Data Protection Law
The EU General Data Protection Regulation 2016/679 (GDPR) came into force on the 25 May 2018, and it is supplemented by the Data Protection Act 2018. We refer to these as “data protection law”.
Data protection law regulates the processing of “personal data” relating to individuals by organisations (known as “data controllers”).
On this page, and the pages which it links to, we have used some words and phrases, and these are explained below.
- “Personal data” means any information which relates to a living, identifiable person. It can include names, addresses, telephone numbers, email addresses etc but it is wider than that and includes any other information relating to that person or a combination of information which, if put together, means that the person can be identified.
- “Special category data” means personal data about a person’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.
- “Processing” covers all activities relating to the use of personal data by an organisation, from its collection through to its storage and disposal and everything in between.
- “Data subject” means the person whose personal data is being processed.
- “Data controller” means the organisation which is responsible for processing data and ensuring that personal data is processed in accordance with data protection law.
University of Birmingham Sport & Fitness as data controller
The University of Birmingham Sport & Fitness (“UoB Sport & Fitness”) is the data controller for the personal data that we process in relation to you.
Occasionally, the University may be a joint data controller with other organisations, or we may be processing data about you on behalf of another organisation, but when this is the case, we will make you aware of this when the information is collected.
Personal data must be processed in accordance with specific principles set out in Data Protection Law. These include the principle that personal data should be processed ‘lawfully, fairly and in a transparent manner’. In order to comply with this principle, UoB Sport & Fitness will advise you on how it will process your information at the time we collect it. This information is normally set out in a “privacy notice” which we publish on our website.
What personal data will be processed
UoB Sport & Fitness processes a range of information about you. This will be information which you provide to us and information generated by us as a result of your membership/contact and will include, as appropriate:
- your name, title, gender and date of birth;
- postal address, email address and phone number;
- photographs including images taken at events or provided by you;
- family and spouse/partner details, relationships to other members;
- emergency contact details (when we ask you to provide these, we assume you have permission to provide these details to us);
- IP address (to authenticate online enquiries);
- Bank details;
- your interests and activities;
- if you are a student or alumni of the University, your programme and (if relevant) year of graduation;
- ticket purchase and event registration / attendance;
- contact preferences;
- information about the activities of our volunteers, including the number of hours they contribute
- carer details and nature of support required for activities undertaken and services used, your fitness levels, coaching, fitness or other relevant qualifications
In addition, the University may need to process some data about you that is classed as ‘special category or sensitive personal data. This includes data about your racial or ethnic origin, sexual orientation, religious beliefs or health/disability data. In particular, this might include:
- Dietary requirements;
- Health or disability information which is relevant to the activities you undertaken and services you use. In the case of outbreak of a pandemic, such as Covid-19, or other emergency, this may include a positive test result;
- Personal Evacuation Plan and Group Emergency Evacuation Plan details
Criminal offence data: The University may request, hold and process data about criminal offences and criminal convictions if you have applied to be a volunteer coach, instructor or club officer, or if it is appropriate, given the circumstances. We will use information about criminal convictions and offences in the following ways:
- To consider your suitability for appointment to the position you have applied for or continuing in that position;
- To comply with regulatory requirements to decide your suitability for the position you have applied for or have been appointed to;
- Consideration of safeguarding issues.
We will only use information relating to criminal convictions where the law allows us to do so and in line with our Data Protection Policy. Personal data relating to criminal convictions will be retained confidentially and securely and access to that data will be strictly controlled.
What is the purpose of the processing?
UoB Sport & Fitness will process your personal data for a range of purposes. These include the following:
- To manage your membership, including payment of any membership or subscription fees;
- To carry out our obligations arising from our relationship with you;
- To send you information about the facilities and services which relate to your membership;
- To manage any queries or concerns you may have;
- To check if we have accurate contact details for you;
- To send you communications which you have requested;
- To seek your views about our facilities and services;
- To process an application made by you, for example, for a volunteering opportunity;
- To process your entry into a competition we are organising;
- To send you promotional, marketing or fundraising information by post or electronic means. We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with communications and information which is relevant to you, which can include:
- Informing you of other related products, services or events, such as exhibitions, events, or retail offers;
- Information about campaigns we are running;
- Information about sponsorship opportunities;
- News, updates and marketing e-newsletters;
- Information on our fundraising operations, including occasional targeted requests to consider giving financial support, or to ask you to consider supporting us in other ways;
- Other relevant communications based upon your relationship with us.
- To provide referee details for volunteers, when necessary.
- To enable us to contact your emergency contact if an emergency arises;
- To process payments, purchases and orders;
- To detect and reduce fraud and credit risk;
- To compile aggregated, anonymised statistics and reports for statutory or regulatory reporting purposes;
- To manage, review, plan and develop the University’s business;
- To fulfil and monitor our legal responsibilities, which includes reporting positive Covid-19 cases to Public Health England or any successor body.
We may make use of additional information about you when it is available from external sources to help us do this effectively. We may also use your personal information.
You can opt out of any / all of our communications at any point, other than those relating to your membership, by contacting us. Each time we communicate with you, we will advise you how you can do this.
Electronic tools may be used to monitor the effectiveness of our communications with you, including email tracking, which records when an e-newsletter from us is opened and/or how many links are clicked within the message.
What is the legal basis of the processing?
