GENERAL DATA PROTECTION REGULATION – CBAI

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation that came into effect on 25 May 2018. GDPR updates previous data protection laws and places greater accountability and transparency obligations on organisations when using a member’s personal information. It gives the individual greater control over their personal information.

This applies to all clubs, groupings of clubs e.g. Counties / Regions and the Contract Bridge Association of Ireland.. Each of these is identified as Data Controllers and has responsibilities in respect to the data they hold. It is possible that the entity operating as the first grouping of clubs, (County, region, etc) may not require separate identification as a Data Controller from  the NBO, but the responsibility of safeguarding personal data is in no way diminished.

Overview –

All information that is collected on an individual member is regarded as Personal Data. It must be kept secure and only to be used for the express purpose for which it was collected – bridge or other activities for the body involved.  Similarly, if you have a visitor/guest to your club, their information is also personal data.

Personal Data should not be passed on to anyone unless the purpose was specifically covered when the information was collected.

Maintenance of Records

If your records are retained on on a computer, they should only be accessible by authorised people;     The computer and/or folders in which the information is kept should be locked and/or encrypted.

Access to records should only be available to authorised committee members, Officers or managers. When new individuals take up these positions access methods e.g. passwords, should be changed,

Usage of Personal Data

When using personal data, care must be taken not to share any information with others, either deliberately or by accident; for example, if sending a group email, the blind copy (Bcc) facility or a mailshot programme that does not show other addressees must be used.

Clubs should not circulate lists of members with contact details within their own membership – unless they have specific agreement from their members. Clubs should regard this time as being a completely fresh start for all their practices, seeking specific permission from members to make use of their personal data.

Previous practice of “opting out” will no longer apply – all members must be asked to “opt in” – by specifically giving permission to use personal data.

Everyone must be informed from whom data has been collected:

• The legal basis for doing so;
• What data you collect;
• How it is stored;
• To whom you pass it on and for what purpose;
• For how long you keep the data;
• What they can do to limit how you use your data.

This will usually be done via a Privacy Notice, which may be on your club’s website, but a printed copy should also be available in the club and be sent to those who request it. Your members should be directed to this Privacy Notice on every occasion when you collect data, so it should be referred to on your membership application form. A Privacy Notice will also be displayed on the CBAI Website.

Publication of Personal Data

In a situation where a member is an office holder in a club or other grouping, and it is necessary to publish contact information for them either on paper or on another medium, specific permission must be sought from the individual for that purpose.

MEMBERSHIP FORMS

Your application form for membership at Club level should contain a request for permission to use Personal Data for purposes of bridge and include a request for permission to reproduce photographs of members to record their winning of a prize or prizes for bridge and promotion of bridge.

See attached template. This form will be printed and circulated to all Clubs for ALL Club members to complete. It will be in 2 parts – the original to be retained by the club and the copy to be returned to the CBAI.

RIGHTS OF THE INDIVIDUAL

An individual has a right to data protection when their details are

• held on a computer
• held on paper or other manual form as part of a filing system and
• made up of photographs or video recordings of their image or recordings of their voice

Data Protection rights help the individual to make sure the information stored about them is

• factually correct
• only available to those who should have it
• only used for stated purposes.

The bridge grouping (Data Controller) who holds information about the individual must –

• obtain and use the information fairly
• keep it for usage only for bridge purposes
• get permission before sending emails to your computer or text messages to your mobile phone.
• keep the information safe
• make sure that any information is relevant, factually correct and up-to-date
• give the individual a copy of their personal information when requested.

General Data Protection Regulation – Frequently Asked Questions

The new General Data Protection Regulation (GDPR) which came into force on 25 May 2018 is a European Regulation that gives individuals more control than previously over how their personal data can be used by the organisations they deal with. 

Personal data is any information that would allow an individual to be specifically identified, either on its own or in conjunction with other information.  It covers such items as name, address, email address, phone number, date of birth, PPSN number, photograph, etc.

The Regulations apply to any organisation which holds data, including not-for-profit organisations such as bridge clubs.  In the Irish bridge context, both the CBAI itself and each individual club has obligations under GDPR; the regions, as branches of the CBAI, will be covered by the Association’s own data control procedures, and thus do not need separate procedures of their own.

