Privacy notice for Sports Governance Academy

The Sports Governance Academy (SGA) is the governance support hub for the sports and physical activity sector. It is provided by The Chartered Governance Institute in partnership with Sport England to help everyone leading, working and volunteering in sports organisations to develop good governance in order to achieve their goals.

This privacy notice sets out the data processing practices of The Chartered Governance Institute as the Data Controller for the SGA. The Chartered Governance Institute UK is the qualifying and membership body for governance professionals, operated under Royal Charter (RC000248). Our registered office is at Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Please note that all data thus captured will be used and held in accordance with the requirements of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR).

We have notified the Information Commissioner’s Office (ICO) of our processing operations and our ICO registered number is Z656922X

This notice explains:

• What the Sports Governance Academy does
• How to contact us about our use of your personal data
• Why we process personal data and the legal basis for it
• How we use personal data for marketing purposes
• Recipients of personal data for processing on our behalf
• Our data retention periods
• Your rights as a data subject
• Cookie policy and use
• Third-party websites
• The security of the personal data that we hold
• Changes to our policy and practice

What the SGA does

As the governance support hub for the sports and physical activity sector, we help everyone leading, working and volunteering in sports organisations to develop good governance in order to achieve their goals.

Our goal is to improve the standard of governance in sports organisations in England by supporting, developing and connecting the people who work with, and have an interest in governance in sport. Our services include the provision of:

• Resources to support all aspects of governance practice
• Training courses and webinars to develop governance skills and knowledge
• Networking events and conferences to support the sports governance community

Our services are provided for Sport England funded partners at Tiers 2 and 3. Some elements, such as our resources, are freely available to all with an interest in sport governance.

How to contact us about your personal data

The Chartered Governance Institute is the data controller of the Sports Governance Academy.  If you have any requests about your personal data or queries with regard to how we handle your data you can contact the Information Manager by phone on +44 (0)20 7580 4741, email do@cgi.org.uk, or write to us at Information Manager, The Chartered Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Why we process your personal data

We collect and process your personal data in order to provide the Sports Governance Academy services. These include the provision of training courses, webinars, conferences, networking events, blog and report publications, and access to a knowledge base.

In order to provide these services and tell people about them, we collect data directly from individuals through online registration on the Sports Governance Academy website and forum and through the online registration for our events on Eventbrite.

The table below shows our data processing activities in more detail.

 

The legal basis on which we process personal data

We rely upon the different legal basis for the processing of personal data according to the relationship and purpose for which it is collected, as explained below.

Contractual

We need to process personal data about the users of the Sports Governance Academy in order to deliver and administer the services that we provide.

The contract with users includes delivering knowledge, learning and networking services and providing advice and support about sports governance.  SGA users are made up of people who work or volunteer for Sport England funded partner organisations at Tiers 2 and 3 and people from other organisations and locations with an interest in sports governance. Funded partners can access all services, other users can access knowledge services and participate in other activities by request or invitation. We ask for information about users organisation and location in order to provide the right service to them.

Legitimate interest

We keep our users informed about new developments to our resource, events and community support services on the basis of legitimate interest. It is in both the interest of the SGA and its users that they are aware of the activities and initiatives from which they can benefit. This kind of information is also a legitimate part of what anyone subscribing to an education service provided by a professional body might reasonably expect to receive. These updates take place through a regular monthly e-newsletter and the periodic distribution of content updates or key date notifications via email.

We also undertake research to raise the profile of sports governance and those involved in it. This may involve surveys, consultations and interviews.  In many cases, this will involve contact with registered SGA users, and contact with others in roles that are part of, or are linked with, the sports governance profession. This is also a legitimate interest as it is the kind of activity that might reasonably be expected of an educational service provided by a professional body. 

Consent

We seek consent from our users to send them marketing information. Consent is sought for:

• • Marketing information about new SGA services
  • Marketing information about The Chartered Governance Institute products and services that are relevant to sports governance
  • Marketing consent is sought for email

How we use data for marketing purposes

Consent

We gain marketing consent from individuals through the online a self-registration process.

In accordance with the DPA, the Institute requires marketing consent to be freely given, specific and fully informed. It is revocable at any time and we keep a digital record of your consent including when consent is given or withdrawn.

Marketing consent has to be given directly to us by the individual concerned and cannot be given by a third party.

For marketing consent to be fair and transparent, our privacy notice is available at the point at which consent is collected so that you understand what you are consenting to and how you can change it.

If you opt-in to marketing, we will use your personal information to send you the information that you have consented to receive about services that will be most relevant to you. We will never pass your personal data to third parties for marketing purposes.

If at any point you would like to opt-out of receiving communications from us please contact do@cgi.org.uk or write to the Information Manager at  The Chartered Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Recipients of personal data for processing on our behalf

In carrying out our business, including meeting our obligations to our registered users, funding partners and other stakeholders, we use specialist sub-contractors who process the personal data that the SGA holds on our behalf. These are:

