CIMSPA Privacy Notice

Introduction

Welcome to the Chartered Institute for the Management of Sport and Physical Activity (CIMSPA) Privacy Notice.

As the professional development body for the UK’s sport and physical activity sector, CIMSPA is shaping a recognised and respected sector through its work with individual members and partner organisations. In order to carry out its business, CIMSPA requires personal data and is fully committed to respecting all personal data it collects and stores.

Privacy Notice purpose

CIMSPA’s Privacy Notice will provide information on how CIMSPA protects, manages, stores and deletes personal data. It will also provide information on individual privacy rights and how the data protection law protects an individual’s personal data. Furthermore, it will outline what CIMSPA will do with individual data and who it will share this information with.

It is important that individuals read the privacy notice from time to time so that they can remain fully informed on how and why CIMSPA is using individual data.

CIMSPA’s services are not intended for children and it does not knowingly collect data relating to children.

About CIMSPA

Chartered Institute for the Management of Sport and Physical Activity
SportPark Loughborough University, 3 Oakwood Drive
Loughborough, Leicestershire LE11 3QF
Tel: 01509 226474
Email: info@cimspa.co.uk

Incorporated by Royal Charter Charity registration number 1144545

CIMSPA has a single entry on the Data Protection register held by the ICO. The registrable particulars are as follows:

Registration number: Z299023X
Date registered: 03 January 2012
Registration expires: 02 January 2019
Data controller: Chartered Institute for the Management of Sport and Physical Activity
Other names: CIMSPA

General

CIMSPA collects personal data which is necessary for it to carry out its services that individuals request. This includes delivering memberships, partnership, education, training, events or simply managing a relationship between an individual and CIMSPA.

As a data controller CIMSPA will provide the privacy notice at the point at which it collects data from an individual. For instances where CIMSPA collects personal data indirectly, it will provide the privacy notice at: the first point of direct contact to the individual, when CIMSPA shares the information with a third party or within one month of receiving the data – whichever option is the earlier.

CIMSPA has not appointed a data protection officer as it is not required to do so, but has however, adopted the approach that each head of department will be the responsible lead for data protection within their area of work. The director of strategy will have overall responsibility for data protection compliance and oversee the heads of department and provide further support and guidance where required.

Any questions regarding the privacy notice or requests to exercise individual rights can be sent to CIMSPA at dataprotection@cimspa.co.uk

Personal information CIMSPA collects

Personal data or personal information, means any information about an individual from which that person can be identified. CIMSPA collects personal data in a number of ways:

  • Through membership application.
  • Through partnership application.
  • Through email, telephone or website enquiries.
  • When purchasing a product.
  • When completing a survey.
  • When sending feedback to CIMSPA.
  • Attendance at CPD training, education opportunities, events and conferences.
  • Participating in online learning.

CIMSPA collects the following types of information:

Personal contact – to allow direct communication between CIMSPA and an individual, for example for CIMSPA to service an individual’s membership.

  • Address.
  • Email address(es).
  • Name.
  • Job title.
  • Telephone number.
  • Title.

Organisation details – to apply membership discounts based on employer partnership contracts and additional contact members.

  • Employer.
  • Workplace.

Interactions with CIMSPA – to facilitate interactions and requests between individuals and CIMSPA.

  • Email communications.
  • Telephone conversations.
  • Written correspondence.

Financial details – to enable CIMSPA to receive, make payment and record transactions between individuals or organisations and CIMSPA.

  • Bank details.
  • Batch payment details - bank info included.
  • Cheque/payment details.
  • Credit/debit card details.
  • Delivery notes.
  • Direct Debit Mandates.
  • Member/partner fees.
  • Membership/partnership payment charge.
  • Order details.
  • Purchase invoice.
  • Sales invoices and credits.

Use of CIMSPA services – to enable and record the use of and movement through online systems.

  • Passwords.
  • IP addresses.
  • User names.
  • Record of attendance at events, conferences, CPD etc.

Identification and CIMSPA support – how CIMSPA identifies an individual, captures information to ensure eligibility into membership and services additional support as part of the membership benefits (for example, recording disabilities to ensure needs are met at events).

  • Career history (CV).
  • CPD.
  • Date of birth.
  • Disability.
  • Ethnic origin.
  • Gender.
  • Qualifications.

CIMSPA administration – data that CIMSPA records to fulfil its business functions.

  • Contracts.
  • Mailing preferences.
  • Member/partner category.
  • Membership/partnership number.
  • Membership/partnership renewal date.
  • Membership/partnership start date.
  • Membership/partnership status.
  • Type of membership.

