Data Protection Policy

Borough of Harrow Swimming Club

Data Protection Policy

Policy owner: Club Committee
Applies to: Swimmers, parents/carers, coaches, teachers, volunteers, officials, committee members and employees

1. Purpose of this Policy

Borough of Harrow Swimming Club is committed to protecting the personal data of all members, swimmers, parents/carers, staff, coaches, teachers, volunteers and officials.

The purpose of this policy is to explain how the Club collects, uses, stores, shares and protects personal information in accordance with:

  • UK General Data Protection Regulation, UK GDPR
  • Data Protection Act 2018
  • Swim England guidance, regulations and safeguarding expectations
  • The Club’s safeguarding, welfare, photography, communication and membership procedures

The Club recognises that good data protection is essential for safeguarding children, managing membership, operating swimming lessons and squads, communicating with parents, administering competitions, recording attendance, processing payments, and ensuring the safe and effective running of the Club.

2. Who is Responsible for Data Protection?

The Club acts as a Data Controller for the personal data it collects and uses.

The Club Committee has overall responsibility for ensuring compliance with data protection law. Day-to-day responsibility may be delegated to appropriate Club officers, administrators or welfare officers.

All coaches, teachers, volunteers, committee members and administrators who handle personal data must follow this policy.

3. Data Protection Principles

The Club will follow the UK GDPR data protection principles. Personal data must be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specific, clear and legitimate purposes
  3. Limited to what is necessary
  4. Accurate and kept up to date
  5. Kept only for as long as necessary
  6. Kept secure and confidential
  7. Handled in a way that demonstrates accountability

4. Personal Data We May Collect

The Club may collect and process the following personal data:

Swimmer information

  • Full name
  • Date of birth
  • Gender, where required for competition or Swim England purposes
  • Address
  • Parent/carer details
  • Emergency contact details
  • Medical information relevant to swimming participation
  • Disability, access or additional support needs where relevant
  • Swim England membership number
  • Squad, class or stage allocation
  • Attendance records
  • Assessment and progression records
  • Competition entries, times and results
  • Behaviour, welfare or safeguarding records where necessary
  • Photographs or video footage where appropriate consent has been obtained

Parent/carer information

  • Full name
  • Email address
  • Phone number
  • Address
  • Relationship to swimmer
  • Payment and membership communication records
  • Portal account details

Coaches, teachers, volunteers and staff information

  • Full name
  • Contact details
  • Role and qualifications
  • DBS information, where applicable
  • Safeguarding and training records
  • Emergency contact details
  • Right to work or employment-related information, where applicable
  • Timesheet, payment or payroll-related information, where applicable
  • Code of conduct and policy acknowledgements

Website and portal information

  • User account details
  • Login records
  • Policy acknowledgements
  • Forms submitted through the website or portals
  • Technical logs required for security and troubleshooting

5. Special Category Data

Some information, such as medical information, disability information or safeguarding information, may be classed as special category data and requires extra protection.

The ICO confirms that special category data needs additional protection and requires both a lawful basis under Article 6 UK GDPR and a separate condition under Article 9 UK GDPR.

The Club will only collect and use this type of data where it is necessary for:

  • Swimmer safety
  • Emergency care
  • Safeguarding
  • Reasonable adjustments
  • Safe participation in swimming, training or competition
  • Legal or regulatory obligations

Access to this information will be restricted to those who genuinely need it, such as relevant coaches, teachers, welfare officers, administrators or emergency responders.

6. Why We Use Personal Data

The Club may use personal data for the following purposes:

  • Registering swimmers, parents, staff, volunteers and officials
  • Managing Learn to Swim classes, squads, training groups and attendance
  • Communicating with parents, carers, swimmers, coaches and volunteers
  • Managing safeguarding and welfare matters
  • Recording medical, emergency and safety information
  • Administering Swim England membership and affiliation requirements
  • Entering swimmers into competitions and galas
  • Recording times, results, achievements and progression
  • Managing payments, fees, refunds and financial records
  • Managing staff, coach and volunteer records
  • Maintaining club portals, attendance systems and administrative systems
  • Sending important club updates, notices and operational information
  • Promoting the Club where valid consent or legitimate interest applies
  • Complying with legal, regulatory, insurance and governance obligations

7. Lawful Bases for Processing

The Club will only process personal data where it has a lawful basis to do so.

