Free2fight is committed to a policy of protecting the rights and privacy of individuals (includes students,
Instructors and others) in accordance with the Data Protection Act. All dojos need to process certain
information about their Instructors, students and other individuals they have dealings with for administrative
purposes (eg membership details, collection of fees, medical information etc.). To comply with the law,
information about individuals must be collected and used fairly, stored safely and securely and not disclosed
to any third party unlawfully.
The policy applies to everyone connected with Free2fight.
2. Background to the Data Protection Act 1998.
The Data Protection Act 1998 enhances and broadens the scope of the Data Protection Act 1984. Its purpose
is to protect the rights and privacy of living individuals and to ensure that personal data is not processed
without their knowledge, and, wherever possible, is processed with their consent.
3. Definitions (Data Protection Act 1998).
Personal Data
Data relating to a living individual who can be identified from that information or from that data and
other information in possession of the data controller. Includes name, address, telephone number, id
number. Also includes expression of opinion about the individual, and of the intentions of the data
controller in respect of that individual.
Sensitive Data
Different from ordinary personal data (such as name, address, telephone) and relates to racial or
ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life,
criminal convictions. Sensitive data are subject to much stricter conditions of processing.
Data Controller
Any person (or organisation) that makes decisions with regard to particular personal data,
including decisions regarding the purposes for which personal data are processed and the
way in which the personal data are processed.
Data Subject
Any living individual who is the subject of personal data held by an organisation.
Processing
Any operation related to organisation, retrieval, disclosure and deletion of data and includes:
Obtaining and recording data
Accessing, altering, adding to, merging, deleting data
Retrieval, consultation or use of data
Disclosure or otherwise making available of data
Third Party
Any individual/organisation other than the data subject, the data controller (Free2fight) or its agents.
Relevant Filing System
Any paper filing system or other manual filing system which is structured so that information about
an individual is readily accessible. Please note that this is the definition of "Relevant Filing
System" in the Act. Personal data as defined, and covered, by the Act can be held in any format,
electronic (including websites and emails), paper-based, photographic etc. from which the individual's
information can be readily extracted.
4. Responsibilities under the Data Protection Act.
Free2fight as a body corporate is the data controller under the new Act.
A Data Protection Officer has been appointed who is responsible for providing guidance for the
handling of data within Free2fight.
Compliance with data protection legislation is the responsibility of all members of Free2fight
who process personal information.
Members of Free2fight are responsible for ensuring that any personal data supplied to them is
accurate and up-to-date.
5. Data Protection Principles.
All processing of personal data must be done in accordance with the eight data protection principles.
Personal data shall be processed fairly and lawfully.
Those responsible for processing personal data must make reasonable efforts to ensure that data
subjects are informed of the identity of the data controller, the purpose(s) of the processing,
any disclosures to third parties that are envisaged and an indication of the period for which the
data will be kept.
Personal data shall be obtained for specific and lawful purposes and not processed in a manner
incompatible with those purposes.
Data obtained for specified purposes must not be used for a purpose that differs from those.
Personal data shall be adequate, relevant and not excessive in relation to the purpose for
which it is held.
Information, which is not strictly necessary for the purpose for which it is obtained, should
not be collected. If data are given or obtained which are excessive for the purpose, they should
be immediately deleted or destroyed.
Personal data shall be accurate and, where necessary, kept up to date.
Data, which are kept for a long time, must be reviewed and updated as necessary. No data should be
kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals
to ensure that data held by Free2fight are accurate and up-to-date. Completion of an appropriate
registration or application form etc will be taken as an indication that the data contained therein
is accurate. Individuals should notify Free2fight of any changes in circumstance to enable personal
records to be updated accordingly. It is the responsibility of Free2fight to ensure that any notification
regarding change of circumstances is noted and acted upon.
Personal data shall be kept only for as long as necessary. (see Section 11 on Retention and
Disposal of Data)
Personal data shall be processed in accordance with the rights of data subjects under the Data
Protection Act. (see Section 6 on Data Subjects Rights)
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of data. (see Section 8 on
Security of Data)
Personal data shall not be transferred to a country or a territory outside the European Economic
Area unless that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data.
Data must not be transferred outside of the European Economic Area (EEA) - the fifteen EU Member
States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual.
Members of Free2fight should be particularly aware of this when publishing information on the Internet,
which can be accessed from anywhere in the globe. This is because transfer includes placing data on
a web site that can be accessed from outside the EEA.
6. Data Subject Rights.
Data Subjects have the following rights regarding data processing, and the data that are recorded about them:
To make subject access requests regarding the nature of information held and to whom it has been disclosed.
To prevent processing likely to cause damage or distress.