Personal details about ethnic origin, disability etc. are considered ‘sensitive’ personal data and are applicable under data protection laws. CIMSPA processes this data only if the individual has given CIMSPA explicit consent, or it is necessary (for instance if you request special assistance), or you have deliberately made it public.

Why CIMSPA collects personal data

CIMSPA will only collate and use personal data where the law permits. CIMSPA processes personal information to enable it to provide a voluntary service for the benefit of the national public as specified in CIMSPA’s chartered statutes.

Lawful data collection

CIMSPA most commonly uses personal data in the following circumstances:

  • Consent – where CIMSPA obtains genuine consent from an individual in relation to their personal data.
  • Contract – where CIMSPA needs to perform the contract that the individual or organisation is about to enter into or has entered into.
  • Legal obligation – where CIMSPA has legal or regulatory purposes, such as the powers within its chartered statutes or HMRC requirements.
  • Legitimate interests - where it is necessary for CIMSPA’s legitimate interests, and an individual’s interests or fundamental rights do not override CIMSPA’s interests.

Marketing preferences

CIMSPA provides information based on membership and partnership contracts and benefits. Individuals can change their preferences on their marketing preferences at any point in time. Marketing preferences do not include communications specifically relating to or regarding the management of contracts, membership or partnerships with CIMSPA.

Cookies

CIMSPA uses data analytics on its website to improve the function, products, services, marketing, customer relationship and experiences to ensure that the website remains up to date and relevant to the needs of its users. Further information can be found in CIMSPA’s Cookies policy.

Data retention

CIMSPA keeps personal data only for as long as is necessary.

Contract/membership/partnership

Individuals with a live contract, membership or partnership with CIMSPA will have their data used and held by CIMSPA in accordance with its privacy statement, data protection and IT security policies and procedures.

Contract/membership/partnership

If an individual terminates their contract, membership or partnership with CIMSPA, their data will be retained as per the data retention schedule below. Wherever possible, CIMSPA will pseudonymise individual records by deleting personal data and retaining membership numbers, for example. This will allow CIMSPA to manage risk and maintain business continuity.

Opting in

Individuals who have opted-in to communication from CIMSPA will have their data used and held by CIMSPA in accordance with its privacy statement, data protection and IT security policies and procedures.

Opting out

An individual who has opted-out of communications from CIMSPA will have their data retained as per the data retention schedule below. Wherever possible, CIMSPA will pseudonymise individual records by deleting personal data and retaining membership numbers, for example. This will allow CIMSPA to manage risk and maintain business continuity.

Right to erasure

Individuals who request to delete their data will have this deleted in accordance with the data retention schedule below. Data which cannot be deleted immediately will be held for CIMSPA’s legal, regulatory or business purposes which are governed by other legal or regulatory bodies, for example the HMRC. 

The CIMSPA Data Retention Schedule is detailed below: 

Data security

CIMSPA is committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout its operations. CIMSPA has put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In accordance with its data protection and IT security policy and procedures, CIMSPA limits access to personal data to employees, volunteers, contractors and disclosed third parties who have a business function to complete. The personnel and organisations will only process personal data on CIMSPA instructions and are subject to a duty of confidentiality.

CIMSPA has procedures in place to monitor, identify and manage any suspected breaches of personal data. If a breach has occurred, CIMSPA will notify the individuals involved, of this breach where it is legally required to do so.

Sharing personal information

CIMSPA discloses personal information to third party organisations in order to operate its business. This is largely to service the benefits of memberships and partnerships with CIMSPA. Where CIMSPA shares personal data with third parties, it has made arrangements to protect and secure this data. Outside of these third parties, CIMSPA does not disclose personal information unless it is required to do so by law.

Routine data controllers include organisation in Banking, CRM, eLearning, marketing and publishers, CIMSPA ensures that they are GDPR compliant which is recorded and monitored through its contracts.

CIMSPA may share information with a third party, for example an employer or education provider only where the individual has approved the sharing of the information. In order to carry out its business, CIMSPA may (with the individuals permission) also share personal data with the following:

  • External quality assurers.
  • Couriers.
  • IT system providers e.g. telephone/video conference services.
  • Police, law enforcement and security services.

Individual legal rights

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.

Individuals have the right to invoke any of the above at any point to CIMSPA and can do this by emailing dataprotection@cimspa.co.uk or calling 01509 226 474.

Privacy policy and notice

CIMSPA will provide the privacy notice at the start of the relationship with an individual, it will also be available on its website so that individuals can continuously access this information. Where CIMSPA makes substantial changes or a new use for individual data is identified, it will provide individuals with an update version of the privacy notice before changes or new uses take place.

It is therefore important that individuals inform CIMSPA of any changes to the personal data that it holds to ensure that CIMSPA can continue to communicate with the individual effectively.