Depending on the situation, the Club may rely on one or more of the following lawful bases:

Contract

To provide membership, lessons, squad training, competition entries or other club services.

Legal obligation

To comply with legal, safeguarding, employment, tax, insurance or regulatory requirements.

Legitimate interests

To manage the Club effectively, communicate with members, organise training, maintain records, monitor attendance, administer competitions and protect the Club’s legitimate interests.

Consent

For optional activities such as certain marketing, photography, video use, promotional material or specific medical/disability disclosures where consent is the appropriate basis.

Vital interests

In an emergency, where personal or medical information may need to be shared to protect someone’s life or safety.

Safeguarding and substantial public interest

Where necessary to protect children, young people or adults at risk.

8. Photographs, Video and Media

Photographs and videos of identifiable individuals are personal data.

The Club will:

  • Obtain appropriate consent before using photographs or videos for promotional purposes
  • Follow Swim England and Wavepower guidance on photography and filming
  • Avoid publishing unnecessary personal details with images
  • Respect any parent/carer or swimmer who has refused consent
  • Remove images where reasonably possible if consent is withdrawn
  • Take additional care when images involve children or vulnerable individuals

Photography or video may also be used for coaching, performance analysis or competition purposes where appropriate safeguards are in place.

9. Children’s Data

The Club handles children’s data with particular care.

The Club will:

  • Collect only information needed to manage swimming safely and effectively
  • Communicate primarily with parents/carers for younger swimmers
  • Ensure medical, welfare and safeguarding information is shared only with those who need to know
  • Avoid unnecessary publication of children’s personal information
  • Ensure portal access and online systems are appropriately protected

10. Sharing Personal Data

The Club may share personal data where necessary with:

  • Swim England
  • County, regional or national swimming bodies
  • Competition organisers
  • Club Organiser or other membership/payment platforms
  • Coaches, teachers, welfare officers and authorised club administrators
  • Pool operators or facility providers where necessary for safety or access
  • Medical professionals or emergency services in an emergency
  • DBS, safeguarding or regulatory bodies where required
  • Insurance providers, legal advisers or professional advisers
  • Website, IT, email, portal, database or hosting providers acting on behalf of the Club

The Club will not sell personal data to third parties.

Where third-party systems are used, the Club will take reasonable steps to ensure that data is handled securely and only for authorised purposes.

11. Club Communication

The Club may use personal data to send important communications, including:

  • Training updates
  • Class or squad information
  • Competition information
  • Payment reminders
  • Club notices
  • Safeguarding or welfare information
  • Portal updates
  • Emergency changes or cancellations

The Club may communicate by email, phone, SMS, WhatsApp, website notices or club portal messages, depending on the nature of the communication.

Marketing or promotional communications will only be sent where there is an appropriate lawful basis.

12. Data Security

The Club will take reasonable steps to protect personal data from unauthorised access, loss, misuse, alteration or disclosure.

Security measures may include:

  • Password-protected systems
  • Restricted admin access
  • Role-based access to portals
  • Secure website hosting
  • Regular plugin, theme and system updates
  • Limiting access to sensitive information
  • Secure storage of documents
  • Avoiding unnecessary downloads or exports
  • Deleting data securely when no longer required
  • Training relevant staff and volunteers on confidentiality

All coaches, teachers, staff, volunteers and committee members must keep personal data confidential and must not share it outside authorised Club purposes.

13. Access Controls

Personal data must only be accessed by people who need it for their Club role.

Examples:

  • Coaches may access swimmer attendance, medical alerts and parent contact information where needed for training safety
  • Teachers may access class registers, stage information and medical notes relevant to teaching
  • Welfare officers may access safeguarding information
  • Administrators may access membership, payment and portal information
  • Committee members may access information required for governance and decision-making

Access should be removed when someone leaves their role or no longer needs access.

14. Data Accuracy

The Club will take reasonable steps to keep personal data accurate and up to date.

Parents/carers, swimmers, staff and volunteers must inform the Club promptly of any changes to:

  • Contact details
  • Emergency contacts
  • Medical information
  • Safeguarding or welfare information
  • Consent preferences
  • Swim England membership information

15. Data Retention

The Club will not keep personal data for longer than necessary. The ICO confirms that organisations should not keep personal data for longer than they need it, and that the UK GDPR does not set one fixed time limit for all data types.

