SECTION 4: POLICIES

4.8 Privacy Policy

1 Introduction
1.1 As an organisation registered in Great Britain, the International Sports Federation for Athletes with an Intelectual Impairment (including all brandnames ‘Virtus’ and ‘The Virtus Academy’ complies with the Data Protection Act 2018 and the Regulations made under it. These Regulations are referred to as UK-GDPR and they mirror the requirements of the European General Data Protection Regulation (EU-GDPR). VIRTUS is registered with the Information Commissioners Office (ico.org.uk) in Great Britain.

1.2 VIRTUS is committed to protecting information and your privacy. This statement is made in order to comply with best practice regarding Data Protection and to inform on VIRTUS’ data processing practices which will govern the processing of personal data.

1.3 As a membership organisation, VIRTUS also expects and encourages all Member Organisations, Local Organising Committees and other organisations who conduct activity on behalf of VIRTUS to comply with the relevant local legislation and good practice in their area.

2 How does VIRTUS collect information?
2.1 VIRTUS will obtain personal information in a number of ways. This might include:
a) when registering as a member organisation representative
b) when applying for athlete eligibility
c) when entering an event, competition, conference or meeting
d) when elected to or applying for, an official position within the organisation
e) when making a donation, general enquiry or complaint
f) when participating in a research programme or activity
g) when involved in mandatory programmes such as anti-doping
h) when visiting VIRTUS social media pages

2.2 VIRTUS may also receive personal information from third parties, where you have given your consent to do so and subject to the privacy policy of the third party.

3 What information does VIRTUS collect?
3.1 The types of information VIRTUS collects will be relevant and proportional to the purpose for which it is being collected and may include names, addresses, dates of birth, gender, email addresses, telephone numbers, sport history, medical information relating to classification and eligibility, medical conditions that may affect safe participation in events, credit/debit card or bank account information, work history/qualifications and experience, and information regarding any criminal record. For athletes, VIRTUS will also collect medical and psychological information to so support an eligibility application.

4 How does VIRTUS use personal information?
4.1 VIRTUS will use personal information:
a) to provide the information or service a person has requested
b) to uphold the principles of athlete classification and eligibility
c) to ensure compliance with doping control and uphold the principles of fair sport
d) to ensure the successful and safe delivery of events and competition
e) for administration and membership management purposes
f) to further VIRTUS’ charitable aims and to comply with the law.
g) as part of research programmes

4.2 VIRTUS will not share personal information with other third-party organisations including corporate and media partners that we may work with, unless we have a persons specific consent.
However, in certain circumstances, and where it is an essential part of providing the service requested (for example event entry or managing athlete eligibility and classification) VIRTUS may share personal information with specific partner organisations, member organisations and legal authorities.

4.3 VIRTUS will never sell personal details or the information we hold.

4.4 VIRTUS will publish certain athlete information (name, nationality, date of birth, gender, sport and registration status) in the VIRTUS Master List which is an essential service.

5 Data Controller
5.1 The VIRTUS Executive Officer will be the person with responsibility for data protection and management within the organisation.

6 Data Storage and External Processors
6.1 VIRTUS uses third party organisations to store and manage data, for example cloud-based services. We will only use reputable suppliers and ensure that all such services are compliant with UK-GDPR and that appropriate security measures are implemented.

6.2 Where personal information is used by Local Organising Committee, we will require that organisation to develop suitable data protection policies, and to destroy all information held (unless needed for any insurance or legal purposes) within 12 months of the conclusion of that event except where consent to retain
data has been given.

7 The VIRTUS website, use of ‘cookies’ and analytics?
7.1 ‘Cookies’ are small pieces of information sent to a computer and stored on a hard drive when visiting the VIRTUS website.

7.2 Analytics information allows VIRTUS to track visitors to the VIRTUS website and social media channels.
7.3 Both cookies and analytics information collected by VIRTUS is non-identifiable, i.e. we cannot identify an individual person, however in line with good practice we will only collect cookies where a visitor has given us permission to do so when entering the site.

7.4 A visitor can change their cookie preferences at any time by amending the settings in their web browser.

7.5 VIRTUS will retain analytics information for up to 3 years from the most recent visit.

7.6 This privacy policy applies to the VIRTUS websites only and not to any linked or 3rd party sites. VIRTUS does not pass on any personal information to any other site when following a link.

8 Data Retention
8.1 VIRTUS takes appropriate measures to ensure that the information we hold is kept secure, accurate and up to date and kept only for so long as is necessary and for the purposes for which it is used.

8.2 When data is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction.

8.3 For some legal processes and essential services (such as information regarding athlete eligibility, doping control and competition results) it is necessary for VIRTUS to retain data indefinitely.

8.4 Information relating to officers and staff will be retained for the legally necessary period or five years after the person has left, whichever is the longer.

9 Under 18-year olds
9.1 The parent/guardian’s, or the persons representative*, will normally need to give permission before VIRTUS can hold information concerning anyone under the age of 18.

10 Informed consent
10.1 The parent/guardian’s, or the persons representative*, will normally need to give permission before VIRTUS can hold information concerning anyone who is above the age of 18, but is without legal capacity to give informed consent.

10.2 In many cases the representative will be the VIRTUS member organisation representative.

11 Consent
11.1 VIRTUS will clearly state in any website, document or form when requesting consent to provide personal data, including sensitive personal data such as eligibility and medical evidence. This will be done clearly and unambiguously and will state the purposes for which it is needed. By consenting, a person is agreeing to the use of any information provided for the stated above purpose and in accordance with this privacy policy.

12 Right of access and rectification
12.1 Individuals have the right to ask for a copy of the information held (for which VIRTUS may charge a small administration fee) and to have any inaccuracies corrected. Such requests should be made in writing to the data controller.

13 Right to be ‘forgotten’
13.1 Subject to the provisions regarding essential services described above, individuals have the right to request VIRTUS to delete all personal information we hold about that person any time. This request must be made in writing to the data controller.

14 Changes to this policy
14.1 VIRTUS reserves the right to amend this privacy policy at any time. If this happens, VIRTUS will post notice of the change on the website.