Data Protection Policy

Our Policy

The Irish Clay Target Shooting Association (“ICTSA”) as a sports governing body needs to gather and use certain personal data and information about individuals, or data subjects, in order to run, administer and promote the sport of clay target shooting.

The ICTSA takes its data protection obligations very seriously and is committed to complying with the law. The policy applies to all of our staff, members, clubs, volunteers, coaches and consultants (“ICTSA Community” or “you” or “your”).

This Data Protection Policy (“DP Policy”) is designed to:

1. give practical guidance on ICTSA’s approach to data protection law
2. raise awareness amongst the ICTSA Community about data protection law, including rights and responsibilities
3. provide guidance on how to comply with those responsibilities

This Policy is a guidance document only. It is not a summary of the law or an exhaustive list of data protection responsibilities.

ICTSA’s Approach to Data Protection Compliance

ICTSA has appointed a dedicated Data Protection Liaison (“DPL”) to oversee compliance with data protection laws for ICTSA[1].

Each club should appoint a DPL with responsibility for overseeing compliance with data protection laws within that club.

Any queries on data protection should be directed, in the first instance to your club DPL. If the query cannot be resolved at club level, ICTSA’s DPL Conor Mooney can be contacted at dataprotect@ictsa.ie

ICTSA has taken steps to ensure it is compliant with data protection law including;

1. Itemising it on the agenda for discussion at Board level;
2. Identifying and appointing a DPL.
3. Attending data protection-specific training;
4. Engaging experts regarding compliance and a project plan;
5. Completing a tailored data protection questionnaire, which required us to assess and document personal data we hold and the process and the justifications for doing so;
6. Drafting and reviewing policies;
7. Considering and completing a tailored data security and IT gap analysis;
8. Assessing and upgrading our data security software and processes

The ICTSA has other policies and rules in place that affect the use of personal data and that should be read in conjunction with this DP Policy. We would draw your attention in particular to the following:

Constitution

https://www.ictsa.ie/custom/public/files/ictsa-constitution-24-11-2016.pdf

Terms And Conditions

https://www.ictsa.ie/terms-and-conditions

Member Privacy Policy

https://www.ictsa.ie/shooting-policies/privacy-data-protection-policy/privacy-notice-for-members

Junior Member Privacy Policy

https://www.ictsa.ie/shooting-policies/privacy-data-protection-policy/privacy-notice-for-children

Social Media Policy

https://www.ictsa.ie/shooting-policies/social-media

Data Protection – Shoot Programme

https://www.ictsa.ie/shooting-policies/privacy-data-protection-policy/shoot-programme

Who is responsible for data protection?

During any given activity involving clay target shooting and the ICTSA Community, personal information may be collected, stored, viewed, archived, deleted, transferred, amended and so on. When we do this, we are processing personal data and we are required to do so in accordance with data protection law.

It is the responsibility of anybody involved in processing or controlling or using this personal data to do so in an appropriate and lawful manner.

Each person in the ICTSA Community is potentially affected. It is your responsibility to make yourself aware of the DP Policy and implement it when processing personal data.

This policy does not form part of any employee's contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.

It is important that you notify the Data Protection Liaison or relevant person in your club of any potential breach involving you or anybody in the ICTSA Community.

The Office of the Data Protection Commissioner (“DPC”) is the statutory independent body responsible for enforcing data protection law in Ireland. The DPC has extensive powers, including the ability to impose civil fines of up to Euros 20 million or 4% of group worldwide turnover, whichever is higher. Also, the data protection laws can be enforced in the courts and the courts have the power to award compensation to individuals.

Data protection laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “data protection laws”). It is anticipated that in the aftermath of Brexit, the UK will adopt laws equivalent to these data protection laws.

The data protection laws require that the personal data is processed in accordance with the Data Protection Principles (see below) and gives individuals rights to access, correct and control how we use their personal data (on which see below).

Key Data Protection Principles

All personal data must be:

• Processed fairly and lawfully and transparently
• Processed for specified, lawful and compatible purposes
• Adequate, relevant and not excessive to the purpose it was collected for
• Accurate and up to date
• Not kept longer than necessary
• Processed and kept securely

See the Schedules below for further detail on these principles.

Key Phrases

“Personal Data” means data that relates to a living individual who can be identified from the data. It is limited to information about living people only. In the clay target shooting context, this includes; athletes, coaches, judges, volunteers, parents, members, employees, contractors, suppliers etc… Personal data can include:

• information held electronically or on paper or provided orally (phone recordings) or visually (e.g. CCTV).;
• an expression of opinion about the individual e.g. records stored in the course of a coaching assessment or details regarding a participant’s performance;
• medical records, credit history, a recording of their actions, or contact details;

“Sensitive Personal Data” – means information containing facts or opinions about a living individual relating to: • Racial or ethnic origin • Political opinions • Religious beliefs • Trade Union Membership • Health • Sex life • Criminal proceedings or convictions

“Data subject” is the living individual to whom the relevant personal data relates.

