Data Protection Policy

The following is the England Hockey’s policy on the Use of Personal Data under the Data Protection Act

Policy on Use of Personal Data

England Hockey (EH) endorses fully the statements and the intent of the Data Protection Act 1998. The Data Protection principles contained in the Act are designed to protect the rights of the individual. England Hockey is registered to hold data under the Data Protection Act.

Definitions

Personal Data means data (manual or computer) which relate to a living individual who can be identified from those data (or from data and other information that is in the possession of, or is likely to come into the possession of, the data controller).

Data means information that is being processed automatically or is recorded with the intention that it should be processed automatically. Any manual data that forms part of an “accessible record” is also included in this definition.
Data Controller means a person who determines the way in which any personal data are to be processed.

Notification

Any time that data about an individual person is held manually or on a computer, the purposes must be:

o In accordance with the principles of the Act
o Available to be seen by the person named
o Notified to the EH CRM and Membership Officer

Processing

Every person must be sure that data held on manual and computer files about individuals is:

o Processed fairly and lawfully
o Accurate and up-to-date
o Used only for defined purposes
o Kept private
o Kept only for as long as it is useful
o Relevant and not excessive

Disclosure
Care should be taken to ensure that the identity of any person requesting information about themselves is confirmed.

Any time that information from a file is given to a third party, the person giving the information must be sure that the third party is properly identified, and authorised and registered to receive the data
Before disclosing personal information to a third party it is essential to check why the data is required and to whom that party intends to disclose it. Only disclose personal information when you have checked that the disclosure is compatible with your disclosure policy and the Data Protection principles.

If you are aware of any data held or disclosures made that break the data protection principles you must report this to your line manager, or to the CRM and Membership Officer, in order that the breach may be addressed.

Policy on Authority to Access

The Computer Misuse Act 1990 identifies the legal framework for definition of and prosecution for unauthorised use or misuse of computers and computer systems. Whilst the Act is particularly intended to deal with unauthorised accesses from outside the organisation (“hackers”), it deals equally with unauthorised accesses from inside.

It is essential that you, as a computer user, understand the extent of your authority to use and access systems. Computers used for more than one purpose and those connected to the corporate data network provide the potential for access to a large number of systems and to a great deal of personal, private and confidential data.

This policy makes it your responsibility to guard and protect your ability to access systems that you have authority to use. Passwords must not be written down or passed on (other than to your line manager). Computers must not be left logged in when unattended, particularly those in open access offices.

Any employee finding that they have access to systems and data which they are not authorised to use must report this to their manager, or a director, in order that the access may be removed. Any employee with authority to access data that is no longer necessary to their work must ask for the access to be removed. Any employee who knows that unauthorised access is taking place must report this to their line manager or to a director in order that the access may be removed.

Penalties under the Act fall into two main categories:

o Unauthorised access – Anyone gaining access, or attempting to gain access to computer data they are not authorised to see, may face a fine of up to £2,000 or six months in prison, or both.
o Ulterior intent or unauthorised modification – Anyone accessing data with an ulterior motive, or modifying data without authorisation, may be sentenced to up to five years in prison or an unlimited fine, or both.

Data Security Policy

o Make sure your password is changed regularly
o Do not leave your computer accessible when unattended (a password-protected screensaver can be a simple solution)
o Make sure you are authorised to use the systems you need
o Remember to copy data regularly for security and back-up.
o Store important files in your folder on our network file server if you have one – these are backed up regularly.
o Ensure important email files are stored in an archive folder.
o Do not store personal information on a laptop, it should be kept on the England Hockey Board’s Server.

Contact us:
For more information, please contact Ian Wilson.