CONTACT 01692 598691 or 01692 598432 secretary@hicklingbarn.com NR12 0YU

Data Protection




This policy applies to the work of the Hickling Playing Field or Recreation Ground Charity (HPFRGC). It details how personal information will be gathered, stored, and managed in line with data protection principles and the General Data Protection Regulation. The policy is reviewed on an ongoing basis by HPFRGC trustees to ensure that the charity is compliant. This policy should be read in tandem with our privacy policy.


This data protection policy ensures that HPFRGC:

  • Complies with data protection law and follows good practice.
  • Protects the rights of members, staff, customers and partners.
  • Is open about how it stores and processes the data submitted by charity members and persons hiring charity facilities (customers).
  • Protects itself from the risks of a data breach.


  • The only people able to access data covered by this policy should be those who need to communicate with, or provide a service to, the members and customers of HPFRGC.
  • Data should not be shared informally or outside of HPFRGC.
  • HPFRGC will provide induction training to committee members and trustees to help them understand their responsibilities when handling personal data.
  • Committee members and trustees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used and they should never be shared.
  • Personal data should not be shared outside HPFRGC unless with prior consent and/or for specific and agreed reasons.
  • Member and customer information should be reviewed and consent refreshed periodically or when the policy is changed.


The General Data Protection Regulation identifies eight data protection principles.

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner

Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary.

Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate are erased or rectified without delay.

Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.

Principle 6 - Personal data must be processed in accordance with the individuals’ rights.

Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 8 - Personal data cannot be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.


HPFRGC requests personal information from members for the purpose of sending communications about their involvement with HPFRGC. It also receives information from customers who hire the charity’s facilities. The forms used to request personal information will contain a privacy statement informing members and customers why the information is being requested and what the information will be used for. Members and customers will be asked to provide consent for their data to be held and a record of this consent will be securely held. HPFRGC members and customers will be informed that they can, at any time, remove their consent and how to do so. Once a HPFRGC member or customer requests not to receive certain communications this will be acted upon promptly and the individual will be informed when the action has been taken.


Members and customers will be informed as to how their information will be used and the trustees of HPFRGC will seek to ensure that information is not used inappropriately. Appropriate use of information provided by members and customers will include:

  • Communicating with members and customers about HPFRGC’s events and activities.
  • Communicating with members about specific issues relating to the charity that may have arisen during the course of their membership.

HPFRGC will ensure that trustees and committee members are made aware of what would be considered appropriate and inappropriate communication. Inappropriate communication would include sending HPFRGC members and customers marketing and/or promotional materials from external service providers.

HPFRGC will ensure that information is managed in such a way that the following individual rights are not infringed:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.


Members and customers of HPFRGC will only be asked to provide information that is relevant for communication purposes. This may include:

  • Name
  • Postal address
  • Email address
  • Telephone number

When additional information is required, eg. health-related information for gym members, this will be obtained with the specific consent of the member who will be informed why this information is required, and the purpose that it will be used for.

There may be occasional instances where personal data needs to be shared with a third party due to an accident or incident involving statutory authorities. Where it is in the best interests of the individual, or where HPFRGC has a legitimate concern, then consent does not have to be sought from the individual.


HPFRGC has a responsibility to ensure personal information is kept up to date. Members and customers will be requested to let the secretary know if any of their personal information changes.


HPFRGC trustees are responsible for ensuring that the charity remains compliant with data protection requirements and provide evidence that it has. For this purpose, those from whom data is obtained will be asked to provide consent. The evidence of this consent will then be securely held as evidence of compliance. HPFRGC trustees shall ensure that new trustees or committee members receive an induction into how data protection is managed within HPFRGC and the reasons for this. Trustees and committee members shall also stay up to date with data protection guidance and practice. The trustees will review data protection, and who has access to information, on a regular basis as well as reviewing what data is held.


The trustees of HPFRGC have a responsibility to ensure that data is both securely held and processed. This will include:

  • Using strong passwords
  • Not sharing passwords
  • Restricting the sharing of personal information to those who need to communicate with members and customers on a regular basis.
  • Using password protection on computers and other devices that contain or access personal information.
  • Using password protection or secure cloud systems when sharing data between trustees and committee members.
  • Providing firewall security for trustees' or committee members' computers or other devices that contain or access personal information.


HPFRGC members and customers are entitled to request access to the information that is held by HPFRGC. The request needs to be in writing to the secretary. Once received, the request will be formally acknowledged and dealt with within 14 days unless there are exceptional circumstances why the request cannot be granted. HPFRGC will provide a written response detailing all information held on the individual. A record shall be kept of the date of the request and the date of the response.


If a member or customer believes there has been a data protection breach by HPFRGC, they will be asked to provide an outline of their concerns. If the initial contact is by telephone, the individual will be asked to send an email or a letter detailing their concern. This will be investigated by trustees who are not implicated in the breach. Alleged breaches will be subject to a full investigation, records will be kept, and all those involved notified of the outcome. If a data breach is found, action will be taken to minimise the harm by ensuring all trustees and committee members are aware of the breach and how it had occurred. The trustees will seek to rectify the cause of the breach as soon as possible. The Chair of HPFRGC will decide where necessary if the Information Commissioner's Office should be notified.