HASSRA Privacy Notice
1.1 The HASSRA Privacy Notice tells you about the types of personal data we may collect about you when you interact with HASSRA, its volunteers, officers and commercial partners. It also tells you about how we store and manage that data and the steps we take to keep it safe. Our aim is to comply with all the requirements of the General Data Protection Regulation 2018 so that:
1.1.1 We only hold data necessary to support your membership of HASSRA.
1.1.2 Your data is stored and processed safely, securely and for legitimate purposes.
1.1.3 You have access to the data we hold about you and can rectify any errors in that data.
1.1.4 You have the right to be “forgotten” (except where there may be legal reasons by which we are compelled to keep that data).
1.2 If you have any questions about anything in this notice, please do get in touch.
2. What is HASSRA?
2.1 HASSRA is the official sports and leisure provider for DWP and DH, their agencies and arms-length bodies. It is a not-for-profit organisation which ploughs all its income into membership benefits and services at local, regional and national levels.
2.2 For the purposes of this notice, ‘we’ and ‘us’ means HASSRA, its volunteers, officers, officials and any other organisations which provide services directly to members on behalf of HASSRA.
3. What is Personal Data
3.1 Personal data is any information relating to an identified or identifiable living person. It includes online identifiers such as IP addresses and cookies capable of being linked to an individual.
4. Legal Bases for Collecting and Keeping Your Data
4.1 The General Data Protection Regulation (GDPR) sets out a range of reasons for which organisations may collect and process your personal data. These include:
4.1.1 Consent: In certain situations we can collect and process your data with your consent, for example, when you tick a box on one of our forms – paper or online - agreeing to receive emails and other communications. We will always tell you which data is needed to perform any particular service.
4.1.2 Contractual Obligations: Sometimes we will need your personal data to meet our contractual obligations in connection with your membership. For example, when you join HASSRA we need certain data in order to collect your subscriptions, and when you claim expenses from HASSRA we need certain data in order to pay them.
4.1.3 Legitimate Interest: Sometimes we will need your data to operate our business effectively on your behalf, but always in ways which do not affect your rights, freedom or interests. For example, we might combine statistics on take-up of HASSRA activities and offers to keep up with what members want from HASSRA; we might also use records of your individual HASSRA activities to personalise offers and communications to make sure you get the most from your membership.
4.1.4 Legal Compliance: Sometimes the law may require us to collect and process your data. For example, we may have to pass on data about people involved in criminal activity affecting HASSRA to the police and other law enforcement agencies.
5. Personal Data We Collect
5.1 There is a range of circumstances in which we collect and keep your personally identifiable information, which may include but is not limited to your name, date of birth, staff number, national insurance number, home and office address, home and work telephone number, work and private email address:
5.1.1 When you join HASSRA.
5.1.2 When you purchase shares in the HASSRA Lottery.
5.1.3 When you register an account with and purchase products and services from the HASSRA on-line shop.
5.1.4 When you enter our competitions and prize draws.
5.1.5 When you sign up for any of our activities and events.
5.1.6 When our suppliers and partners share information with us about any of their products or services you have purchased or used.
5.1.7 When you claim expenses for attendance at a HASSRA event.
5.1.8 When you attend one of our events and have your photograph taken, which may be added to our photo archives and/or used in any of our communications or promotional materials.
5.1.9 When you engage with us and other members on social media.
5.1.10 When you download or install our apps.
5.1.11 When you contact us in writing, by telephone, by email or by any other means to ask a question, comment on what we do, or make a complaint.
5.1.12 When you ask us or any of our volunteers, officers or officials to send you information about any of our products and services.
5.1.13 When you complete any of our surveys or comment on or review our products and services.
5.1.14 When you fill in any of our forms.
6. Why We Collect Your Personal Data and How We Use It
6.1 We only collect personal data about you in order to maintain your membership and ensure you have access to our services and products:
6.1.1 When you join HASSRA we need to maintain a membership record and be able to confirm that your subscriptions are in payment and to allow you to enjoy our activities, events, offers and products. To do this we need a range of unique identifiers to ensure we do not confuse members who share the same name. Our aim is to ensure that every member – and only members - can access all the services and benefits offered by HASSRA. We do this on the basis of your consent and to fulfill contractual commitments to you.
6.1.2 When you join the HASSRA Lottery we need to maintain a record of your lottery share(s) and to confirm you have paid for your share each time the lottery is drawn. To do this we collect the same information as for membership of HASSRA and for the same purposes of identity verification. Our aim is to ensure that lottery prizes are only awarded in respect of paid up shares and to the correct shareholders. We do this on the basis of your consent and to fulfill contractual commitments to you.
6.1.3 When you purchase a product or service from the HASSRA on-line shop we need your personal data to be able to fulfill your orders and comply with our contractual and legal obligations. We keep details of your transactions so that we can keep you informed about offers, events and services that we believe will be of interest to you. We’ll do this on the basis of our legitimate business interest.
