Data Protection and Privacy.
Data Protection and Privacy Policy.
Website of The British Association of Sport Rehabilitators.
Last updated May 2024.
This document is intended to outline the British Association of Sport Rehabilitators and Trainers (BASRaT) Data Protection Policy.
Contact Information.
If you require additional information, you can contact us using the following details:
BASRaT Administrator
PO Box 627
Manchester
M14 0PN
Tel: 0330 133 2123
Email: administration@basrat.org
Data Protection Officer
The Data Protection Officer (DPO) for BASRaT is Oliver Coburn. To contact the DPO, please use the following information:
BASRaT Data Protection Officer
PO Box 627
Manchester
M14 0PN
Tel: 0330 133 2123
Email: registrar@basrat.org
Introduction
The “British Association of Sport Rehabilitators and Trainers” (BASRaT) is committed to complying with all relevant data protection legislation and protecting the rights and privacy of individuals. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
BASRaT needs to process personal information about the people we work with, are registered with us or visit our website, in order to undertake its function as a regulator of sport rehabilitators. The processing of personal information (data) is regulated by data protection legislation, which sets out the responsibilities of all organisations processing personal data and provides rights to people whose data is being processed (data subjects).
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (the "GDPR"), and the Data Protection Act 2018 (the “DPA”)) we (BASRaT) are a 'Data Controller' under the GDPR and DPA. This means that if we collect and use your personal data we must comply with the requirements set out in the GDPR and DPA. This policy describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you.
What information does this policy apply to?
This policy applies to all Personal Data as defined by the Data Protection Legislation, in both electronic and paper form, held by BASRaT, transferred to or exchanged with third parties, or held by third parties on behalf of BASRaT.
Personal Data: any information relating to an identified or identifiable living individual who can be directly or indirectly identified. This may include a person’s name and address, phone number, email address, date of birth, IP address or next of kin.
Special Category Personal Data: special category data is data that relates to an individual’s health, sexual life, sexual orientation, race, ethnic origin, political opinion, religion, genetics, biometrics and trade union membership.
Criminal Offence Personal Data: personal data relating to criminal convictions and offences or related security measures.
Data Protection Principles.
BASRaT processes data in accordance with the key data protection principles set out in Article 5 of the GDPR (and elsewhere in that legislation) which states that personal information must be:
processed fairly, lawfully and in a transparent manner;
processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and not excessive;
accurate and up-to-date;
not kept for longer than is necessary;
processed in line with the data subjects’ rights;
secure; and
not transferred to other countries without adequate protection.
We will seek to demonstrate our compliance with, and accountability for, these requirements through this policy; allied policies; our systems and processes; and through ensuring that staff receive regular and relevant training on data protection issues.
Who do we collect information about?
In general terms, we process data about:
people who wish to be, are or have previously been on our register;
people who wish to be, are or have previously been members of our organisation;
people working for us;
people helping us to perform our regulatory functions;
external stakeholders and customers engaging with us about the work we do, including those who wish to make a complaint about us or a member;
people who subscribe to our newsletter;
visitors to our website.
The purpose of processing your data.
We collect personal data for the following reasons:
to fulfil our function as a regulator;
to meet the standards for Accredited Registers set out by the Professional Standards Authority for Health and Social Care;
to act as a membership body;
to fulfil obligations as an employer; and
to communicate effectively with members of the public and other stakeholders.
The Lawful basis for processing your data.
BASRaT will only process personal data in accordance with the data protection legislation, for purposes including, but not limited to:
For the performance of a task in the public interest.
We act as a regulatory body, and part of our role is to protect the public. To do this, we keep a register of professionals who are appropriately qualified and meet our standards of ethics and behaviour. We also sanction any registrants that fail to meet those standards. Processing is necessary to protect the public against dishonesty, malpractice, unfitness or incompetence, and these functions must be carried out without the ‘consent’ of the data subject so as not to prejudice the exercise of that function. The processing is also necessary for reasons of substantial public interest. Performance of these tasks in the public interest is required of us in order to meet the standards for Accredited Registers set out by the Professional Standards Authority for Health and Social Care.
Legitimate interests.
For BASRaT’s (or a third party’s) legitimate interests, where that data would be used in a way that would be reasonably expected and which will have minimal or proportionate privacy impact on the data subject. For example, we may need to process personal data to provide members with newsletters or information about BASRaT events.
Consent.
We do not generally rely on consent to process personal data and special category personal data. However, where BASRaT does obtain the consent of the data subject, we will ensure that:
There has been a genuine choice by the data subject;
The consent has been freely given by the data subject;
The data subject has been fully informed about the data processing to which they have consented;
The data subject has been informed of their right to withdraw consent at any time and there is a mechanism to withdraw their consent.
Consent will be refreshed at appropriate intervals to be determined for every instance where consent is the lawful condition for processing. Under any circumstance where activities we carry out may not be covered by the above, we will record the legal basis for processing.
Special Category Data.
