IBF Data Protection Policy



If you handle personal information about individuals, you have a number of legal

obligations to protect that information under the Data Protection Act 1998.

The Data Protection Act came into force in 1998 and is a complex piece of legislation and it is vital that those who collect and use personal data maintain the confidence of those who are asked to provide it by complying with the requirements of the Data Protection Legislation.

The Legislation applies to personal data that is data about identifiable living individuals and those who decide how and why personal data is processed must comply with the rules of good information handling known as the ‘Data Protection Principles’ listed below and the other requirements within the Legislation.

The Legislation requires that any personal data that is collected must be handled correctly and must comply with the eight enforceable principles of good practice. These are:

 Fairly and lawfully processed

 Processed for limited purposes and not in a manner incompatible with those


 Adequate, relevant and not excessive

 Accurate

 Not kept for longer than is necessary

 Processed in line with the Data Subject’s rights

 Secure

 Not transferred to countries without adequate protection

However, most Clubs may claim the unincorporated members Clubs exemption from registration, subject to access request under the old Act. This applies to non-profit making organisations.

The exemption from notification does not exempt you from complying with the other provisions of the Legislation, particularly subject access request and the processing of data in accordance with the Data Protection Principles as indicated above.

To benefit from the exemption the following conditions must be satisfied in relation to the processing of data:

 This is carried out by a body or Association not established or conducted for profit

 It is for the purposes of establishing or maintaining membership of or support for     the body or organisation providing or administering activities for individuals who are members of the body or have regular contact with it

 It is personal data, of which the Data Subject is a past, present or prospective

 member of the body

 It consists of the name, address and other identifiers as to the eligibility for


 It does not involve disclosure to third parties other than with consent or where

necessary to process the data

 It does not involve keeping the data after relationship ends, unless and for so long

as is necessary for exempt purposes

Essentially, this exemption enables Clubs to manage themselves and carry out there

purpose without having to notify with a Data Protection Registrar. Many Clubs will not hold vast amounts of data about individuals or use the data held by them for a wider purpose. If you are holding data about individuals that you need for your purposes then in order to fall within the exemption it may be sensible to audit the data so that you hold what you need to carry out your purposes.

It is very important, in order to benefit from the exemption that you obtain the specific consent from each of your Data Subjects to the transfer of data to third parties if you propose to do this. If an individual does not consent then the data may not be transferred.

Using your membership data commercially

If you process data for purposes wider than running of your Club, for example, if you

fundraise by obtaining sponsorship or sell your databases, then you will need to NOTIFY with the Data Protection Registrar. There is a template form for Clubs/Societies, which lists the general purposes for which a Club processes data (administration of membership, fundraising and processing note for profit organisations). If you process data for other purposes, for example trading, in personal data or information administration these purposes will need to be added.

Collection of data

When collecting data, the following information must be provided to the Data Subject:

 Who you are

 What data you are collecting

 For what purpose (if there is more than one this must be stated and if direct

marketing is one of the purposes an opportunity must be given)

 If the data will be transferred to a third party (and give them the opportunity to

opt out of this)

Where the data is being used for direct marketing it is important to get consent to this purpose from the Data Subject, as it is unlikely that any of the other conditions in Schedule 1 to the Act will be met permitting you to process the data. If the data is sensitive, explicit (positive) consent must be obtained i.e. a tick box will not be sufficient.

Transfer of data

If you do transfer data to third parties you need to ensure that in your agreement with them you have an undertaking from them to use the data only for the purpose agreed, which cannot be a wider purpose than what you tell your members that you are transferring thedata for.

Data Processors

If you employ a Data Processor to carryout processing on your behalf, eg data inputting, you need a written contract with the Data Processor, which needs to include specific guarantees relating to the Data Security.

The Rights of Individuals

The Act allows individuals to find out what information is held about them on computer and some paper records. This is known as the Right of Subject Access.

The Act allows individuals to apply to the court to order a Data Controller to rectify, block, erase or destroy personal details, if they are inaccurate or contain expressions of opinion, which are based on inaccurate data.

The Data Subjects can ask the Data Controller to stop or not to begin processing data

relating to him or her for direct marketing purposes. This is an ‘absolute right’.

Subjects can claim compensation from a Data Controller for damage or damage and

distress caused by any breach of the Data Protection Act.

It is an offence to obtain, disclose, sell or advertise for sale, or bring about the disclosure of personal data without the consent of the Data Controller.

For more information go to: http://www.ico.gov.uk/for_organisations/data_protection.aspx


For more detailed and indepth information the following websites may help you to find the information that you need.

Running Sports – Data Protection Guidance for Sport Providers


Information Commissioner’s Office


The above information is provided as a basic guide and signposts to organisations with the appropriate level of expertise that can offer guidance and support in this particular area of legislation. IBF and its staff cannot accept any liability for any loss arising as a result of reliance upon the information contained herein. Readers are advised to obtain professional advice on an individual basis.

No comments yet.

Leave a Reply