds personal information about its employees including but not limited to name, address, next of kin, salary, dependant details. This information is used for HR, payroll and administrative purposes.
Bradford City FC Community Foundation holds personal information about participants in our soccer camps, schools coaching (including Premier League Primary Stars) educational programmes and on our NCS Programmes. this is essential information (including but not limited to) date of birth, address, national insurance number, next of kin, medical conditions.
We also hold some sensitive personal information about employees and participants including but not limited to racial or ethnic origins; physical or mental health or condition; capability and conduct. This information is used for the monitoring purposes for equal opportunities, health and safety and company absence, conduct and capability procedures.
Access to personal information
Anyone who is the subject of personal information held by the company has the right to make a subject access request. Employees who wish to exercise this right should write to your manager.
If, as the result of a subject access request, any personal information is found to be incorrect it will be amended. The company will deal promptly with subject access requests and will normally respond within 40 days. If there is a reason for delay, the person making the request will be informed accordingly.
Employees who consider that there has been a breach of this policy in relation to personal information about them held by the company should raise the matter via the company’s formal Grievance Procedure.
8.1 I.T & Communications Policy
Bradford City FC Community Foundation provides employees with access to various IT and communication computer for work purposes. In order to ensure compliance with all applicable laws in relation to data protection, information security and compliance monitoring; to protect the company and its employees from the risk of financial loss, loss of reputation or libel; and to ensure that the facilities are not used so as to cause harm or damage to any person or organisation this policy aims to:
- prevent inappropriate use of computer equipment (such as extended personal use or for accessing and circulating pornographic, racist, sexist or defamatory material)
- protect confidential, personal or commercially sensitive data
- prevent the introduction of viruses
- prevent the use of unlicensed software
- ensure that company property is properly looked after
- monitor the use of computer facilities to ensure compliance with internal policies and rules and to detect abuse
Employees are required to accept and adhere to policy and procedures and failure to do so may result in the disciplinary procedure being invoked.
8.2 Application of Policy
This Policy applies to the use of all IT and Communications facilities including but not limited to:
- local, network, national and international, private or public networks (including the Internet and Intranet) and all systems and services accessed through those networks
- desktop, portable and mobile computers and applications (including personal digital assistants (PDAs)
- land line telephones and mobile telephones (including the use of WAP services)
- electronic mail and messaging services
8.3 I.T Facilities
Subject to anything to the contrary in this Policy all I.T facilities must be used for business purposes only.
In order to maintain the confidentiality of information held on or transferred via IT facilities, security measures are in place and must be followed at all times. A log-on ID and password is required for access your computer. Despite your use of a password, the company reserves the right to override your password and obtain access to any part of the Facilities.
You are responsible for keeping your password secure. You must not give it to anyone, including colleagues, except as expressly authorised by the company.
You are expressly prohibited from using IT facilities for the production, sending, forwarding, receiving, printing or otherwise disseminating information which is the confidential information of the company or its clients other than in the normal and proper course of carrying out your duties for the company.
In order to ensure proper use of computers, you must adhere to the following practices:-
- anti-virus software must be kept running at all times
- obvious passwords such as birthdays and spouse names etc must be avoided. The most secure passwords are random combinations of letters and numbers
- when you are sending data or software to an external party by floppy disk always ensure that the disk has been checked for viruses before sending it
- all files must be stored on the network drive which is backed up regularly to avoid loss of information; and
- always log off before leaving your computer for long periods of time or overnight.
Software piracy could expose both the company and the user to allegations of intellectual property infringement. The company are committed to following the terms of all software licences to which the company is a contracting party. This means, in particular, that:
- software must not be installed onto any of the company’s computers unless this has been approved in advance. You will be responsible for establishing that the appropriate licence has been obtained, that the software is virus free and compatible with the computer facilities
- software should not be removed from any computer nor should it be copied or loaded on to any computer without prior consent.
8.5 E-mail Facilities [Internal or External Use]
Internet e-mail is not a secure medium of communication; it can be intercepted and read. Do not use it to say anything you would not wish to be made public. If you are sending confidential information by e-mail this should be sent using password protected attachments.
E-mail should be treated as any other documentation. If you would normally retain a certain document in hard copy, then you should retain the e-mail.
Do not forward e-mail messages unless the original sender is aware that the message may be forwarded. If you would not have forwarded a copy of a paper memo with the same information do not forward the e-mail.
Your e-mail inbox should be checked on a regular basis.
If you are away from the office and use e-mail as an external means of communication you must ensure that the auto reply service is used to inform the sender that you are unavailable.