To prevent processing for purposes of direct marketing.
To be informed about mechanics of automated decision taking process that will significantly affect them.
Not to have significant decisions that will affect them taken solely by automated process.
To sue for compensation if they suffer damage by any contravention of the Act.
To take action to rectify, block, erase or destroy inaccurate data.
To request the Commissioner to assess whether any provision of the Act has been contravened.
7. Consent.
Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed
unless the individual has given consent. Free2fight understands "consent" to mean that the data
subject has been fully informed of the intended processing and has signified their agreement, whilst
being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained
under duress or on the basis of misleading information will not be a valid basis for processing.
There must be some active communication between the parties such as signing a form and the individual
must sign the form freely of their own accord. Consent cannot be inferred from non-response to a
communication. For sensitive data, explicit written consent of data subjects must be obtained unless
an alternative legitimate basis for processing exists.
In most instances consent to process personal and sensitive data is obtained routinely by Free2fight
(eg when a student signs a membership form). Any Free2fight forms (whether paper-based or web-based)
that gather data on an individual should contain a statement explaining what the information is to
be used for and to whom it may be disclosed. It is particularly important to obtain specific consent
if an individual's data are to be published on the Internet as such data can be accessed from all over
the globe. Therefore, not gaining consent could contravene the eighth data protection principle.
If an individual does not consent to certain types of processing (eg direct marketing), appropriate
action must be taken to ensure that the processing does not take place.
If any member of Free2fight is in any doubt about these matters, they should consult the Free2fight
Data Protection Officer.
8. Security of Data.
All Free2fight members are responsible for ensuring that any personal data (on others) which they
hold are kept securely and that they are not disclosed to any unauthorised third party (see Section
10 on Disclosure of Data for more detail).
All personal data should be accessible only to those who need to use it. You should form a judgement
based upon the sensitivity and value of the information in question, but always consider keeping personal
data:
in a lockable room with controlled access, or
in a locked drawer or filing cabinet, or
if computerised, password protected, or
kept on disks which are themselves kept securely.
Care should be taken to ensure that PCs and terminals are not visible except to authorised individuals
and that computer passwords are kept confidential. PC screens should not be left unattended without
password protected screen-savers and manual records should not be left where they can be accessed by
unauthorised personnel.
Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal
of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of
redundant PCs should be wiped clean before disposal.
9. Rights of Access to Data.
Members of Free2fight have the right to access any personal data which has been collected in electronic
format and manual records which form part of a relevant filing system. This includes the right to inspect
confidential personal references received by Free2fight about that person.
Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer.
Free2fight reserves the right to charge a fee for data subject access requests (currently £10). Any such
request will normally be complied with within 40 days of receipt of the written request and, where
appropriate, the fee.
See Section 14 "Procedure for subject access request"
10. Disclosure of Data.
Free2fight must ensure that personal data are not disclosed to unauthorised third parties which includes
family members, friends, government bodies, and in certain circumstances, the Police. All members should
exercise caution when asked to disclose personal data held on another individual to a third party. For
instance, it would usually be deemed appropriate to disclose an instructor's contact details in response
to an enquiry regarding a particular dojo for which they are responsible. The important thing to bear
in mind is whether or not disclosure of the information is relevant to, and necessary for Free2fight
business. Best practice, however, would be to take the contact details of the person making the enquiry
and pass them onto the member of Free2fight concerned.
This policy determines that personal data may be legitimately disclosed where one of the following
conditions apply:
the individual has given their consent (eg a member has consented to Free2fight corresponding
with a named third party);
where the disclosure is in the legitimate interests of Free2fight (eg disclosure to members -
personal information can be disclosed to other Free2fight members if it is clear that those
members require the information to enable them to effectively run their dojo);
The Act permits certain disclosures without consent so long as the information is requested for
one or more of the following purposes:
to safeguard national security*;
prevention or detection of crime including the apprehension or prosecution of offenders*;
assessment or collection of tax duty*;
discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
to prevent serious harm to a third party;
to protect the vital interests of the individual (this refers to life and death situations).
* Requests must be supported by appropriate paperwork.
When members of Free2fight receive enquiries as to whether a named individual is a member of
Free2fight, the enquirer should be asked why the information is required. If consent for
disclosure has not been given and the reason is not one detailed above (ie consent not required),
the Free2fight member should decline to comment. Even confirming whether or not an individual
is a member of Free2fight may constitute an unauthorised disclosure.
Unless consent has been obtained from the data subject, information should not be disclosed over
the telephone. Instead, the enquirer should be asked to provide documentary evidence to support
their request. Ideally a statement from the data subject consenting to disclosure to the third
party should accompany the request.