BASRaT processes special category data and criminal offence data as part of our regulatory and employer obligations, for example, information relating to the health data of, or cautions and convictions of, registrants and employees. In general terms, the legal bases for such processing are:
for employee special category and criminal offence data, the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of BASRaT or an employee in the field of employment; and
for registrant special category and criminal offence data, the processing is necessary for health or social care purposes for the management of health care or social care services, those services being the regulation of sport rehabilitators.
How we use your data.
How we use your information will vary depending on your relationship with us.
Registrants.
If you are applying to be a registrant, or you are a registrant of BASRaT, we will use your personal data to:
Process and administer your application, including verifying the information you have provided. In doing so, we may share and/or receive your data from relevant third parties (such as referees, education providers, other regulators or employers);
manage your ongoing registration to maintain the accuracy of our register;
comply with our responsibility to monitor professional standards of our registrants, protect the public and maintain public confidence in the profession;
send you communications connected with your registration and about the organisation as a whole;
send you communications relevant to your profession and professional development (such as conferences, CPD events, lectures, journal material etc);
respond to members of the public or employers regarding the status of your registration;
investigate complaints made about you, or by you, as part of our Fitness to Practise processes, including making any necessary publications about the investigation;
deal with any contact you make with the organisation.
Members.
If you are applying to be a member of the organisation, or you are a current member of the organisation, we will use your personal data to:
Process and administer your application;
administer your ongoing membership;
respond to members of the public or employers regarding the status of your membership;
send you communications connected with your membership and about the organisation as a whole;
send you communications relevant to your profession and professional development (such as conferences, CPD events, lectures, journal material etc);
deal with any contact you make with the organisation.
Public.
If you are a member of the public, or anybody raising a concern about a registrant of BASRaT, we will use your personal data to:
Process and manage your complaint, including sharing your complaint with relevant third parties during the course of any investigation;
normally, if an investigation progresses, we will have to disclose your identity to the registrant you have raised a concern about. We will try to respect any request by you not to be identified, but it may not be possible for us to pursue your complaint on an anonymous basis;
keep your personal information on file as part of the record of your concern;
deal with any contact you make with the organisation;
respond to your enquiries and provide you with relevant information or services;
investigate concerns raised by you about our organisation or employees;
obtain further information in respect of any enquiry or complaint made by you.
Register Check.
Members of the public can check a registrant’s status via the “register check” function of our website. Members of the public are able to access a registrant’s full name, their registration status, registration number, locality (town/county) and details of any Fitness to Practise proceedings and outcomes. It functions to protect the public and maintain public confidence in the profession.
Employees.
If you are applying for a post or are a current or former employee of BASRaT we will use your personal data to:
Process and manage your application, including verifying the information that you have provided. In doing so, we may share it with third parties (such as referees, educators, former employers or regulators);
share it with third parties who provide payroll or pension services;
manage and develop our relationship with you;
investigate concerns raised about you or by you in your capacity as an employee;
fulfil any legal or regulatory requirements as necessary in our role as an employer. For full information please refer to our “Employee Privacy Policy”.
Data sharing, disclosure and transfer to third parties.
There are a number of occasions where it will be necessary for BASRaT to share personal data collected with other organisations.
We may be required to disclose personal information in response to requests from a court, tribunal, other healthcare regulator, or otherwise as part of the litigation process or as part of our regulatory function. We may also be required to disclose your personal data for recruitment or membership vetting purposes.
BASRaT will only share personal data with or otherwise disclose personal data where there is a legal basis for doing so. No data sharing or disclosure is permitted without a legally enforceable agreement for doing so. We will never provide your personal data to third parties for their marketing purposes.
International transfers.
We would only transfer data outside of the European Union (the EU) where it was necessary to:
fulfil our regulatory functions;
satisfy public interest (for example, to a regulator in another country);
defend legal claims;
or where the data subject had provided explicit consent.
Any transfers outside of the EU will be compliant with the conditions for transfer set out in Chapter V of the GDPR. We will only transfer your personal data outside the EU where the organisation receiving the personal data has provided adequate safeguards.
Data Security.
We will ensure that we only collect data for the purposes outlined above. We will not go on to process data in any way that is incompatible with the original purposes. We will process personal data in a way that is adequate, relevant and limited to what is necessary for our purposes and will handle such data in line with the requirements of the GDPR and DPA. We will develop, implement and maintain appropriate data security systems to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This will ensure a level of security appropriate and proportionate to the risks arising from the processing of personal data.
Retention Periods for Data.
We will ensure that data is not kept in an identifiable form for any longer than is required for our interests and functions as a regulator or as is required under any relevant legal or regulatory requirements. Due to our regulatory function, we are required to keep some data for longer periods of time. For example, we keep Fitness to Practise files beyond the closure of the case. This is so that we can refer back to that information should an allegation be raised against a registrant or our decision making is challenged. Other forms of data, such as educational data and employment information, may also be kept for longer periods of time for statistical purposes.
Record Keeping.
BASRaT keeps and maintains accurate corporate records.
Privacy by design.
BASRaT will seek to implement appropriate technical and organisational measures (for instance the encryption or pseudonymisation of personal data), in an effective manner, to ensure compliance with data privacy by design principles.
