General Data Protection Regulation (GDPR) and Privacy Policy

Triple Crown ARSC recognises the importance of protecting personal and confidential information in all that we do and takes care to meet our legal duties. Triple Crown ARSC puts in place all reasonable, technical, security and procedural controls required to protect your personal information for the whole of its life, in whatever format we hold that information 

Personal data is any information relating to an identified or identifiable living person. This definition of this may be found in the Data Protection Act 2018.  

The GDPR includes six principles that organisations must apply when they collect and use personal data

These principles are: 

1. Personal data must be processed in a manner which is lawful, fair, and transparent. This means that when we collect and use personal information, we must have a lawful basis for doing so, we must consider the rights and interests of the person the data is about and provide clear information about our use of the data.
2. Personal data must be collected for specified, explicit and legitimate purposes and not used in any ways which are incompatible with those purposes. When we collect personal data, we must be truly clear about why we need it and what we will do with it. If we collect personal data for one purpose may not use it for an unconnected purpose.  
3. Personal data we collect must be adequate, relevant, and limited to what is necessary for the purposes for which it is used. This means must make sure that we only collect and use personal data that is strictly necessary for our stated purpose or purposes.  
4. Personal data must be accurate, and where necessary, kept up to date. We are required to take all reasonable steps to ensure that the personal data held is correct and kept up to date. This means that from time to time, we will review the personal data we hold, and we may contact you to make sure the personal data we have about you is current and does not contain any errors.  
5. Personal data must be kept in a format which allows identification for no longer than is necessary for the purposes for which it is used. In some cases, it may only be necessary for us to be able to directly identify an individual for a short period of time. When we no longer need to be able to identify an individual, we will anonymise the personal data. Where personal data is anonymised and the data subject in no longer identifiable that data will cease to be personal data. 
6. Personal data must be used in a manner that ensures appropriate security of the data. This means that our policies, procedures, systems and working practices must ensure that personal data is protected from unlawful access and is always kept secure. 

Before we collect and use personal data, we must be able to demonstrate that there is a lawful basis for us to do so. GDPR provides six lawful bases for processing personal data: 

1. Consent: when you have explicitly told us that we may collect and use your personal data – for example by asking us to add you to one of our mailing lists. 
2. Contract: when we need to collect and use personal data to enter into or perform a contract – for example if you receive funding from us.
3. Legal obligations: when we need to collect and use personal data to carry out our legal duties – for example to respond to a request for information under the Freedom of Information Act. 
4. Vital interests: when we need to collect and use personal data to protect your vital interests or the vital interests of another person – for example by contacting the relevant authorities if we believe an individual is likely to come to immediate harm. 
5. Public task: when we need to collect and use personal data to carry out one of our official tasks, or a task that’s in the public interest – for example when we carry out surveys about sports participation to create official statistics. 
6. Legitimate interests: when we need to collect and use personal data to pursue the legitimate interests of Triple Crown ARSC or a third party, unless doing so would interfere with your rights and freedoms – for example when we’re dealing with complaints about an organisation we have funded. 

Our lawful basis for collecting and using personal data varies depending on why we have collected it and what we will do with it. Whenever Triple Crown ARSC collects personal data directly from you, we aim to set out our lawful basis as clearly as we can or provide links to the information you need.

If we receive personal data about you from a third party, we will use reasonable efforts to identify our lawful basis and to inform you of this where it is possible and practical for us to do so. 

Triple Crown ARSC collects and uses personal data for a variety of purposes including: 

• To manage our relationship with you.  
• To communicate with you about your membership of Triple Crown ARSC  
• To administer payments relating to membership.  
• To administer payments relating to other event and activities.  
• To manage risk for us and our members.  
• To comply with regulations that apply to us.  
• To respond to complaints.  
• To run Triple Crown ARSC in an efficient and proper way including the managing of  
• our financial position and communications.  
• To provide the Great Britain Skating Association (the GBSA) central database with your personal details for the purposes of their membership administration.  

When we collect personal data directly from you, we will provide specific and detailed information about why we need to do so. 

Triple Crown ARSC collects a range of personal data including: 

• Names and contact details (including postal and email addresses and telephone numbers) 
• Biographical information such as participation in sport, membership of sports clubs and interest in, or opinions. 
• Information about ethnicity, sexual orientation, health related data or other special category personal data where it is necessary and relevant for a specific purpose 
• Photographs, including for publicity or promotional purposes (see Consent for Images for further information). 

When we collect and use personal data directly from you, we aim to provide specific and detailed information about the categories of personal data involved. 

We do not knowingly collect personal data about children under the age of sixteen without consent of a parent or guardian. If you become aware that a child has provided us with their personal data without the consent of the parent or guardian, we would ask you to contact us immediately so that we can address the matter. 

Officials of Triple Crown ARSC will have access to your personal data for the purpose(s) for which it was collected. Any third-party providers who have access to your personal data, Triple Crown ARSC will still be responsible for decisions about how your personal data is used.

In some cases, where there is a lawful basis for us to do so we may share personal data with third parties such as the GBSA, the Information Commissioner’s Office, or other trusted partners, including charities and funding organisations. Where possible we will tell you if your personal data will be shared, and the third parties the data be shared with, at the time we collect your personal data. If we are required by law to disclose personal data we will do so, in keeping with our obligations.  

Triple Crown ARSC never sells personal data to third parties for any purpose, and we do not collect or compile personal data for dissemination to third parties for marketing purposes.  

Personal data is held securely within the Triple Crown ARSC Information Technology environment.  Access is limited to use with secure passwords.

All the personal data that we collect, and hold is kept in accordance with our File Retention Schedule. This Schedule is guided by the legislative and regulatory frameworks we are subject to and helps us to ensure that we do not keep personal data for longer than is necessary for the purpose(s) for which it was collected. 

The GDPR gives individuals a number of rights in relation to any personal data an organisation holds about them, and it is the Triple Crown ARSC’s policy to make it as easy as possible for people to exercise these rights.  

• Subject access - Under GDPR all individuals are entitled to be told what personal data an organisation holds about them, and to receive copies of that information, free of charge, within one month. You can make a subject access request to Triple Crown ARSC by contacting the Club Chairperson 

• Rectification and erasure - If you believe that Triple Crown ARSC is holding inaccurate information about you, you are entitled to ask us to rectify that data. In addition, if you believe that Triple Crown ARSC  no longer has a lawful basis to use your personal data, you can ask us to delete it. The right to rectification and erasure is not absolute, but we will consider any requests carefully and comply with such requests where it is appropriate for us to do so. You can ask to have your personal data rectified or erased by contacting the Club Chairperson

• Withdrawing consent - If our lawful basis for collecting and using your personal data was consent, then you are entitled to withdraw that consent at any time. You do not need to give a reason for withdrawing your consent and we are required to comply promptly. You can inform us that you wish to withdraw consent by contacting the Club Chairperson 

• Complaints - If you are in any way dissatisfied with the way we have handled your personal data, Triple Crown ARSC provides a Concerns and Complaints Policy and Procedure. In addition, regardless of whether you make a complaint under our policy you’re entitled to lodge a complaint about our data handling practices with the Information Commissioner by writing to: The Information Commissioner’s Office www.ico.org.uk 

You have the right to question any information we hold on you that you think is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it. 

If you need to update your contact details, you can do so by contacting the Club Secretary

We may need to collect personal information by law or to maintain our membership records.  

 If you choose not to give us this personal information, it may delay or prevent us from meeting our membership obligations. It may mean that we cannot provide you with membership of Triple Crown ARSC.

We will notify you if your choice not to give us your personal information would result in a delay or prevent us from meeting our obligations.