“Processing” is widely defined under the data protection laws and can include for example collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction of personal data, including CCTV images. The lawful bases for processing Personal Data are set out in the Schedules below.

“Data controller” is the person who decides how personal data is used, for example we will always be a data controller in respect of personal data relating to our employees.

“Data processor” is a person who processes personal data on behalf of a data controller and only processes that personal data in accordance with instructions from the data controller, for example an outsourced payroll provider will be a data processor.

“Data users” include employees or volunteers whose work involves using personal data. Data users have a duty to protect the information they handle by following this data protection policy at all times.

Special category data

Special category data under the data protection laws is personal data relating to an individual’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data.

The special category personal data we would expect to collect would be health data in the context of safely administering the sport of clay target shooting or anti-doping purposes. We are also required, under law, to collect any history of criminal records in the context of Garda vetting. There are separate lawful bases for collecting special category data (as set out in the Schedules below).

Your obligations – “Do’s and Don’ts”

You should always try to apply a practical, logical and common-sense approach to how you use personal data, including the following steps where practical:

• Do not take personal data out of the organisation’s premises (unless necessary).
• Only disclose your unique logins and passwords for any of our IT systems to authorised personnel (e.g. IT) and not to anyone else.
• Never leave any items containing personal data unattended in a public place, e.g. on a train, in a café, etc. and this would include paper files, mobile phone, laptops, tablets, memory sticks etc.
• Never leave any items containing personal data in unsecure locations, e.g. in car on your drive overnight and this would include paper files, mobile phone, laptops, tablets, memory sticks etc.
• If you are staying at a hotel then utilise the room safe or the hotel staff to store items containing personal data when you do not need to have them with you.
• Where possible, encrypt laptops, mobile devices and removable storage devices containing personal data.
• Do lock laptops, files, mobile devices and removable storage devices containing personal data away and out of sight when not in use.
• Do password protect documents and databases containing personal data.
• When disposing of personal data, ensure to shred it or dispose of it in a confidential manner.
• Do not leave personal data lying around, store it securely.
• When transferring personal data, especially sensitive data, to third parties consider whether you have a justifiable basis for doing so.
• Do notify your DPL immediately of any suspected security breaches or loss of personal data. (see Data Breach Policy in the Schedules below)

Consequences for non-compliance

There are a number of serious consequences for both yourself and us if we do not comply with data protection laws.

These include:    For you

• Disciplinary action: If you are an employee, your terms and conditions of employment require you to comply with our policies.
• Failure to do so could lead to disciplinary action including dismissal. Where you are a volunteer, failure to comply with our policies could lead to termination of your volunteering position with us.
• Criminal sanctions: Serious breaches could potentially result in criminal liability.
• Investigations and interviews: Your actions could be investigated, and you could be interviewed in relation to any non-compliance.

For ICTSA or your club:

• Criminal sanctions: Non-compliance could involve a criminal offence.
• Civil Fines: These can be up to Euro 20 million or 4% of group worldwide turnover whichever is higher.
• Assessments, investigations and enforcement action: We could be assessed or investigated by, and obliged to provide information to, the DPC.
• Court orders: These may require us to implement measures or take steps in relation to, or cease or refrain from, processing personal data.
• Claims for compensation: Individuals may make claims for damage they have suffered as a result of our non-compliance.
• Reputational damage: Assessments, investigations and enforcement action by, and complaints to, the Information Commissioner quickly become public knowledge and might damage our brand. Court proceedings are public knowledge.
• Use of management time and resources: Dealing with assessments, investigations, enforcement action, complaints, claims, etc. takes time and effort and can involve considerable cost.

Data subject rights

Under data protection laws individuals have certain rights in relation to their own personal data. In summary these are:

• The rights to access their personal data, usually referred to as a subject access request;
• The right to have their personal data rectified;
• The right to have their personal data erased, usually referred to as the right to be forgotten;
• The right to restrict processing of their personal data;
• The right to object to receiving direct marketing materials;
• The right to portability of their personal data;
• The right to object to processing of their personal data; and
• The right to not be subject to a decision made solely by automated data processing.

Not all of these rights are absolute rights, some are qualified and some only apply in specific circumstances. More details on these rights can be found in the Schedules of this Policy.