The Club will use the following general retention approach:

Type of record Suggested retention
Active membership records Duration of membership
Former member contact records Up to 6 years after leaving, where needed for legal, financial or insurance reasons
Payment and financial records Usually 6 years
Attendance and training records Normally up to 3–6 years, depending on purpose
Medical information While active, then deleted when no longer needed unless linked to an incident
Accident and incident records In line with insurance and safeguarding requirements
Safeguarding records Kept securely in line with Swim England/Wavepower safeguarding guidance
DBS and staff compliance records For as long as required for role, legal, safeguarding or audit purposes
Photography consent records While images are in use, or until consent is withdrawn
Website/portal logs For a limited period required for security and troubleshooting

The Club may retain some records for longer where required for safeguarding, legal claims, insurance, regulatory compliance or legitimate club governance.

16. Individual Rights

Individuals have rights under UK data protection law, including the right to:

  • Be informed about how their data is used
  • Access their personal data
  • Correct inaccurate data
  • Request deletion of data in certain circumstances
  • Restrict processing in certain circumstances
  • Object to processing in certain circumstances
  • Withdraw consent where consent is the lawful basis
  • Request data portability in certain circumstances
  • Complain to the Information Commissioner’s Office

The ICO states that the right to be informed requires organisations to provide clear and concise information about what they do with personal information.

Requests should be sent to:

Data Protection Contact: [Insert email address]

The Club will respond to valid data protection requests within the required legal timescale, usually one calendar month.

17. Data Breaches

A data breach may include:

  • Sending personal data to the wrong person
  • Losing a device or document containing personal data
  • Unauthorised access to club systems
  • Accidental deletion or alteration of data
  • Sharing medical, safeguarding or contact information inappropriately

Any suspected data breach must be reported immediately to the Club Data Protection Contact or Club Chair.

The Club will:

  1. Investigate the breach
  2. Take steps to reduce harm
  3. Record the incident
  4. Inform affected individuals where appropriate
  5. Report to the ICO where legally required
  6. Review procedures to prevent recurrence

18. Staff, Coach and Volunteer Responsibilities

Anyone handling Club personal data must:

  • Use data only for authorised Club purposes
  • Keep data confidential
  • Not share login details
  • Not download or copy data unnecessarily
  • Keep devices secure
  • Report any data breach or suspected breach promptly
  • Follow Club safeguarding and communication policies
  • Delete or return data when no longer needed
  • Use official Club systems where possible

Failure to follow this policy may result in removal of system access, disciplinary action, referral to Swim England, or other appropriate action.

19. Use of Third-Party Systems

The Club may use third-party systems for:

  • Membership administration
  • Payments
  • Website and portal access
  • Email communication
  • WhatsApp communication
  • Competition entries
  • Attendance and assessment records
  • Staff, volunteer and compliance records

The Club will take reasonable steps to ensure third-party systems are appropriate, secure and used only for legitimate Club purposes.

20. Safeguarding and Welfare Information

Safeguarding and welfare information will be handled with particular care.

The Club may share safeguarding information with appropriate persons or organisations, including:

  • Club Welfare Officer
  • Swim England safeguarding teams
  • Local authority safeguarding services
  • Police
  • NSPCC or other safeguarding bodies
  • Relevant statutory agencies

Safeguarding information will only be shared where necessary and proportionate to protect children, young people, adults at risk, staff, volunteers or the wider Club community.

21. Policy Acknowledgement

All relevant staff, coaches, teachers, volunteers, committee members and administrators may be required to confirm that they have read, understood and agree to follow this policy.

Parents, carers and swimmers may also be asked to acknowledge the Club’s privacy notice, media consent, code of conduct and related policies through the Club website or portal.

22. Review of this Policy

This policy will be reviewed at least annually by the Club Committee, or sooner if:

  • Data protection law changes
  • Swim England guidance changes
  • Club systems or processes change
  • A data breach or safeguarding issue identifies a need for review
  • The Club introduces new technology, portals or third-party systems
0
    0
    Your Cart
    Your cart is emptyReturn to Shop
    Continue Shopping