Privacy Policy for Members

  1. Neatishead Community Gym (NCG) is a not-for-profit organisation offering the local community access to local fitness facilities at a sustainable cost, within a club structure in which individuals are members subject to the rules of the NCG.

  2. NCG receives and processes both personal data and sensitive personal data about the members of NCG. This policy is intended to explain and record NCG’s approach to the processing, storage and retention of this data in light of the General Data Protection Regulations.

  3. “Personal Data” means information such as members’ names, addresses, email addresses and telephone numbers. “Sensitive data” means members’ personal health information.

    Purposes for which members’ data is held

  4. Personal data is held for the following purposes:

    a. To enable NCG to communicate with members about any aspect of the operation of the NCG (for example, the payment of membership fees; changes to opening or closing times; changes of instructors; the provision of new equipment; or meetings of the NCG).
    b. To enable NCG to communicate with members about fundraising activities on behalf of NCG (for example, events organised by NCG to raise funds such as a quiz; requests to members for support with specific fundraising efforts; or to inform members about the outcome of fundraising carried out by NCG).
    c. Occasionally, to enable NCG to pass on to members information about other local community groups which it has been asked to communicate and which it judges its members may be interested to hear about (for example, inviting members to represent the NCG at local events such as a church flower festival).

  5. Sensitive personal data is held for the following purposes:
    a. To enable NCG to design and review an exercise programme tailored to the member’s needs and to assess the member’s progress in that programme.
    b. To provide information relevant to the investigation or defence of any claim by a member or former member against NCG or one of the instructors contracted to it.

  6. NCG will NEVER pass on members’ personal or sensitive data to any third party unless:
    a. required to do so by operation of law;
    b. where the communication is reasonably necessary because of the serious illness or injury of a member;
    c. where the member is a GP referral and the member’s GP requires a follow-up report to which the member consents; or
    d. where this is reasonably necessary because of a claim made by a member or former member against NCG or one of the instructors contracted to it.


    Lawful basis for processing members’ personal data

  7. The lawful basis relied on by NCG is legitimate interests. Specifically:
    a. The legitimate interest is of the member who wants to use the facilities offered by the NCG, and of the NCG in wishing to provide those facilities to the member in a way which is safe and appropriate for the member’s individual needs.
    b. NCG needs to process the member’s personal data in order to achieve this legitimate interest; and
    c. This is fairly balanced because the member wishes to use the facilities offered by the NCG but the NCG can only offer those facilities if it is able to process the member’s personal data.


    Special condition for processing members’ sensitive data

  8. The special condition relied on by NCG is explicit consent. This means that all members will be asked to give their consent to the NCG processing their sensitive data.


    Storage and security of members’ personal and sensitive data

  9. Personal data may be stored:
    a. in paper form (either in the possession of one or more members of the NCG committee, or as described below if it is sensitive data); and/or
    b. electronically (on devices in the possession of one or more members of the NCG committee only).

  10. Sensitive data is ONLY stored in paper form. Other than when the gym is open, this is normally kept in a secure container which is locked in a cupboard in a locked storage room with restricted access. This is within the New Victory Hall at Neatishead which is both locked and alarmed when closed.

  11. Instructors are not permitted to store either personal or sensitive data electronically, except that instructors may have access only to an electronic diary shared with the NCG committee.

  12. Exceptionally,
    a. an instructor may temporarily remove paper copies of both personal and sensitive data about individual members only from the New Victory Hall, for the purpose of writing or updating that member’s exercise programme outside of NCG opening hours where this is necessary due to the member’s specific needs. If this is required, the instructor will use the utmost care with the security and privacy of that data and will return it to the approved storage facility at the next opening of the NCG or within 1 week at the latest;
    b. members of the committee may temporarily remove paper copies of both personal and sensitive data about members from the New Victory Hall, for the purpose of updating NCG records and to check that NCG procedures are being complied with. If this is required, the committee member(s) will use the utmost care with the security and privacy of that data and will return it to the approved storage facility at the next opening of the NCG or within 1 week at the latest.


    Storage limits on data and data destruction

  13. The aim of NCG is that personal data will be retained by NCG for up to 6 years (or 6 years after a junior member reaches 18) and sensitive data for 1 year, after:
    a. a member terminates their membership; or
    b. is deemed to have done so (by failing to pay membership fees for a continuous period of 6 months without agreeing in advance a suspension of membership).
    The reason for the 6 year limit is that contractual claims or tax review may involve NCG for up to 6 years. The reason for the 1 year limit is that although personal claims may be made against NCG for up to 3 years, we consider these will be apparent immediately or within 1 year and it is unnecessary to keep sensitive data for longer.

  14. This means that the right to erasure of data does not apply until after the time periods stated above because the processing of the data is required for the (potential) defence of legal claims.

  15. As NCG is a small organisation run by volunteers and largely operating on paper for the benefit of data security, it is not feasible for it to run a programme which destroys a member’s data after exactly the period stated above. Instead, NCG will identify on an annual basis the data of former members which requires destruction in accordance with this policy.

  16. When data is due for destruction, data stored on paper will be burned or shredded; electronic data will be removed from any devices on which it is stored.


    Access to data by members

  17. Any member, including a member aged under 18, can request access to all personal and sensitive data held about them at any time, with reasonable notice.

  18. Where a member is under 18, we will consider a request for access to that member’s data by a parent or guardian, depending on the age of the child and the child’s wishes.


    Other data rights

  19. Members have other rights about their data and details can be read at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

PRIVACY POLICY FOR MEMBERS © 2018, NEATISHEAD COMMUNITY GYMNASIUM V3 13 FEB 2019