This guidance was provided by McClure Naismith LLP, a commercial law firm based in Scotland, acting on behalf of sportscotland to provide information for the use of sports organisations and associations.
The guidance concerns Data Protection Compliance and whether clubs may benefit from the "not-for-profit” exemption from notification under the Data Protection Act 1998. The following guidance refers to personal data which is processed automatically (i.e. electronically). Clubs which process personal data on a manual basis shoud refer to the guidance provided below under the heading Manual Data Processing.
Please address any questions you may have concerning Data Protection to Mountaineering Scotland.
We have been asked to consider whether individual member clubs of SGBs benefit from the "not-for-profit” exemption from notification under the Data Protection Act 1998. This is of not inconsiderable practical significance as the requirement to notify for individual member clubs of SGBs would be administratively onerous, time consuming as well as expensive. We understand that at the present time the majority, if not all, SGB member clubs have not made data protection notifications. Although the notification fee is currently £35 (VAT nil) we recognise this would be an unwelcome additional cost for many clubs and associations.
The Data Protection Act 1998 exempts certain data controllers from having to notify their processing of personal information to the Information Commissioner’s Office. There is a specific exemption from notification for data controllers that are a body or association not established or conducted for profit contained in The Data Protection (Notification and Notification Fees) Regulations 2000 as amended. The "not-for-profit” exemption is intended to be used by the likes of small clubs and other voluntary organisations. We have considered this specific exemption on the assumption that all member clubs are not established or conducted for profit. In stating this member clubs, as not-for-profit organisations, are allowed to make a profit for their own purposes but the profit should not be used to enrich others, i.e. any money raised should be used for their own activities.
The exemption from notification is narrow and for member clubs to take advantage of it they must meet each of the following requirements:-
(i) Personal data must only be processed (i) for the purposes of establishing or maintaining membership of or support for the club or (ii) providing or administering activities for individuals who are either members of the club or have regular contact with it (the "exempt purposes”).
(ii) The individuals about whom personal information is held are either past, existing or prospective members of the club or have regular contact with the club in connection with the exempt purposes or their personal information is necessary for the exempt purposes.
(iii) The personal information used by clubs consists of the name, address and other identifiers or information as to (i) eligibility for membership of the body; (ii) other matters the processing of which is necessary for the exempt purposes (i.e. places limits on the information which they can hold).
(iv) The clubs do not disclose the personal information to any third party except with the consent of the individual concerned or where it is necessary for the exempt purposes. Where clubs do not make it clear to their members that by being a member of the club the individual will also become a member of their SGB, their permission to disclose their information to the SGB should be sought.
The mere fact that individual clubs disclose information about their members to their SGB does not prevent them from being exempt from notification. Instead, individual clubs must be satisfied that when disclosing information about their members to others, it is necessary for establishing or maintaining membership of or support for the body (as it is for membership to the SGB) or for providing or administering activities for individuals who are either members of the body or have regular contact with it. Clubs should ensure that they have obtained the consent of the individual concerned, wherever possible, and ensure that the individual knows that their information will be passed onto identified classes of bodies when completing any forms, prior to disclosing information to such other bodies.
(v) The personal information must not be kept after the relationship ends unless (and for so long as) it is necessary to do so for the exempt purpose.
Clubs which are in the habit of holding on to information indefinitely once someone has ceased to be a member should note the following: If clubs wish to take advantage of the exemption from notification, then we recommend that they review the personal information which they hold and delete that which is no longer necessary for establishing or maintaining membership of or support for the club or providing or administering activities for individuals who are either members of the club or have regular contact with it.
Where a SGB has numerous affiliated but independent clubs across the country, and those clubs and associations exist to undertake limited activities for their local membership and pass on members details to the SGB for membership administration they may be able to rely on the exemption from notification.
From the foregoing, it can be noted that where clubs decide to rely on this exemption, they are, as a result, limited in terms of:-
(i) the purposes for which the personal information can be used;
(ii) the people about whom they can hold personal information;
(iii) the type of information they can hold about people;
(iv) the disclosures of personal information which they can make; and
(v) how long information may be held.
We cannot, of course, provide a definitive view on this matter. This is because we cannot comment on all the purposes for which individual clubs may hold person information, the people to whom such information relates, the type of information held about them, to whom their information is disclosed and for how long their information is retained. To provide a definitive view would require an investigation into the personal data handling activities of each individual club. However, what we can do is advise that if individual clubs meet the requirements of the exemption then they will not need to notify to the Information Commissioner’s Office.
Based on our discussions and the information provided to us, we consider that individual clubs ought to be capable of falling within the terms of this exemption. However, we are of the view that to do so they may need to review their record collection and data retention practices and ensure that inappropriate personal information is not collected and used and that personal information is not held any longer than is necessary for the exempt purposes.
In practical terms exemption means that clubs are automatically classed as being exempt from notification – they do not have to register as being exempt.
It is important to note, however, that an exemption from notification would not remove the need for individual member clubs to comply with the other requirements of the Data Protection Act 1998. They would also be required to respond within 21 days to a written request to provide the information that would have been included in the public register maintained by the Information Commissioner’s office had they notified. Needless to say, individual clubs should regularly review and assess whether the exemption from notification remains applicable. This is because it is a criminal offence for an organisation not to have notified its data processing activities to the information Commissioner’s Office where not exempt from doing so. Even where exempt from notification, individual clubs can decide to make a voluntary notification should they so wish.
McClure Naismith LLP
Generally, under the data protection rules, processing of personal data without notification is lawful where it consists of information which:-
(i) is recorded as part of a relevant filing system; or
(ii) forms part of an accessible record
However, clubs which both manually and automatically processes personal data will need to notify in respect of the automatically processed data.
Although clubs which process information in the manner noted above will not be required to notify the Information Commissioner, Section 24 of the Data Protection Act 1998 imposes a duty on data controllers who are exempt from the need to notify (and choose not to register with the Information Commissioner on a voluntary basis) that they must, within 21 days of receiving a written request from any person, make the relevant particulars (listed in section 16 (1)) available in writing to that person free of charge. Thus lack of notification, and hence lack of registration, does not mean that a data controller will not be required to make appropriate disclosure to a data subject.