Data Protection Handling Policy

Policy Details

  • 1. Introduction

    Boxing Futures Ltd (“Boxing Futures”, “company”, “we”, “us”, and “our”) takes data protection seriously. We need to gather and use certain information about individuals, these can include our service users, suppliers, business contacts, employees, and other people the organisation has a relationship with or may need to contact during our business and charitable activities.

    This data protection handling policy (“Policy”) ensures Boxing Futures:

    • Complies with data protection law and follows good practice
    • Protects the rights of staff, customers, and partners
    • Is open about how it stores and processes individuals’ data
    • Protects itself from the risks of a data breach

    This Policy describes how personal data must be collected, handled, and stored to meet our data protection standards and to comply with the General Data Protection Regulation (EU) 2016/679, including without limitation the Data Protection Act 2018 and the UK GDPR (together “Data Protection Law”).

    For the purposes of the Data Protection Law, Boxing Futures is the controller of the personal data processed. This means that we are responsible for deciding how we hold and use personal data.
    It is important that you read this Policy, together with our website Privacy Policy available at https://boxing-futures.org.uk/privacy-cookie-policy/.

  • 2. Data Protection Law

    Data Protection Law sets out seven key principles that describe how organisations – including Boxing Futures – must collect, handle and store personal data. These principles lie at the heart of our approach to processing personal data regardless of whether data is stored electronically, on paper or on other materials.

    The principles do not give hard and fast rules, but rather embody the spirit of the general data protection regime – and as such, there are very limited exceptions. Compliance with the spirit of these key principles is a fundamental building block for our good data protection practice. It is also key to our compliance with the detailed provisions of the Data Protection Law.
    Failure to comply with the principles leaves us open to substantial fines.

    The seven principles are:
    1. Lawfulness, fairness, and transparency: whenever we are processing personal data, we should have a good reason for doing so.
    2. Purpose limitation: we should only use personal data for specific activities and our purposes for using the personal data should be clearly established (such as in our website Privacy Policy).
    3. Data minimisation: we should only collect the smallest amount of data we will need to complete our purposes.
    4. Accuracy: we should ensure the data we collect, and store is accurate. It is important to set up checks and balances to correct, update, or erase incorrect or incomplete data that comes in.
    5. Storage limitation: we must justify the length of time you are keeping each piece of data we store. Data retention periods are a good thing to establish to meet this storage limitation policy.
    6. Integrity and confidentiality (security): we should maintain the integrity and confidentiality of the data you collect, essentially keeping it secure from internal or external threats. We must protect data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
    7. Accountability: we must have appropriate measures and records in place as proof of our compliance with the data processing principles.  Supervisory authorities can ask for this evidence at any time.

    We explain some of the key principles further below.

  • 3. Policy Scope

    This Policy applies to all staff and volunteers of Boxing Futures, and all contractors, suppliers and other people working on behalf of Boxing Futures.

    The Policy also applies to all data that the company holds relating to identifiable individuals (“personal data”), as well as any other data that is processed by Boxing Futures. This includes personal data, including (but not limited to):
    • Names of individuals
    • Postal addresses
    • Email addresses
    • Telephone numbers

  • 4. Data protections risks

    This Policy helps to protect Boxing Futures from some very real data security risks, including:
    • Breaches of confidentiality. For instance, information being given out inappropriately.
    • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
    • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

  • 5. Responsibilities

    Everyone who works for or with Boxing Futures has some responsibility for ensuring data is collected, stored, and handled appropriately. Everyone that handles personal data must ensure that it is handled and processed in line with this Policy and data protection principles. The following roles have the following duties –

    • The board of directors is ultimately responsible for ensuring that Boxing Futures meets its legal obligations under Data Protection Law.
    • The Chief Executive Officer is responsible for:
    o Keeping the board updated about data protection responsibilities, risks, and issues.
    o Reviewing all data protection procedures and related policies, in line with an agreed schedule.
    o Arranging data protection training and advice for the people covered by this Policy.
    o Handling data protection questions from staff and anyone else covered by this Policy.
    o Dealing with requests from individuals to see the data Boxing Futures holds about them (also called ‘subject access requests’).
    o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

    • The Chief Executive Officer (or a nominated officer) is also responsible for:
    o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
    o Performing regular checks and scans to ensure security hardware and software is functioning properly.
    o Evaluating any third-party services, the company is considering using to store or process data. For instance, cloud computing services.
    o Approving any data protection statements attached to communications such as emails and letters.
    o Addressing any data protection queries from journalists or media outlets like newspapers.
    o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

  • 6. General staff guidelines

    All staff, including any contractors and volunteers, must follow the following guidelines: –
    • The only people able to access data covered by this Policy should be those who need it for their work.
    • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
    • Boxing Futures will provide training to all employees to help them understand their responsibilities when handling data.
    • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
    • Strong passwords must be used, and they should never be shared.
    • Personal data should not be disclosed to unauthorised people, either within the company or externally.
    • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
    • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

  • 7. Processed for limited purpose

    We will not use data for a purpose other than those agreed by data subjects. If the data held by us are requested by external organisations for any reason, this will only be passed if data subjects give their informed consent (except where we are legally required to share the information even where consent is not provided).

