
Club Legal Essentials: How to avoid the red card

Club Legal Essentials: How to avoid the red card. Saturday 2 June 2018 - Sussex RFU Presentation by Bruce Hayter, Dan Sherlock and Amy White. GDPR and Personal Responsibility Dan Sherlock. A new data protection landscape.


Presentation Transcript


  1. Club Legal Essentials: How to avoid the red card Saturday 2 June 2018 - Sussex RFU Presentation by Bruce Hayter, Dan Sherlock and Amy White

  2. GDPR and Personal Responsibility Dan Sherlock

  3. A new data protection landscape • The General Data Protection Regulation (GDPR) will be directly applicable in all EU Member States without the need for implementing national legislation. It applies to all organisations in the EU and EEA and all organisations processing personal data of EEA citizens. • GDPR applied from 25 May 2018. dansherlock@rixandkay.co.uk/ www.linkedin.com/in/jdansherlock

  4. Things you should be doing now • Put someone in charge who should familiarise themselves with the legislation and prepare your business to comply as a controller or processor of personal data. • Look at the RFU Game Management System for IT help. • The Information Commissioner’s Office (ICO) has recommended 12 Steps to take now. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr dansherlock@rixandkay.co.uk/ www.linkedin.com/in/jdansherlock

  5. Definitions: What is Personal Data? Any information relating to a person (data subject) who can be identified, directly or indirectly, in particular by reference to a name, an ID number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

  6. What is Sensitive Personal Data? Any personal data that includes: • Racial/ethnic origin • Health, sex life or sexual orientation • All that relates to individuals under 18 • Genetic or biometric data • Political opinions • Religious beliefs • Trade Union membership Specific consent is required or a lawful justification must be shown to retain this information.

  7. Are you a Controller or Processor of data? Know which one you are as your obligations are different. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. What is processing? Pretty much anything done with or to personal data.

  8. Data Controller / Data Processor • Know which one you are for each data subject. Controllers • The owner of the data. They determine the content, purpose and means of processing all personal data. • GDPR makes them primarily responsible for compliance. • Must maintain and demonstrate an audit trail that shows the lawful purpose for retaining data and the processing of it. Processors • Must ensure controllers can lawfully transfer personal data to the processor, via the diligence required under a Data Process Agreement. • Must maintain records of lawful processing activities. • Must ensure the permanent erasure of data at the end of the contract.

  9. Registration with the Information Commissioner’s Office All data controllers who process personal information will need to register with the ICO and pay an annual fee to process data.

  10. The penalties from 25 May 2018 Unincorporated clubs can lead to personal liability. Fines will adopt a 2-tier approach: • Lower tier fine: 10m Euros or 2% of turnover – whichever is the greater sum. Applicable for design and default failures, failing to manage security breaches, failure to present a data protection strategy. • Higher tier fine: 20m Euros or 4% of turnover – whichever is the greater sum. Applicable for breaches of fundamental principles, infringing the rights of data subjects and transfer outside of the EEA (not the EU). • ICO will publish a list of those found to be in breach.

  11. Principles of Data Protection Article 5 of the GDPR sets out 6 core principles that a controller must be able to demonstrate are being followed: 1. Processed lawfully, fairly and transparently. 2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 3. Data is adequate, relevant and limited to what is necessary in relation to the purpose or purposes for which it is processed.

  12. Principles of Data Protection Article 5 of the GDPR sets out 6 core principles that a controller must be able to demonstrate are being followed: 4. Accurate and kept up to date with every reasonable step taken to erase or rectify inaccurate data without delay. 5. Kept in a form which permits identification of the subject only for as long as is necessary to fulfil the purposes for which it was collected. 6. Processed in a manner which ensures security from unauthorised or unlawful processing, accidental loss, damage or erasure.

  13. Lawful processing There are 6 available lawful bases for processing under Article 6. Always know which applies and when they might change. (1) Consent (2) Contract (3) Legal obligation (4) Vital interests (5) Public task (6) Legitimate interests

  14. Lawful processing The data subject should receive a privacy notice setting out the lawful basis and the purposes for processing the data. If anything changes, you must renew the notice. If the lawful basis was consent, you cannot continue to process the data unless that consent is renewed from 25 May, and again whenever processing exceeds the scope of the consent obtained. Sensitive personal data, e.g. children and health, as well as processing of criminal convictions (otherwise called special category data), requires both: a lawful purpose; and an additional condition.

  15. Lawful processing Always ask yourself “is processing necessary?” If not, it cannot qualify within any of the lawful bases. Get it right from the start, as a post-dated lawful basis will not legitimise a previous breach.