1. You need to set out your policy in relation to personal data, and make it available to your members.  A sample Privacy Policy statement is available separately on the CBAI website.
2. You need to decide who within the club will be responsible for managing members’ personal data, and to ensure that these people know their obligations under the Regulations.  You also need to agree how you will handle any queries or requests for data from your members.
3. You need to get consent from your members to hold and use their data for the specific purposes for which you need it, and this consent needs to be obtained formally, i.e. with a signature.  The easiest way to do this is to ask all members, both current and new, to complete a membership form.  A sample version is available on the CBAI website – you will need to include your own club-specific information where appropriate.
4. You need to ensure that any personal data you hold is used only for the purposes for which it was collected.
5. You need to ensure that the data you have collected is stored safely.  If you use paper records, they should be kept under lock-and-key; if you store your records electronically, the files should be locked with password protection.
6. You need to dispose of any data that is no longer required, in a secure manner.  Paper records should be shredded, and electronic ones should be permanently deleted.
7. You need to make sure that only authorized individuals have access to the personal data.  When these individuals change (due to changes in your club officers, for example), you should make it a practice to change all relevant computer passwords.
8. You need to make sure that emails to the membership are sent in such a way that the recipients’ individual email addresses are not visible – i.e. by blind-copying them (the “bcc” function) or by using a mailshot program.

No.  The Regulations apply to all clubs, no matter how small, and regardless of whether or not they are established as profit-making enterprises.

There are a number of bases on which an organisation can seek consent to hold and use personal data.  If you use the form we are recommending, your members are acknowledging that in the legitimate interests of running the bridge club that they have elected to join, the club will need to use, process, and retain some of their personal data, and furthermore that the club will pass on some or all of that data to the CBAI, as the body responsible for the administration of bridge in Ireland.

This legitimate interest basis is the most flexible legal basis for using data, and is the one appropriate for organisations such as bridge clubs, where people’s data will be used in ways they would reasonably expect and that have minimal privacy impact, and where “marketing” activities are not intended.  It follows that you must therefore only use the data for purposes that are in the legitimate interests of running your bridge club and in fulfilling your obligations to the CBAI (e.g. for Masterpoints, affiliations, etc).

Committee members’ personal details (phone numbers or email addresses) should only be displayed on websites or documents if they have specifically agreed to this.  For committee business, it is acceptable to send emails to the entire committee in the usual fashion (i.e. without blind-copying) provided that the members of the committee have been informed that this is the practice.

The Regulation came into effect on 25 May 2018.  So you will need to put policies in relation to members’ personal data in place quickly, if you have not already done so, and to seek members’ consent to use their data.  Realistically, the payment of member subscriptions for next season may represent the best opportunity for clubs to revisit their consents with all members, but we would recommend that a formal Privacy Policy be in place, and be adhered to, as soon as practicable.

Our advice is that, given the substantial changes in the Regulations affecting personal data, and the requirement to draw members’ attention to your policies in this regard, the safest course of action is to seek fresh consents from all members, including those already on your books.

Our advice is that this is an area that is beyond the essential activities of a club, and as such, should only be done if specific member consent is obtained.  Given that all members would need to consent, it might be easier to abandon this practice.  Honour boards in a public place (such as list of competition winners or former officers within a club), on the other hand, do seem to fall within the definition of the normal activities of a club, and as such, our advice is that they may be retained.

Publishing results is clearly a legitimate and normal activity within a bridge club.  In addition, the results presumably do not contain any information other than the player’s name and their score, so there would seem to be little risk.  Some clubs already limit access to their online results to members of the club, via a password, so this is also an option.  But it would not seem to be necessary if your club would prefer not to limit access.

If you teach as part of a bridge club, and the students’ details are processed by the club, your activities should be covered by the club’s Privacy Policy, as long as the students have signed up to this.  If you teach independently of a club (even though you may use the club’s premises) then you are responsible for ensuring compliance with the Regulations.  Either way, the data obviously needs to be managed in accordance with the Regulations (for example, blind-copying the students on emails, whether they come from you or from the club).  We intend to revise the CBAI Student Membership Application Form for next season to take account of GDPR.