As with many other records, e-mail may be subject to discovery in litigation. Like all communications, you should not say anything that might appear inappropriate or that might be misinterpreted by a reader.
Personal Use of e-mail facilities
Personal use is permitted during breaks providing that:-
- such e-mails do not contain information or data that could be considered to be obscene, racist, sexist, otherwise offensive and provided that such use is not part of a pyramid or chain letter
- such e-mails are not used for the purpose of trading or carrying out any business activity other than company business
- If you are using e-mail for private purposes then you must ensure that it contains the message “This e-mail does not reflect the views or opinions of [company name]”
8.7 Internet Facilities
Use of the Internet, or Internet services, by unauthorised users is strictly prohibited. You are responsible for ensuring that you are the only person using your authorised Internet account and services.
Downloading any files from the Internet using the computer Facilities is not permitted. If there is a file or document on the Internet that you wish to acquire, make arrangements for it to be evaluated and checked for viruses.
Producing, sending, forwarding, viewing, displaying, storing (including data held in RAM or cache) or disseminating materials (including text and images) that could be considered to be obscene, racist, sexist, or otherwise offensive may constitute harassment and such use of the Facilities is strictly prohibited. The legal focus in a harassment case is the impact of the allegedly harassing material on the person viewing it, not how the material is viewed by the person sending or displaying it.
Posting information on the Internet, whether on a newsgroup, via a chat room or via e-mail is no different from publishing information in the newspaper. If a posting is alleged to be defamatory, libellous, or harassing, the employee making the posting and the company could face legal claims for monetary damages.
Using the Internet for the purpose of trading or carrying out any business activity other than company business is strictly prohibited.
Subject to the above you are allowed to use the Internet for personal use during breaks. Use of the Internet for personal use at any other time is strictly prohibited.
For the avoidance of doubt the matters set out above include use of WAP facilities.
8.8 Telephone Facilities
Personal use of landline or mobile phones is allowed but should be kept to a minimum. If the company considers that your personal use is excessive, you will be expected to pay for the charges incurred and this will be dealt with by way of a deduction from your salary. In extreme cases or persistent excessive use, the disciplinary procedure may also be invoked.
8.9 I.T and Communications Monitoring Policy
The company recognises the importance of an individual’s privacy but needs to balance this against the requirement to protect others and preserve the integrity and functionality of the Facilities.
The company may from time to time monitor the facilities, the principle reasons for this being to:
- detect any harassment or inappropriate behaviour by employees, ensuring compliance with contracts of employment and relevant policies including the Equality, Diversity & Dignity at Work and health and safety policy
- ensure compliance of this policy
- detect and enforce the integrity of the Facilities and any sensitive or confidential information belonging to or under the control of the company
- ensure compliance by users of the Facilities with all applicable laws (including Data Protection), regulations and guidelines published and in force from time to time; and
- monitor and protect the well-being of employees
The company may adopt at any time a number of methods to monitor use of the Facilities which may include:
- recording and logging of internal, network and external telephone calls made or received by employees using its telephone network (including where possible mobile telephones). Such recording may include details of length, date and content
- recording and logging the activities by individual users of the Facilities. This may include opening e-mails and their attachments, monitoring Internet usage including time spent on the Internet and web sites visited
- physical inspections of individual users computers, software and telephone messaging services
- periodic monitoring of the Facilities through third party software including real time inspections
- physical inspection of an individual’s post
- archiving of any information obtained from the above including e-mails, telephone call logs and Internet downloads.
If at any time an employee wishes to use the Facilities for private purposes without the possibility of such use being monitored they should contact their Manager who will consider such request and any restrictions upon which such consent is to be given. In the event that such request is granted, the company [unless required by law] will not monitor the applicable private use.
The company will not (unless required by law):
- allow third parties to monitor the Facilities; or
- disclose information obtained by such monitoring of the Facilities to third parties.
- The company may be prohibited by law from notifying employees using the Facilities of a disclosure to third parties.
8.10 General Guidance
Never leave any equipment or data (including laptops, computer equipment, mobile phones and PDA’s) unattended on public transport or in an unattended vehicle.
When using e-mail or sending any form of written correspondence:
- be careful what you write. Never forget that e-mail and written correspondence are not the same as conversation. They are a written record and can be duplicated at will
- use normal capitalisation and punctuation. Typing a message all in capital letters is the equivalent of shouting at the reader
- check your grammar and spelling; and do not forget that e-mails and other forms of correspondence should maintain the high standards expected by the company. Where applicable you should use formal headings and introductions