  16. Lawful basis to process – (1) Consent • You must show you gave real choice and control; • It must be explicit to the purpose for which the data is processed; • It must be a positive opt-in step that is recorded and capable of being shown if audited; • Make it a distinct step for the subject, separate from other terms of business; • Remove all default provisions and pre-ticked boxes; • Name all third party controllers who will be relying on this consent; • Ensure it is reviewed regularly; • If difficult to obtain, or not clearly given freely (e.g. employees), consider better alternatives.

  17. Lawful basis to process – (1) Consent Children They are always going to fall within special category data and so enhanced obligations to have a separate condition will apply. A default provision should be to obtain consent from the parent or guardian. If seeking consent from children: Article 8 provides that a digital age of consent (in the context of social media platforms) is generally to allow consent directly at 16. Member states have scope to lower this to 13 in the future. Always consider if the child is capable of truly understanding the implications of consent. Consider if age verification is appropriate and will work.

  18. Lawful basis to process – (2) Contract This will cover: • Fulfilling contractual obligations where the subject is a party to that contract; and • Where the subject has asked you to take steps before entering into a contract (e.g. providing a quote). Processing must be necessary for the purpose it is used for. Document the basis for necessity and be able to justify it.

  19. Lawful basis to process – (6) Legitimate interests This is flexible but requires caution as it is the option most open to abuse. Typically for non-intrusive privacy impact situations that you can demonstrate the subject would likely expect you to be engaged in. Always consider if the processing is necessary to achieve an identified legitimate interest. The assessment must show a balance of the interests of the subject with the use. Include the details in your privacy information made available to subjects. If it involves children, be able to show extra care being taken.

  20. Lawful basis to process – Special category data This applies for sensitive personal data (including health and children). One of the 6 lawful bases must be applicable. And one Article 9(2) separate condition must also apply: • Explicit consent given for all specified personal data and all specified purposes of processing; • To fulfil necessary obligations and rights of the controller in meeting employment, security and protection law; • Necessary to protect the vital interests of the subject or of another who is incapable of giving consent; • Necessary and with appropriate safeguards by any association or not for profit body (excluding sports clubs) relating solely to members, former members and persons who have regular contact; • In relation to data made public by the subject;

  21. Lawful basis to process – Special category data This applies for sensitive personal data. One of the 6 lawful bases must be applicable. And one Article 9(2) separate condition must also apply: (f) Necessary to establish or defend legal claims; (g) Necessary for a substantial public interest that is proportionate to the aim pursued; (h) Necessary for medical purposes, fitness for employment and provision of health and social care, or under a contract with a health professional; (i) Necessary for the public interest in public health standards; (j) Necessary for the public interest of scientific or historical research or statistics.

  22. Individual rights The main rights for individuals under the GDPR will be: • Subject access to know what you hold; • To have inaccuracies corrected; • To have information erased; • To prevent direct marketing; • To prevent automated decision-making and profiling, and • Data portability (a subject can obtain and reuse their data for their own purposes).

  23. Data breaches • Make sure you have the right procedures in place to detect, investigate, report and manage a personal data breach. • Be aware that a failure to report a breach when required to do so within 72 hours of first detection could result in a fine in itself, in addition to a fine for the breach.

  24. Getting your club into shape Key steps • Understand your obligations when controlling and processing personal data • Know your role as an employer • Manage subject access requests • Know when you can store, access, modify, transfer or should delete personal data • Pay the ICO annual fee • Data breach reporting: get it right from the moment it happens, with a clear breach management plan that is also well rehearsed • Effective IT solutions – firewalls and streamlined database reports • Be able to show a systematic audit trail for personal data under your control

  25. Getting your club into shape What your business needs: the basics • Data Audit – what do you hold, why have you got it and where is it? • Privacy Policies for • Staff, Candidates, members & applications for membership • Those outside your organisation not in a contract with you who you gather personal data from • Privacy Notices for all data subjects both current and in the future • Managed opt-in communications with your marketing database and thereafter an ongoing and clear opt-out option • Data Process Agreements between controllers and processors • Enhanced terms for contracts between controllers and data subjects (they must include new mandatory provisions) • Privacy Impact Assessments are required for new data processing where a serious risk of harm might occur

  26. Summary - You are accountable for Personal Data • Know the 6 Principles of data protection. • Is it necessary to process the data, or can the objective be met another way? • Do you hold data legitimately? • Ensure one of the lawful bases applies; does it also need an Article 9 condition?

  27. Summary - You are accountable for Personal Data • Record where data came from, why you acquired it and why you continue to hold it; • Identify & justify all personnel inside your business who can access it; • Consider what could be pseudonymised to take it outside of GDPR; • Identify & justify all you share it with & what they do with it – you must be accountable for sharing data via Data Process Agreements. • Establish a framework for audit with effective policies and procedures to show how you comply with the data protection principles. Make sure staff know and follow them.