6.1.4 We also use your personal data from our own and our partners’ systems about your favourite activities and products to display the most interesting content to you on our websites or apps. We do so on the basis of your consent to receive app notifications and/or for our website to place cookies or similar technology on your device.
6.1.5 When you register to take part in a HASSRA event, such as a Summer Festival or a free prize draw, we need your personal data to administer your application and facilitate your participation, based on your consent given at the time of applying. Similarly, we need your personal information to process payments, such as expenses for attending HASSRA events, and to prevent fraudulent claims and attacks on our systems. We do this on the bases of your consent, to fulfill contractual commitments to you, and a legitimate interest to do so.
6.1.6 When we respond to your queries and complaints we keep your personal data to enable us to respond appropriately and keep a record of that response for future reference. We do this on the bases of a legitimate interest to do so.
6.1.7 When we send you requests to take part in HASSRA surveys or provide feedback we use your personal data to help improve our products and services. These requests will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so because this helps make our products or services more relevant to you.
6.1.8 When we are protecting HASSRA and you from fraud and other illegal activities we use your personal data to maintain, update and safeguard your account. We also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest.
6.1.9 When we need to send you communications required by law or which are necessary to inform you about changes to the services we provide to you, such as updates to this Privacy Notice. These service messages will not include any promotional content and do not require prior consent when sent by email or text message.
6.1.10 When we need to comply with any contractual or legal obligations to share data for the purposes of law enforcement. If we discover any criminal activity or alleged criminal activity in any of our systems, we will use this data for the purposes of preventing or detecting unlawful acts. We aim to protect our members, officers, officials and business partners from criminal activities.
6.2. If you want to change how we use your data, you’ll find details in the “My Rights” section below. But remember, if you decide not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some or all of the services your HASSRA membership offers.
7. Protecting Your Personal Data
7.1 We are committed to keeping your personal data safe and secure, and we treat your data with the greatest care and take all appropriate steps to protect it:
7.1.1 We secure access to all transactional areas of our websites and apps using ‘https’ technology.
7.1.2 Access to your personal data is password-protected, and sensitive data (such as payment card information) is secured by SSL encryption.
7.1.3 We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
8. Keeping Your Personal Data
8.1 We will only keep your data for so long as it is needed for the purpose for which it was collected. At the end of that time your data will either be deleted or anonymised. We will only anonymise it so that it can be used for statistical purposes or for developing our services to members. In all such cases it will only be used in a non-identifiable way.
9. Sharing Your Personal Data
9.1 We may from time to time provide aggregate statistics about our members’ activities, purchases and related information to reputable third-parties, but these statistics will never include personally identifiable information.
9.2 We never provide your personal data to third parties for their own purposes but we do sometimes share your personal data with trusted third parties for the purposes of providing HASSRA activities, services and products to you. Where we do share data it is subject to the following conditions:
9.2.1 Only information required to deliver a specific HASSRA service or product may be provided.
9.2.2 Your data may only be used for the exact purposes specified in our service agreement or contract with them.
9.2.3 Any of your data held by them will be deleted or anonymised when the purpose for which it was collected has passed or when the service agreement or contract comes to an end.
9.3 Please note that we may provide aggregate statistics about our customers, sales, traffic patterns, and related site information to reputable third-parties, but these statistics will not include personally identifying information.
10. Where Your Personal Data Is Processed
10.1 Your personal data will only be kept and processed inside the European Economic Area (EEA). The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
11. Your Rights
11.1 You have the right to:
11.1.1 Access the personal data we hold about you.
11.1.2 Have your personal data corrected when incorrect, out of date or incomplete.
11.1.3 Withdraw your consent at any time to your data being held.
11.1.4 Insist that we stop using your personal data for direct marketing through any or all channels.
11.1.5 Raise an objection where we have no legitimate interest in keeping your data once the purpose for which it was collected has come to an end.
11.2 To ask for your information, please contact the Data Compliance Manager.
11.3 To ask for your information to be amended, please contact the Data Compliance Manager.
11.4 Where you ask us to stop processing your personal data we will usually do so unless we believe we have a legitimate overriding reason to continue to do so.
11.5 In all cases if we decide not to action your request we will explain to you the reasons for our refusal.
11.6 Any request made under this privacy notice must be supported by proof of your identity to help us protect the confidentiality of your information. If you have asked someone else to submit a request for you, they must prove they have your permission to act on your behalf.
11.7 Under the GDPR you have an absolute right to know about the personal data we hold on you and how we process it. We must execute any requests to access data without undue delay and at the latest within one month of receipt of the request. Where requests to access data are clearly unfounded or excessive, HASSRA may levy a fee for providing access.
12. Contacting the Regulator
12.1 If you feel we have contravened any of your rights regarding your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1113 or go online to www.ico.org.uk/concerns.
10th May 2018