This policy is to ensure that British Taekwondo complies with the requirements of the Data Protection legislation, and associated guidance and Codes of Practice issued under the legislation.
The Policy applies to information in all forms including, but not limited to:
- Hard copy or documents printed or written on paper;
- Information or data stored electronically, including scanned images;
- Communications sent by post/courier or using electronic means such as email, fax or electronic file transfer;
- Information or data stored on or transferred to removable media such as tape, CD, DVD, USB storage device or memory card;
- Information stored on portable computing devices including mobile phones, tablets, cameras and laptops;
- Speech, voice recordings and verbal communications, including voicemail;
- Published web content, for example intranet and internet;
- Photographs and other digital images.
This policy is British Taekwondo’s main information governance policy and addresses:
- Data Protection (including rights and complaints)
- Information Asset Management
Information security and Records Management are addressed in separate policies and are supported by procedure documentation.
Personal data will be processed in accordance with the requirements of the UK GDPR and in compliance with the data protection principles specified in the legislation.
British Taekwondo has notified the Information Commissioner’s Office that it is a Data Controller and has appointed its Safeguarding, HR & Compliance Manager as the Data Protection Officer (DPO). Details of the DPO can be found here:
Manchester Regional Arena, Rowsley Street, Manchester, England, M11 3FF
The DPO is a statutory position and will operate in an advisory capacity. Duties will include:
- Acting as the point of contact for the Information Commissioner’s Office (ICO) and data subjects;
- Facilitating a periodic review of the corporate information asset register and information governance policies;
- Assisting with the reporting and investigation of information security breaches;
- Providing advice on all aspects of data protection as required, including information requests, information sharing and Data Protection Impact Assessments; and
- Reporting to Board Members on the above matters.
Information Asset Register
The DPO will advise British Taekwondo in developing and maintaining an Information Asset Register (IAR). The register will include the following information for each asset:
- An individual information asset identification number;
- The owner of that asset;
- Description and purpose of the asset;
- Whether there is a privacy notice published for that asset;
- Format and location of the asset;
- Which officers (job titles/teams) have routine access to the information;
- Whether there are any data sharing agreements relating to the information and the name of that agreement;
- Conditions of data processing;
- Details of any third parties contracted to process the information;
- Retention period for the asset.
The IAR will be reviewed annually and the Information Asset Owner will inform the DPO of any significant changes to their information assets as soon as possible.
Information Asset Owners
An Information Asset Owner (IAO) is the individual who is responsible for an information asset and who understands the value of that information and the potential risks associated with it. British Taekwondo will ensure that IAOs are appointed based on sufficient seniority and level of responsibility.
IAOs are responsible for the security and maintenance of their information assets. This includes ensuring that other members of staff are using the information safely and responsibly. The role also includes determining the retention period for the asset and, when the asset is destroyed, ensuring this is done securely.
British Taekwondo will ensure that appropriate guidance and training are given to the relevant staff and volunteers on access to information procedures, records management and data breach procedures. Individuals will also be made aware of, and given training in relation to, information security.
British Taekwondo will maintain a ‘training schedule’ which will record when employees have completed Data Protection training and when a refresher is due to be completed.
British Taekwondo will ensure that any third party contractors have adequately trained their staff in information governance by carrying out the appropriate due diligence.
British Taekwondo will provide a privacy notice to data subjects each time it obtains personal information from or about that data subject. Our main privacy notice will be displayed on the British Taekwondo website in an easily accessible area.
A privacy notice for employees will be provided at commencement of their employment with British Taekwondo.
Privacy notices will be cleared by the DPO prior to being published or issued. A record of privacy notices shall be kept on British Taekwondo’s Information Asset Register.
In order to efficiently fulfil our duty of international licenses it is sometimes necessary for British Taekwondo to share information with third parties. Routine and regular information sharing arrangements will be documented in our main privacy notice (as above). Any ad hoc sharing of information will be done in compliance with our legislative requirements.
This information sharing will at times involve restricted transfers to countries outside the EEA which have not received an adequacy decision (e.g. South Korea – World Taekwondo). In these cases British Taekwondo will ensure that explicit consent is gained from the Data Subject and, where possible, that any further safeguards are applied.
Data Protection Impact Assessments (DPIAs)
British Taekwondo will conduct a data protection impact assessment for all new projects involving high risk data processing as defined by the UK GDPR. This assessment will consider the privacy risks and implications of new projects as well as providing solutions to the identified risks.
The DPO will be consulted at the start of a project and will advise whether a DPIA is required. If it is agreed that a DPIA will be necessary, then the DPO will assist with the completion of the assessment, providing relevant advice.
Please refer to the Data Protection Impact Assessment Guidance for further information.
Third Party Data Processors
All third party contractors who process data on behalf of British Taekwondo must be able to provide assurances that they have adequate data protection controls in place to ensure that the data they process is afforded the appropriate safeguards. Where personal data is being processed, there will be a written contract in place with the necessary data protection clauses contained.
Relevant senior leadership may insist that any data processing by a third party ceases immediately if it believes that that third party has not got adequate data protection safeguards in place. If any data processing is going to take place outside of the EEA then the DPO must be consulted prior to any contracts being agreed.
Requests for information under the UK GDPR – Data Subject Requests
Requests under this legislation should be made to the Data Protection Officer.
Any member of staff may receive a request. Whilst the UK GDPR does not require such requests to be made in writing, applicants are encouraged where possible to do so; applicants who require assistance should seek help from British Taekwondo. Requests will be logged with the Data Protection Officer and acknowledged within 5 days.
Please refer to the Data Subject Rights Procedure for further information.
Relationship with existing policies
This policy has been drawn up within the context of the organisation’s policy framework. In particular it relates to British Taekwondo’s Special Category Data Policy, Records Management Policy and Information Security Policy and helps to facilitate compliance with the requirements of the UK General Data Protection Regulation.
British Taekwondo’s board will be responsible for evaluating and reviewing this policy.
Signed: Ian Leafe
Date: 8th April 2021
Review Date: 8th April 2022