  28. Summary - You are accountable for Personal Data • Review your current contracts, consent communication and privacy notices. The subject must have made an informed choice and retain control over what has been or will be collected and processed. • Contact your database and ask for an opt-in for consent to keep their data. • Give an ongoing opt-out option in future communications. Show that consent remains valid. • Describe in plain language what is collected and how it is used.

  29. Personal Liability for Club Members • Community Amateur Sports Club (CASC) status offers tax advantages but does not offer limited liability. • Unincorporated Associations will involve members having duties and liabilities to each other. • Members have no legal protection when dealing with the world at large. • WARNING: Members have no legal protection when dealing with the world at large and will be jointly and severally liable for club debts. There is no automatic right for the committee of non-charitable clubs to an indemnity.

  30. Personal Liability for Club Members • Without an express power in the rules to borrow money, an unincorporated association cannot take out a mortgage, bank loan or loan from a third party or one of the members. Even then, members are jointly liable where there is default. • Property must be held by members, usually in trust. This can be expensive to manage, e.g. amending where trustees need to be replaced – or worse, if trustees have already left or died and no changes were made. • Trusts can fail for uncertainty. • Asset management is reliant on personal responsibility and not corporate duties and checks.

  31. Personal Liability and Incorporation • Incorporation offers protection by giving limited liability. • Directors and senior officers can be insured against many personal claims including negligence, default, breach of duty or breach of trust. • Outside businesses will have greater certainty as to who they contract with.

  32. Personal Liability for Club Members • It’s not all bad news for the unincorporated! Hatchett v Attorney General 2008 “The last surviving member is entitled to all its assets”

  33. Employment Essentials Amy White

  34. Employment Status • You might not, at first glance, realise you have any employees, but take a good look. • Three categories of employment status: • employee; • worker; and • self-employed. • King v The Sash Window Workshop Ltd

  35. Volunteers Definition: ‘A person engaged in an activity which involves spending time, unpaid (except for travel and other out of pocket expenses), doing something which aims to benefit some third party other than or in addition to a close relative’ • Are your volunteers genuine? • Even if they are, there are still rights to consider.

  36. Employer Responsibilities • Employers must ensure their employees (and in certain cases their workers) receive basic employment rights such as: • Written Statement of Terms • National Minimum Wage • Holiday & Rest Breaks • Family-Friendly Rights • Statutory Sick Pay • Pension

  37. Compliance with Legislation • Employers must comply with relevant legislation and the rules of regulatory and/or government bodies such as: • deducting income tax and National Insurance; • carrying out DBS checks; and • confirming the right to work in the UK.

  38. Employer Duties • Employers also owe a number of duties to their employees. • Some duties are implied: • duty to pay wages; • duty to provide opportunity for redress of a grievance; and • duty to give reasonable notice.

  39. Duty of Care • One of the most significant duties an employer owes its employees is the duty of care. • The duty to take reasonable care of one’s employees arises from legislation and common law.

  40. Legislation • Health & Safety at Work etc Act 1974 • Management of Health and Safety at Work Regulations 1999 HSE can impose sanctions (including fines, imprisonment or both in serious cases) as a result of breaches of the legislation.

  41. Common Law • Broadly speaking, an employer has a common law duty to: • take reasonable care of an employee’s health and safety; • provide a safe workplace; • provide equipment in good working order; • provide safe systems of work; • ensure employees are properly trained; and • ensure colleagues are competent.

  42. Duty of Care in Sport Health and Safety at Work etc Act 1974: Applies to club organisers (employers and the self-employed) and requires them to protect employees and also other people such as volunteer coaches, club members, visiting teams and spectators. Common Law: The courts recognise the social value of amateur sport but are reluctant to distinguish between amateur and professional games in respect of the common law duty of care. • Vowles v Evans and Welsh RFU (2003)

  43. Negligence • Injury does not automatically equate to compensation. • To succeed in a claim of negligence, an individual must be able to prove three things: • they were owed a duty of care; • the duty of care was breached; and • they suffered foreseeable loss.

  44. Negligence & Sport DUTY: Condon v Basi (1985) Those who take part in competitive sport owe a duty of care to other participants. BREACH: Caldwell v Maguire (2001) Sports claims have to be judged against the fast moving nature of competitive sport. More than a momentary lapse is needed to establish a breach of duty.

  45. Coaches Academics have suggested that the liability of coaches will be the next growth area in the context of sports law and negligence claims. • Anderson v Lyotier (t/a Snowbizz) (2008) • Standard of Care: reasonable skill and care. • Also specifically addressed the situation where a coach has multiple pupils at once.