We process your data for the above purposes either with your consent or because:
- So we can perform our obligations under our agreement with you relating to your membership;
- It is necessary to comply with legal obligations to which the University is subject, for example for compliance with money laundering rules, Gift Aid requirements, equalities law, immigration requirements, money laundering requirements, terrorism law, safeguarding requirements, health and safety law and public safety legislation;
- It is necessary to do so in your (or another person’s) vital interests (ie in an emergency);
- It is necessary for one of the tasks which the University carries out in the public interest;
- It is necessary in our legitimate interests in fundraising, to maintain a strong relationship with our supporters or to manage and develop the University’s business.
We usually process your special category data with your consent, unless:
- It is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (but not for the purpose of making decisions about you);
- Very occasionally, if it is necessary to protect your vital interests of the data subject (or those of another person) when you (or that person) cannot give consent;
- It is necessary for the establishment, exercise or defence of legal claims.
Who will your personal data be shared with?
Within the University, your data is shared with those University staff and departments who need access for the purpose of delivering the services and facilities. Your personal data may be disclosed to internal and external auditors when it is necessary.
Membership and supporter information is shared with the University’s Development and Alumni Relations team (DARO). You can find out how DARO uses personal data in the Alumni & Supporters Privacy Notice.
Your personal data is shared as is necessary with several external organisations which assist us in providing our services. It is also sometimes necessary for us to share personal data with third parties, for example:
- Event venue providers or organisers – names and accessibility and assistance requirements and related information;
- The Charity Commission – for compliance with charity law;
- The Office for Students – as our principal regulator for charity law purposes;
- Public Health England (or relevant successor body) – to comply with our legislative requirements on Covid-19 reporting and comply with the health and safety duties of the University;
- HMRC – as required for Gift Aid purposes; and
- Occasionally and when necessary internal and external auditors or regulators.
These organisations act on our behalf in accordance with our instructions and do not process your data for any purpose over and above what we have asked them to do. They will not contact you directly or send you any marketing materials. We make sure we have appropriate contracts in place with them.
Sometimes your personal data may be processed by these organisations outside the European Economic Area (e.g. because they use a cloud-based system with servers based outside the EEA), and if so, we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data.
When you make payments for an event using our website, your payment is processed by a third party payment processor who specialises in the secure online capture and processing of credit/debit card transactions.
We do not disclose or sell personal data to any third parties or external organisations for marketing or any other purposes.
Except as we have explained above, we will not normally publish or disclose any personal data about you to other external enquirers or organisations unless you have asked us to do or have consented to it, or in an emergency situation.
How long is your personal data kept?
We will retain most of your data indefinitely in support of your relationship with us or until there is no longer a legal basis for holding it or you object to the use of your data for direct marketing purposes.
Membership information: This is normally retained for a period of 7 years after you cease to be a member.
Information held to enable us to communicate with you or send marketing information is retained indefinitely until either there is no longer a legal basis for holding it or you object to the use of your data for direct marketing purposes.
Gift Aid Data: In order to meet HMRC requirements, we will store any gift aid declarations for admissions, memberships and donations for a period of 7 years.
Student Data (eg RHS Courses or Adult learning): Paper application forms for RHS courses are stored securely for the duration of the student’s course plus one year, after which they are securely destroyed.
Volunteer Data: Paper application forms for volunteers are stored securely for 1 year after which they are securely destroyed.
Data relating to those who attend an event organised or held by us is kept for 7 years from booking or attending.
Attendance data and data on a suspected or positive Covid-19 test, where solely for the purposes of NHS Track and Trace and compliance with the University’s health and safety duties in respect of a pandemic (e.g. Covid-19) or similar emergency: 21 days from attending.
Your rights in relation to your personal data?
As a data subject, you have the following rights in relation to your personal data which is processed by UoB Sport & Fitness:
- to access the personal information the University holds about you. This is known as a Subject Access Request. More information about making Subject Access Requests can be found on our website, and you will find it helpful to read this before making a Subject Access Request;
- to correct inaccuracies or, where appropriate and taking into account the purpose for which we process your data, the right to have incomplete data completed;
- to have your personal data erased. This is a limited right which applies, among other circumstances, when the data is no longer required or the processing has no legal justification. There are also exceptions to this right, such as when the processing is required by law or in the public interest (e.g. when the University needs to retain a historical archive);
- to object to the processing of your personal data for marketing purposes. If you ask us to delete your personal data, we will continue to maintain a core set of personal data comprising very brief information to ensure that we do not inadvertently contact you in future. We may also need to retain some financial records for statutory purposes;
- to object to the processing of your personal data when that processing is based on specific criteria such as the public interest or other legitimate interests, unless we have compelling lawful grounds to continue;
- to restrict the processing of your personal data. This is a limited right which will apply in specific circumstances and for a limited period;
- to ask for the transfer of your data electronically to a third party;
- where the legal basis for us processing your personal data is your consent, to withdraw that consent at any time.
Exercising your rights, queries and complaints
- you would like more information on your rights;
- you would like to exercise any right; or
- you have any queries relating to the University’s processing of your personal data
- The Information Compliance Manager
The University of Birmingham
Telephone: +44 (0)121 414 3916
More information on making a Subject Access Request can be found on the University’s website. Please do read this before making a request.
If you wish to complain
If you wish to make a complaint about how your data is being or has been processed, please contact our Data Protection Officer:
- Mrs Carolyn Pike, OBE
The Data Protection Officer
The University of Birmingham
Telephone: +44 (0)121 414 3916
You also have a right to complain to the Information Commissioner’s Office (ICO) about the way in which we process your personal data. You can make a complaint using the ICO’s website.