As an alternative to disclosing personal data, Free2fight may offer to do one of the following:
pass a message to the data subject asking them to contact the enquirer;
accept a sealed envelope/incoming email message and attempt to forward it to the data subject.
Please remember to inform the enquirer that such action will be taken conditionally: ie "if the
person is a member of Free2fight" to avoid confirming their membership.
11. Retention and Disposal of Data.
Free2fight discourages the retention of personal data for longer than they are required. Considerable
amounts of data are collected on Members. However, once a member has left Free2fight, it will not be
necessary to retain all the information held on them. Some data will be kept for longer periods than
others.
Student Members
Due to the sometimes sporadic nature of attendance, student member records should be kept for at
least one year after a period of unexplained absence but not more than two years.
Instructor Members
After notification of leaving Free2fight instructor records should be held for at least 5 years.
Disposal of Records
Personal data must be disposed of in a way that protects the rights and privacy of data subjects
(eg, shredding, disposal as confidential waste, secure electronic deletion).
12. Publication of Free2fight Information.
All members of Free2fight should note that occasionally Free2fight publishes a number of items that
include personal data.
Examples of these would be: Instructor contact details, Instructor qualifications, Student achievements.
It is recognised that there might be occasions when a member of Free2fight, requests that their personal
details remain confidential or are restricted to internal access. All individuals should be offered an
opportunity to opt-out of the publication of the data. In such instances, Free2fight should comply with
the request and ensure that appropriate action is taken.
13. Direct Marketing.
If a member group of Free2fight uses personal data for direct marketing purposes, it must inform data subjects
of this at the time of collection of the data. Individuals must be provided with the opportunity to object
to the use of their data for direct marketing purposes (eg an opt-out box on a form).
14. Procedure for subject access request.
Individuals wishing to access their personal information should submit a request in accordance with the
following notes:
Make your request, in writing, to the Data Protection Officer.
The request should include details and provide documented evidence of who you are (e.g. driving
licence, passport, birth certificate). You should also provide as much detail as possible regarding
the information you wish to access (e.g. where and by whom information is believed to be held,
specific details of information required etc).
You are not required to state WHY you wish to access the information: the details we require are
merely those that will aid the efficient location and retrieval of information.
Free2fight adopts a general policy of openness in terms of allowing individuals access to their
personal information and wherever possible we aim to waive the £10 administration fee (permitted
under the Data Protection Act 1998).
Once the Data Protection Officer receives a Subject Access Request, all efforts will be made to
fully comply within 40 days. In any event, you will receive all the information that has been
located and can be released within 40 days and an explanation for any information that cannot be
provided at that time.
In accordance with the Data Protection Act 1998, Free2fight does not usually release information
held about individuals without their consent. Therefore if information held about you also contains
information related to a third party, Free2fight will make every effort to anonymise the information.
If this is not possible, and Free2fight has been unable to secure the relevant consent, Free2fight
may decide not to release the information.
15. Guidance for Photographs/ Video recordings.
General Photographs
If individuals are not readily identifiable from the photograph and it seems unlikely that any
damage or distress will result from such processing then it will not be necessary to obtain consent.
Therefore, students and staff whose images appear as incidental detail (e.g. general degree day or
campus photographs) in publicity photographs will not need to give consent for the use of their image.
Photographs of Group Activities
Where photographs are to be taken of a group activity (e.g. a seminar) then this should be announced
in advance so that individuals may leave the room briefly if they do not wish to appear in the
photographs.
Photographs of Small Groups/Individuals
Where photographs are to be taken of a single individual, or a small group of individuals, where
individuals are the main subject of the photograph (even if they are not identified by name), consent
should be sought before any photographs are taken. When gaining consent, it is important to ensure
that individuals are informed of what the images will be used for (e.g. where they will be printed
and who will have access to them). In most cases, verbal consent is all that will be required.
Publishing Photographs on the Web
If it is intended to make photographs available on the web, wherever possible this should be restricted
to the Intranet rather than the Internet. Publishing on the Internet potentially transfers personal
data outside of the EEA (the fifteen EU Member States together with Iceland, Liechtenstein and Norway)
for which rules on gaining consent from individuals are much stricter. If photographs (except where
members' images appear as incidental detail) are to be published on the Internet, explicit consent
should be obtained.
Photographs of Children
In cases where children are the subject of the photograph Free2fight members should ensure that other
than parental or official photographers no other person is allowed to take photographs. Under no
circumstances are images of children to be used on a website or published where they can be directly
identified, even if explicit parental consent is received.
free2fight.com is a trading name of spider monkey (dojo) ltd
registered office: 8 jury street, warwick, CV34 4EW, UK
company number: 4969045