12.07.2015 Views

ETTA Data Protection Policy - The English Table Tennis Association


ETTA Data Protection Policy

1 Introduction

This is the Data Protection Policy of the English Table Tennis Association Ltd, hereinafter known as (or referred to as) the ETTA.

The Data Protection Act applies to electronic and paper records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. The ETTA collects a large amount of personal data every year including:

• staff records and references
• membership records, including players and coaches
• names and addresses of those requesting information
• limited information for fee collection for online transactions
• different types of research data used by the ETTA

The Data Protection Act 1998 governs the use of personal information through the eight data protection principles. These principles require that personal information is:

• processed fairly and lawfully
• processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose
• adequate, relevant and not excessive
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary for the purpose for which it is being used
• processed in line with the rights of individuals
• kept secure with appropriate technical and organisational measures taken to protect the information
• not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred

The ETTA, acting as custodians of the personal data, recognises its duty to ensure that all data is handled properly and confidentially at all times during the lifecycle of the data, as follows:

• the obtaining of personal data;
• the storage and security of personal data;
• the use of personal data;
• the disposal/destruction of personal data.

2. Implementation

The ETTA will undertake the following:

• nominate a "Data Protection Controller", responsible for gathering and disseminating information and issues relating to information security, the Data Protection Act and other related legislation;
• ensure that all activities that relate to the processing of personal data have appropriate safeguards and controls in place to ensure information security and compliance with the Act;
• ensure that all contracts and service level agreements (SLAs) between the ETTA and external third parties (for example funders) - where personal data is processed - make reference to the Act as appropriate;
• ensure that all staff acting on the ETTA's behalf understand their responsibilities regarding information security under the Act, and that they receive the appropriate training / instruction and supervision so that they carry these duties out effectively and consistently and are given access to personal information that is appropriate to the duties they undertake;
• ensure that all third parties acting on the ETTA's behalf are given access to personal information that is appropriate to the duties they undertake and no more;
• ensure that any requests for access to personal data are handled courteously, promptly and appropriately, ensuring that either the data subject or his/her authorised representative has a legitimate right to access under the Act, that the request is valid, and that information provided is clear and unambiguous. All actions regarding data subject access requests will be logged. This audit trail will include details regarding the nature of the request, the steps taken to validate it, the information provided as well as any withheld, e.g. for legal reasons.
• never, under any circumstances, exploit your data for commercial gain but it may, from time to time, release your personal data to other National Governing Bodies for UK sport and Government agencies involved in sport in the UK. In these circumstances, the data will be held for the duration of the project and destroyed immediately after use.
• allow you to request that your data is held solely for the purposes of the ETTA. This can be achieved by you making the request (in writing) to the Data Protection Officer, at the following address:

  English Table Tennis Association Limited
  Queensbury House (Fourth Floor)
  Havelock Road
  Hastings
  East Sussex TN34 1HF

• work towards adopting, as best working practice, the key principles of BS7799 - the British Standard on Information Security Management;
• implement a security policy for controlling staff use of data and governing staff handling of personal data;
• review this policy and the safeguards and controls that relate to it annually - to ensure that they are still relevant, efficient and effective.

3 The ETTA responsibilities under the Act

3.1 Data Protection means that the English Table Tennis Association (ETTA) must:

• manage and process personal data properly
• protect the individual's rights to privacy
• provide an individual with access to all personal information held on them

3.2 The English Table Tennis Association (ETTA) has a legal responsibility to comply with the Act. The Senior Management Team member with overall responsibility for this policy is the Operations Manager. The English Table Tennis Association (ETTA), as a corporate body, is named as the Data Controller under the Act.

3.3 The English Table Tennis Association (ETTA) is required to notify the Information Commissioner of the processing of personal data and this is included in a public register. The public register of data controllers is available on the Information Commissioner's website.

3.4 The English Table Tennis Association (ETTA)'s Operations Manager is responsible for drawing up guidance on good data protection practice and promoting compliance with this guidance through advising staff on the creation, maintenance, storage and retention of their records which contain personal information.

3.5 Every member of staff that holds information about identifiable living individuals has to comply with data protection in managing that information. Individuals can be liable for breaches of the Act.

3.6 The ETTA acknowledges the rights of individuals to whom personal data relates, and ensures that these rights may be exercised in accordance with the Act;

• ensure that both the collection and use of personal data is done fairly and lawfully;
• ensure that personal data will only be obtained and processed for the purposes specified;
• collect and process personal data on a "need to know" basis, ensuring that such data is fit for the purpose, is not excessive, and is disposed of at a time appropriate to its purpose;
• ensure that adequate steps are taken to ensure the accuracy and currency of data;
• ensure that for all personal data, appropriate security measures are taken both technically and organisationally - to protect against damage, loss or abuse;
• ensure that the movement of personal data is done in a lawful way - both inside and outside the ETTA - and that suitable safeguards exist at all times.

4. Guidance

Guidance on the procedures necessary to comply with this policy is available from the Operations Manager. This guidance covers:

4.1 Introduction to Data Protection including Data Protection principles, types of data involved and key concepts

4.2 Best practice guidelines including:

• use of personal data by employees and volunteers
• transfer of personal data to third parties (incl volunteers)
• security of personal data –

  You should be able to "completely" restore from a catastrophic failure, from at least two previous full backups, just in case the last is damaged, lost, corrupt, etc.

  A "Good" backup regime should contain at least one full backup within a chosen cycle, normally weekly.

  A "Good" backup practice is to store backups away from the current data location, preferably off-site.

  Dynamic data should be backed up during "dead periods" to avoid fuzzy backups (data is changing as you back it up, potentially leading to related information not being in sync when backed up).

• use of personal data in research
• confidential references
• transfer of personal data to non-EEA countries

4.4 Guidance for the public on Data Protection and how to make a request is available on the Data Protection internet pages.

5. Status

This policy was approved by the Senior Management Team in December 2009. It will be reviewed annually.

6. Contacts

Operations Manager
Tel: 01424 456200
Email: bill.shearer@etta.co.uk

Data Protection Officer
Tel: 01424 456208
Email: dataprotection@etta.co.uk