  • 8. Not kept longer than necessary

    We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us after one year of non-membership has elapsed or in accordance with our data retention schedule.

  • 9. Data Storage

    These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or the Chief Executive Officer in their absence.

    When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
    • When not required, the paper or files should be kept in a locked drawer or filing cabinet.
    • Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
    • Data printouts should be shredded and disposed of securely when no longer required.

    When data is stored electronically, it must be protected from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to:
    • Data should be protected by strong passwords that are changed regularly and never shared between employees.
    • If data is stored on removable media (like a USB memory sticks, CD or DVD), these should be kept locked away securely when not being used.
    • Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing services by Boxing Futures.
    • Servers containing personal data should be sited in a secure location, away from general office space.
    • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
    • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
    • All servers and computers containing data should be protected by approved security software and a firewall.

  • 10. Data Use

    Personal data is of no value to Boxing Futures unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption, or theft:
    • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
    • Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure.
    • Data must be encrypted before being transferred electronically.
    • Personal data should never be transferred outside of the European Economic Area or the UK, unless there are adequate safeguards in place in line with Data Protection Law.
    • Employees should avoid saving copies of personal data to their own computers where possible. Always access and update the central copy of any data.

  • 11. Data Accuracy

    The Data Protection Law requires Boxing Futures to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

    • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
    • Staff should take every opportunity to ensure data is updated. For instance, by confirming customer’s details when they call.
    • Boxing Futures will make it easy for data subjects to update the information Boxing Futures holds about them. For instance, via the company website.
    • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
    • It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

  • 12. Individual’s rights and subject access requests

    All individuals who are the subject of personal data held by Boxing Futures have the following rights:
    • The right to access: The right to request a copy of their personal data which Boxing Futures holds about them, where possible this will be provided within 30 days of request. If an extension is required due to the complexity of the request, then this will be agreed in writing by both parties.
    • The right to rectification: The right to request that Boxing Futures corrects any personal data if it is found to be inaccurate or out of date.
    • The right to erasure: The right to request that their personal data is erased where it is no longer necessary for Boxing Futures to retain such data.
    • The right to restrict processing: The right, where there is a dispute in relation to the accuracy or processing of their personal data, to request a restriction is placed on further processing.
    • The right to object to processing: The right to object only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics.
    • The right to data portability: The right to request that their personal data, where possible, is transmitted to another controller. This right only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the controller processes the data by automated means.
    • The right to lodge a complaint: with the Information Commissioners Office, https://ico.org.uk.

    If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals can be made verbally or in writing, including on social media. A request is valid if the individual is asking for their own personal data. An individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.

    If a subject access request has been made to you or if you would like to make a subject access request on your behalf, please notify Anthony York at anthony.york@boxing-futures.org.uk as soon as practicable.

    In most cases, you cannot charge a fee to comply with a subject access request. However, a reasonable fee for the administrative costs of complying with a request may be charged but only if it is manifestly unfounded or excessive, or if an individual requests further copies of their data. We must comply with a subject access request without undue delay and at the latest within one month of receipt of the request. The time for a response can be extended by a further two months if the request if complex or we have received several requests from the individual. If we decide that it is necessary to extend the time limit by two months, we must let the individual know within one month of receiving their request and explain why.

  • 13. Disclosing information for other reasons

    In certain circumstances, the Data Protection Law allows personal data to be disclosed to law enforcement agencies without the consent of the individual/data subject. Under these circumstances, Boxing Futures will disclose the requested personal data. However, we must ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

  • 14. Providing Information

    Boxing Futures aims to ensure that individuals are aware that their data is being processed, and that they understand how the data is being used, and how to exercise their rights. To these ends, the company has a Privacy Policy on our website, https://boxing-futures.org.uk/privacy-cookie-policy/, setting out how data relating to individuals is used by the company.

  • 15. Policy Approval

    This policy was approved on 26th October 2023.

    Review date: October 2024.

  • Contacting us

    If you have any questions about this policy, please contact us:

      • Email: info@boxing-futures.org.uk
      • Call: 0300 102 4452
      • Write to us at our office address:
        Boxing Futures Ltd,
        12 Crusader Court, Harrier Way, Eagle Business Park, Peterbrough PE7 3PU

    Or you can contact us about our Code of Conduct Policy here:

    CONTACT US
  • About Boxing Futures

    This website is owned and operated by Boxing Futures Ltd

    We are a charity registered in United Kingdom No.1162086

    Our registered office is:
    Anzo Group, 25 Golden Square, London W1F 9LU