The Academy of Historical Arts takes data protection seriously, as befits a professional organisation. We urge all of our affiliated clubs to think seriously about data privacy for members and participants.
- Website cookies
- Who is responsible for data protection?
- Your data protection rights
- Lawful basis for processing personal information
- Storage methods
- Membership details
- Recording and tracking attendance
- Records of payments
- Records of injuries and accidents
- Collecting any other data
- Access to your own data
- Photography and digital media
- Sharing your information
Website cookies
Affiliated clubs with a website should similarly comply with data privacy legislation for their websites.
Who is responsible for data protection?
In the Academy of Historical Arts, the Board of Directors is responsible for data protection.
For affiliated clubs, one person or a group of people should be specified to be responsible for data protection in the club.
Your data protection rights
Under data protection legislation, we must make you aware of your rights. The rights available to you depend on our reason for processing your information.
Your right of access: you have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification: you have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing: you have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing: you have the right to object to processing if we are able to process your information because it is in our legitimate interests.
Your right to data portability: this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
Please contact us if you wish to make a request.
Lawful basis for processing personal information
We have identified our lawful basis for processing personal information, as per the GDPR:
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for the purposes of the legitimate interests pursued by our organisation except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Storage methods
The use of secure cloud servers is our solution of choice for storing membership data. This choice means that the data is easily available to the people who may need to use it, even while out and about (such as club instructors, who may need to update things at the club or during an event), yet it can still be kept safely and access can be restricted only to those with viewing/editing permissions.
Of course, access to any given file or folder in the secure cloud server should be controlled carefully. Within the Academy of Historical Arts, only the staff who may be involved in using or processing that data will be given access to it, and access should be revoked if the staff member leaves the organisation or moves to a different role within the organisation. Club leaders and administrators have a duty to ensure that access to club files, folders, and data is kept up to date and that access is not granted to people who will not be processing the data for club purposes.
Although personal information may sometimes be collected on paper forms, the information should be digitised and placed into an appropriate document in the secure cloud server, and then the paper copy should be destroyed securely (i.e. shredding, not just putting it in the recycling bin).
The services we use for cloud servers and for website hosting are all signed up to the Privacy Shield framework.
Membership details
Our organisation keeps certain details about members, so that we can maintain a database of current members, and so that we can arrange appropriate insurance cover for each member.
Details stored about members
The details that we store about members are:
- name (so we know who you are)
- email address (so we can contact you about your membership)
- date of birth (so we know if you are an adult or if the child protection policy must apply to you)
- any relevant medical information (a requirement of the insurance company before they will provide an insurance policy for you)
- the date you signed up for membership (so that we can renew your membership at the correct time)
- the club in which you are a member (so that we can deal with the correct club leader about your membership)
- any position of responsibility you hold in the club (so that we can talk to the right person in each club about any given matter)
Additional details about instructors
Additionally, for instructors with an instructor insurance policy, we need to collect additional details to pass to the insurance company:
- residential address (a requirement of the insurance company)
- evidence of a first aid certificate (a requirement of the insurance company)
- any evidence of relevant martial arts qualifications (a requirement of the insurance company)
Additional details for activities and events
For certain activities, sometimes additional details may be required. For example, when running an event where dinner is provided, we may request and store information about dietary requirements; for other activities, we may request and store information about emergency contact details. These additional details will not be stored in our central database, and will be kept only for as long as is required for us to organise and run the activity in question.
Recording and tracking attendance
Anyone organising and running an activity of any kind should keep note of attendance and participation. This only needs to include the name of each participant and the date they attended the activity, although you might expand it to include other useful details.
Access to this attendance information should be controlled so that only club administrators have access. Affiliated clubs do not need to share this with the Academy of Historical Arts, and in fact we would prefer that you don’t, since we don’t need to know!
Records of payments
Commercial organisations have a legal obligation to maintain accurate accounts of all transactions and all monies in and out. HMRC may not make a point of chasing up amateur sports clubs, but it is nonetheless good practice to keep financial accounts.
For companies, records of financial accounts (and each and every transaction) need to be kept for at least 6 years after your last financial year.
Annual accounting submissions may need to be shared with organisations such as HMRC or Companies House, where they may become accessible by the public. However, these submissions typically do not show each individual transaction, merely a summary. The detailed notes may need to be shared with accountants, auditors, or with HMRC if requested by the government.
Records of injuries and accidents
Our organisation may keep records of injuries and accidents in order to fulfil our obligations under health and safety legislation. We will keep records when such incidents occur at activities run by the Academy of Historical Arts. We will not keep any records of such incidents when they occur at activities run by affiliated clubs.
Affiliated clubs should keep records of any such incidents that occur at their own activities.
Collecting any other data
Any data or personal information that is collected should only be collected for a purpose that is in line with the organisation’s mission and activities. If the organisation does not need that information in order to deliver the goods or services required by the transaction, then that information should not be collected in the first place.
The purpose of collecting data is to allow for the safe and effective delivery of the goods or services required by a given transaction, and to allow the Academy of Historical Arts and our affiliated clubs to meet any and all legal obligations.
Data should only be kept for as long as is necessary, and should be deleted/destroyed securely when the data is no longer required.
Access to your own data
Anyone should be able to ask (politely) to see what of their own information is stored by the Academy of Historical Arts, and to ask that edits be made if the information is wrong or out of date. To do this, please send us an email through the contact form, and we’ll get back in touch with you as soon as is feasible.
You may also make this request in a physical letter sent to our registered office, or verbally to one of our administrators. In the latter case, we will ask you to put your request in writing to expedite the process and so that we have your contact details in order to get back in touch with the data that you wish to see.
Similarly, affiliated clubs must allow individuals to request to see what of their own information is stored by the club, and to allow edits if the information is wrong or out of date. To request this of your club, please contact your club leader directly; there’s no point in asking the Academy of Historical Arts about this, because we probably do not store the same details as your club.
When granting access to one’s own data, it is good practice to show that data in isolation. In other words, do not show the entire membership database to someone who wants to see their own entry; just show that one entry. This can be done quickly and easily by copying and pasting that entry into a new file on the secure cloud server and sharing the file directly with the individual in question, and then deleting it afterwards so that there is no personal data lying around in random files.
Photography and digital media
Please see the separate AHA Digital Media Policy for details about data protection with regard to images and videos.
Sharing your information
We will not share your information with any third party unrelated to the transaction of goods or service that you make with us, unless demanded to do so by a British court of law, or unless you give us your permission to share your personal information with another person or company for a specific purpose.
We expect that affiliated clubs will abide by a similar rule.