• • Eventbrite for the provision of event booking services (Note: Eventbrite transfers of data are carried out outside of the EU.
  • Eventbrite participate in and comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce.
  • You can view Eventbrite’s Privacy Shield Framework https://www.eventbrite.ie/support/articleredirect?anum=31015)
  • Mailchimp for email broadcasting services (Note: Mailchimp transfers of data are carried out outside of the EU.  Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield website available here.)
  • Mailgun for email broadcasting services (triggered service emails) (Note: Mailgun transfers of data are carried out outside of the EU. The EU-US Privacy Shield is one of the lawful mechanisms they use to transfer data between the EU and the US. Mailgun is self-certified to the EU-US Privacy Shield Framework maintained by the US Department of Commerce (Privacy Shield). You can inspect Mailgun’s certification in the Privacy Shield list of the US Department of commerce by searching for “Mailgun" here https://www.privacyshield.gov/list. In addition to the Privacy Shield, our DPA includes the EU Standard Contractual Clauses, which are another a valid mechanism for the transfer of data outside of the EEA. The Standard Contractual Clauses are model clauses published by the EU commission and designed to facilitate transfers of personal data from a data exporter located in the EEA and a data importer located outside of the EEA.)
  • Umbraco for the provision of a Content Management system and Database
  • Unicorn for the provision of e-learning services
  • Tribe for the provision of an online community platform

We will ensure that all the suppliers that we work with are required to respect your privacy and abide by all data protection laws.

Retention periods

We retain your personal data whilst you are registered with the Sports Governance Academy and for 12 months thereafter. After this time your name and contact details are securely deleted.

Data subject’s rights

You have the following rights in respect of your personal data.  In order for you to exercise these rights, we will need to confirm your identity. This may be by you providing your email address or a form of ID such as a passport or driving licence so that we can verify that you are the data subject before releasing information to you.

The right to be informed

You have the right to be told about the collection and use of the personal data you provide. This privacy notice sets out the purpose for which we process your personal data, how long we will keep your data and with whom we will share your data. If you have any questions on how and why we process your data, please contact the Information Manager. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

Right of access

You have the right to know whether we are processing your personal data and to a copy of that data. We would need as much information as possible to enable us to locate your data. We will respond to your request within 28 days of receipt of your request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Right to rectification

You have the right to have any incorrect personal data corrected or completed if it is incomplete. You can make this request verbally or in writing. We will need as much information as possible to enable us to locate your data. We will look at any request and inform you of our decision within 28 days of receiving the request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

Right to erasure

This right often referred to as the right to be forgotten, allows you to ask us to erase personal data where there is no valid reason for us to keep it. We will look at any request and inform you of our decision within 28 days of receiving the request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Right to restrict processing

You have the right to ask us to restrict the processing of your data. We will look at any request and inform you of our decision within 28 days of receiving the request.  If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

Right to data portability

You have the right to move, copy or transfer your personal data from one IT environment to another. This right applies to data that you have provided to us and that we are processing on the legal basis of consent or in the performance of a contract and where that processing is by automated means. We will respond to your request within 28 days of receipt of your request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

Right to object

You have the right to object to our processing of your personal data based on (i) legitimate interests, or for the performance of a task in the public interests/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) for purposes of scientific/historical research and statistics.

• • Legitimate interests/legal task – your objection should be based on your particular situation. We can continue to process the data if we can demonstrate compelling legitimate grounds which override your interests.
  • Direct marketing – you have an absolute right to ask us to stop processing for the purposes of direct marketing. We will action your request as soon as possible.
  • Scientific/historical research and statistics - your objection should be based on your particular situation. If we are conducting research where the processing is necessary for the performance of a public task, we can refuse to comply with your objection.

If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

Rights relating to automated decision making including profiling

You have rights in respect of automated decision making, including profiling. Where we carry out solely automated decision making, including profiling, which has legal or similarly significant effects on you, we can only do this if it is in connection with a contract with you, we have a right under law or you have provided your explicit consent. We will tell you if this happens and tell you how you can request human intervention or challenge the decision. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

Processing based on consent

Where we process your personal data based on your consent you have the right to withdraw that consent at any time without reason. You can do opt-out by using the unsubscribe option in any marketing that we send you.

The right to lodge a complaint to a supervisory authority

If you are unhappy with any aspect of our handling of your data, you can make a complaint to the Head of Secretariat at The Chartered Governance Institute  who will consider the matter for you: https://www.cgi.org.uk/making-a-complaint

If you are still not satisfied, you can make a complaint to the Information Commissioner’s Office: https://ico.org.uk/concerns/

Cookies

A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser.  Find out more about cookies on http://www.allaboutcookies.org/  

We use cookies to identify you when you visit this website and to keep track of your browsing patterns and build up a demographic profile of our site users so that we can continue to improve it.

Our use of cookies also allows registered users to be presented with a personalised version of the site, carry out transactions and have access to information about their account.

Most browsers will allow you to turn off cookies.  If you want to know how to do this please look at the menu on your browser, or look at http://www.allaboutcookies.org/  Please note, however, that turning off cookies will restrict your use of our website.

The table below demonstrates which cookies we use, what they do and what disabling them will mean for your continued use of our online services.

 

By continuing to use the SGA website you agree to accept cookies on your device in accordance with this policy. This policy only relates to our website and does not cover links to third parties.

Use of HotJar on our website

We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

Third-party websites

Our website may contain links to other websites that are outside our control and are not covered by this privacy notice.  If you access other sites using the links provided, the operators of these sites may collect information from you that will be used by them in accordance with their privacy policy, which may differ from ours.

The security of the personal data that we process

The Chartered Governance Institute protects the personal data that it holds to deliver the SGA service with technical and organisational security measures. Our cybersecurity arrangements and framework of data protection policies, procedures and training are kept under regular review to ensure that we keep the data we hold secure.

Changes to the privacy notice

This privacy notice was published on 24 April 2021. It is regularly reviewed and will be updated when necessary. If we make any significant changes, we will communicate them to you.

Queries

If you have any queries about the policy and how it affects you, please contact the Information Manager via do@cgi.org.uk or in writing at The Chartered Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.