BASRaT will also integrate safeguards into data processing to meet the GDPR requirements and protect data subjects’ rights. In doing so, BASRaT will assess what privacy by design measures can be implemented on all programmes, systems and processes that process Personal Data by taking into account the following:
the cost of implementation;
the nature, scope, context and purposes of processing; and
the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
Data protection impact assessments.
BASRaT will consider the need for, and where appropriate go on to conduct, Data Protection Impact Assessments (DPIAs) in respect of its Processing. BASRaT will conduct a DPIA (and discuss the findings with BASRaT’s DPO) where it is undertaking a new processing activity and where the Processing is likely to result in a high risk to the rights and freedoms of natural persons or in connection with surveillance activities. The record of the DPIA must be filed with the DPO.
Automated processing and decision making.
Generally, BASRaT does not engage in automated processing/profiling, or automated decision making. Where BASRaT does engage in automated decision making/profiling, BASRaT will take steps to inform the data subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the data subject the right to request human intervention, express their point of view or challenge the decision. Where possible BASRaT will do this prior to the decision being taken.
Your rights in respect of data processing.
BASRaT is committed to respecting the rights you have in relation to your personal data. The GDPR provides the following rights for individuals:
The right to be informed.
We will be open and transparent about the information we process, the retention periods for the data we store, who we share the data with and how we use it. We will regularly review our privacy information and bring to your attention new uses of data before we start the processing. We do that through this policy and the provision of more specific information as necessary/on request.
The right of access.
You have a right to access the information that we hold about you. You can request this by making a “subject access request” to us verbally or in writing. We will not charge you for this unless there are extenuating circumstances, as detailed below. We will aim to provide you with this information within 1 month. If your request is for a large amount of information, we may extend this period by a further two months; we will inform you if this is the case. We can refuse to comply with a request in circumstances where it is manifestly unfounded, repetitive or excessive. If the request is deemed to be manifestly unfounded, repetitive or excessive, we can charge you a “reasonable fee” to deal with the request, or refuse the request.
The right to rectification.
If we hold inaccurate information about you, you have the right to request it be corrected. You can make this request verbally or in writing to the Data Protection Officer. If you are a registrant or member of BASRaT you can update your information through securely logging in to your members portal on the BASRaT website.
The right to erasure.
You have the right to request that your data be deleted. However, we will be unable to comply with such a request where processing is necessary for:
Public health purposes in the public interest (e.g. ensuring high standards of quality and safety of health care);
To exercise the right of freedom of expression and information;
To comply with a legal obligation;
The performance of a task carried out in the public interest or in the exercise of an official authority;
Archiving purposes in the public interest or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
The establishment, exercise or defence of legal claims.
The right to restrict processing.
You have the right to request that the processing of your data is restricted in certain circumstances. This may be when you feel the information we hold is inaccurate or you have concerns with how we have obtained it. If a valid request of this type is made, we can still store your data, but we cannot use it. In some circumstances, we can still use the information, for example, where it is for reasons of important public interest. The restriction can be lifted when:
we are given explicit consent to do so;
we override the restriction based on legitimate grounds (e.g. processing is necessary for public interest);
we have rectified inaccurate information and informed the data subject.
The right to portability.
This right allows you to easily switch between service providers by obtaining your personal data in an easily reusable format. There may, sometimes, be legitimate reasons why we cannot undertake the transmission (for example, if it would adversely affect the rights or freedom of others).
The right to object.
You can make a request that we stop processing your data. However, some of the data we process is necessary to perform our regulatory function in the public interest and for legitimate interests. If processing your data is needed to perform these tasks it is likely that we will be unable to agree to stop processing your data. Additionally, if we can demonstrate that our reasons for processing your data are more compelling than your reasons for wanting us to stop, then we can refuse your request.
Rights in relation to automated decision making and profiling.
You have a right to stop your personal data being used to make decisions about you without human involvement. We do not use your data to carry out any profiling or automated decision making.
Sources of personal data we collect.
The majority of information we collect is provided by you as an applicant, registrant or member of the public. In certain circumstances, we may obtain data from other sources where information is publicly available. For example, contact information published on a website or social media.
The existence of automated decision making, including profiling.
We do not have any automated decision-making or profiling processes or systems.
Our response to your rights.
You can decide to exercise any of your rights by contacting the BASRaT Data Protection Officer (DPO) either verbally or in writing to:
BASRaT Data Protection Officer
PO Box 627
Manchester
M14 0PN
Tel: 0330 133 2123
Email: registrar@basrat.org
If you choose to exercise any of your rights, we will respond to your request within one calendar month.
Your right to withdraw consent.
We do not generally rely on consent for the processing of data. We rely on the lawful bases, as outlined in section 4 of this document. However, if consent is the lawful basis for processing, individuals are advised that it can be withdrawn at any time by contacting our DPO (details above).
Complaints.
You can contact the Information Commissioner's Office (ICO) to discuss any concerns you have about our processing of your personal data.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
Accessible information.
If you require any further information or require this document in a more accessible format, please make contact with the BASRaT office via administration@basrat.org or 0330 133 2123.