What happens to information held about you? Your rights and our obligations to you.
How We Use Personal Data
This document explains how Aneurin Leisure obtains, holds, uses and discloses information about people (their personal data), the steps we take to ensure that it is protected, and also describes the rights individuals have in regard to their personal data handled by Aneurin Leisure.
The use and disclosure of personal data is governed by the Data Protection Act 2017 (‘the Act’). Aneurin Leisure is registered with the Information Commissioner’s Office as a ‘data controller’ for the purposes of the Act. As such Aneurin Leisure is obliged to ensure that it handles all personal data in accordance with the Act.
Aneurin Leisure takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence.
1. Why do we handle personal data?
Aneurin Leisure processes personal information to enable it to provide a range of services to its customers which include:
- Maintaining our own accounts and records
- Supporting and managing our employees
- Promoting the services that Aneurin Leisure provides
2. What type/classes of personal data do we handle?
In order to carry out the purposes described under section 1 above Aneurin Leisure may obtain, use and disclose personal data including the following:
- Personal details
- Family details
- Lifestyle and social circumstances
- Goods and services
- Financial details
- Employment and education details
- Visual images
- Business activities
- Physical or mental health details
- Racial or ethnic origin
- Trade union membership
- Offences (including alleged offences)
- Religious or other beliefs of a similar nature
Aneurin Leisure will only use appropriate personal data necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record i.e. a file, as images, but it can also include other types of electronically held information e.g. CCTV images.
3. Who information is processed about
In order to carry out the purposes described under section 1 above Aneurin Leisure may obtain, use and disclose personal data about the following:
- Staff, persons contracted to provide a service
- Complainants, enquirers or their representatives
- Professional advisors and consultants
- Students and pupils
- People captured by CCTV images
- Representatives of other organisations
4. Where do we obtain personal data from?
In order to carry out the purposes described under section 1 above Aneurin Leisure may obtain personal data from a wide variety of sources, including the following:
- HM Revenue and Customs;
- Voluntary sector organisations;
- Approved organisations and people working with Aneurin Leisure;
- Central government, governmental agencies and departments;
- Individuals themselves;
- Relatives, guardians or other persons associated with the individual;
- Current, past or prospective employers of the individual;
- Education, training establishments and examining bodies;
- Business associates and other professional advisors;
- Employees and agents of Aneurin Leisure;
- Suppliers, providers of goods or services;
- Persons making an enquiry or complaint;
- Financial organisations and advisors;
- External claims handlers;
- Medical consultants and GPs;
- Trade, employer associations and professional bodies;
- Local government;
- Voluntary and charitable organisations;
- Ombudsman and regulatory authorities;
- The media;
- Data Processors working on behalf of Aneurin Leisure;
- Information openly available on the internet;
- Other departments within the Trust.
Aneurin Leisure may also obtain personal data from other sources such as its own CCTV systems, or correspondence.
5. How do we handle personal data?
In order to achieve the purposes described under section 1 Aneurin Leisure will handle personal data in accordance with the Act. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification. We will strive to ensure that any personal data used by us or on our behalf is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness, is kept as up to date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required.
6. How do we ensure the security of personal data?
Aneurin Leisure takes the security of all personal data under our control very seriously. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and integrity monitoring, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
7. Who do we disclose personal data to?
We sometimes need to share information with the individuals we process information about and with other organisations. Where this is necessary we are required to comply with all aspects of the Act. What follows is a description of the types of organisations with which we may need to share some of the personal information that we process, for one or more reasons:
- Family, associates or representatives of the person whose personal data we are processing
- Healthcare, social and welfare organisations
- Providers of goods and services
- Financial organisations
- Educators and examining bodies
- Local and central government
- Ombudsman and regulatory services
- Press and the media
- Professional advisers and consultants
- Trade unions
- Professional bodies
- Survey and research organisations
- Police forces
- Voluntary and charitable organisations
- Data processors
- Regulatory bodies
- Law enforcement agencies and bodies
- Security companies
- Service providers
- Current, past and prospective employers and examining bodies
- Legal representatives, defence solicitors
- The disclosure and barring service
- External claim handlers
- Loss Adjusters
- Insurance Brokers and Insurers
It may sometimes be necessary for Aneurin Leisure to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Act.
8. What are your rights in relation to your personal data which is handled by Aneurin Leisure?
Individuals have various rights under the Act:
Right of access
You can obtain a copy, subject to exemptions, of your personal data held by Aneurin Leisure. A copy of the application form is available on the Trust’s website.
Under the Act you are also entitled to obtain confirmation as to whether or not data concerning you is being processed by the Trust. Where that is the case, you are entitled to the following information subject to exemptions:
- The purposes of and legal basis for the processing
- The categories of personal data concerned
- The recipients to whom the personal data has been disclosed
- The period for which it is envisaged that the personal data will be stored
- Communication of the personal data undergoing processing and of any available information as to its origin.
*Please note that ‘processing’ means an operation or set of operations performed on personal data such as collection, recording, organisation, structuring, storage, adaption, alteration, erasure, restriction, retrieval.
Proof of ID and any further information needed to locate the information may be required before the Trust can comply with your request.
Any request for the above information should be made in writing to the Data Protection Officer and the Trust will respond within one month.
Rectification of data
You can request the Trust to rectify inaccurate personal data relating to you. If the data is inaccurate because it is incomplete, the Trust must complete it if required to do so by you.
A request should be made in writing to the Data Protection Officer and a response will be sent within one month.
Erasure or restriction of personal data
You can request that the Trust erase your data or restrict any processing of your data, subject to exemptions.
All requests should be made to the Data Protection Officer. The Trust will then inform you of whether the request has been granted and if it has been refused, the reasons for the refusal.
Right not to be subject to automated decision-making
Under the Act you have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on you. You have a right to express your point of view and obtain an explanation from the Trust of its decision and challenge it.
However, it should be noted that this right does not apply to all decisions, as there are exemptions, for example performance of a contract to which you are a party.
9. How long does Aneurin Leisure retain personal data?
Aneurin Leisure keeps personal data as long as is necessary for the particular purpose or purposes for which it is held in accordance with the statutory retention periods and national guidelines.
10. Contact Us
Any individual with concerns over the way Aneurin Leisure handles their personal data may contact Aneurin Leisure’s Data Protection Officer as below:
Legal & Corporate Compliance, General Offices, Ebbw Vale, Gwent, NP23 6DN.
Telephone 01495 311556
You can also raise concerns with the Information Commissioner for Wales. The Information Commissioner can be contacted at:
Information Commissioner’s Office – Wales
Telephone: 02920 678400 Fax: 02920 678399