The National Association for Leisure Industry Certification aims to ensure that all personal data collected about members and other individuals is collected, stored and processed in accordance with the Data Protection Act 2018 (DPA 2018), the UK General Data Protection  Regulation (UK GDPR), the Digital Economy Act 2017, the Human Rights Act 1998, PECR and all other relevant legislation.  We will act within the frameworks advised by the Information Commissioner’s Office.

This policy applies to all personal data, regardless of whether it is in paper or electronic format and irrespective of who the data subject is. The information and guidelines in this policy apply to the whole organisation.

Legislation and Guidance

This policy meets the requirements of the UK GDPR and the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) and the Information and Records Management Society (IRMS).  It follows the ICO’s code of practice for subject access requests.

We are committed to providing and maintaining a data environment that is safe by ensuring our representatives are appropriately trained and by producing additional policies and arrangements as detailed in this document including:

This Policy sets out our obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times including by employees, agents, contractors, or other parties working on our behalf. All those involved in processing data are responsible for assisting us in the achievement of our aims and objectives and will play a positive role in promoting a secure data processing environment where the rights and freedoms of the individual are protected.

Roles and Responsibilities

This policy applies to all NAFLIC representatives and any external organisations or individuals working on our behalf.

Data Protection Officer

The organisation does not require a data protection officer.

NAFLIC representatives

It is the responsibility of all those representing NAFLIC to maintain the quality of the data that we process and to comply with GDPR and the DPA 2018. Anyone who collects data, enters, extracts or analyses data on our IT system should be aware of how their job contributes to this function and the need to ensure the safety and accuracy of the data that they process. Personal data processed by our representatives shall:

Any questions or concerns about the interpretation or operation of this policy should be taken up with the secretary.

The Data Controller and Data Processor

We are both a "data controller" and "data processor" under the data protection regulations. This is because we determine the purpose and the means of processing of personal data as well as carrying out the processing itself of the personal data relating to members and others.

We hold and process information about members and other individuals (data subjects) for a variety of purposes such as to enable correspondence and communications. We have a Legal Basis for processing each category of information and these are clearly articulated in our Privacy Policy and Notice (See Appendix  A).

In this policy the term “personal data” describes any information that relates to an identified or identifiable living individual. This can be as simple as a name or a phone number or could include other factors such as pictures, biometric information or voice recordings. If it is possible to identify an individual directly or indirectly from the information being processed then that information will be classed as personal data.

Legal Obligations

We meet our legal obligations as laid down by the Data Protection Act 2018 by taking steps to establish appropriate retention periods for personal data and ensuring that data subjects' rights can be appropriately exercised. In addition to:

Commitment to GDPR Principles and Accountability Rule

The GDPR is based on data protection principles that we must comply with. Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The principles say that personal data must be:

In addition to the six principles of processing (above) we have a robust plan to demonstrate our compliance with the Accountability Rule of GDPR. We achieve this by regular oversight of data protection matters and implementing appropriate policies and procedures and will conduct Data Audits and Data Protection Impact Assessments as necessary.

Data Collection

Lawfulness, Fairness and Transparency

All processing of personal data which is undertaken by data users must be in compliance with the principles above. We will process personal data under the following legal reasons:

Special Category Personal Data

We do not at this time process special category personal data.

Limitation, Minimisation and Accuracy

We only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data. If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary.

When we no longer require the personal data that we hold we will ensure it is deleted or anonymised. This will be done in accordance with our Data Retention Schedule and Record of Processing Activities.


Consent will be requested on every occasion where we wish to use personal data for a reason other than that for which it was originally collected.

Responsibilities of Members

Members are responsible for ensuring that any personal data that they supply to us is accurate and kept up-to-date. In particular, changes of address, telephone number, email address or other personal details should be provided as soon as possible.

Biometric Recognition Systems

We do not use Biometric Recognition Systems.


We do not use CCTV.

Data Sharing

We will not normally share personal data with anyone else, but may do so where:

Our suppliers or contractors need data to enable us to provide services to our members.

When doing this, we will:

We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:

We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation.

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

Disclosure outside the EEA     

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. A decision will be made on a case-by-case basis should this situation arise.

Data Security and Storage of Records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure and against accidental or unlawful loss, destruction or damage. In particular:

Retention of Personal Data for Research and Archive Purposes

Despite the general requirement that data should be retained for no longer than is required, GDPR permits the retention of records for research and archival purposes. We have decided that there is no need for records to be kept for archive and research purposes past their retention period as laid out in our ROPA.

Disposal of Records

Personal data that is no longer needed, has become inaccurate or is out of date will be disposed of securely, where we cannot or do not need to rectify or update it.

We will shred paper-based records and overwrite or delete electronic files. We may also use a third party to safely dispose of records on our behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.

Data Breaches

We will make all reasonable endeavours to ensure that there are no personal data breaches. In the unlikely event of a suspected data breach, we will follow the procedure set out in Appendix C.

Data Subject Rights

GDPR gives rights to individuals in respect of personal data that an organisation holds about them.   Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.  Data Subject rights are:

Subject Access Requests

An individual who wishes to make a "Subject Access Request" (SAR) to obtain a copy of the personal data that we process about them may submit their request to the secretary in any format. Should we receive a SAR we will follow the procedure set out in Appendix D. We will respond to SARs within the required timescale of 30 days unless there are exceptional circumstances.

Other Data Protection Rights of the Individual

In addition to the right to make a subject access request and to receive information when we are collecting their data about how we use and process it, individuals also have the right to:

New or Additional Processing

Our representatives may:

Data Protection by Design and Default

We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

Monitoring arrangements

Review of the policy will be undertaken on a bi-annual basis or as required.

Appendix A – NAFLIC Privacy Policy

Privacy Statement

This privacy statement was updated on 21 April 2021 and is effective immediately. It tells you everything you need to know about how NAFLIC process, control and protect your personal data and the rights that you have in relation to that data. This privacy statement is regularly updated to reflect any changes in the way we handle your personal data or any changes to applicable laws.


NAFLIC is a membership organisation.

We attach great importance to your right to privacy and the protection of your personal data. We want our members to feel secure that when you deal with us your personal data is in good hands. We protect your personal data in accordance with the applicable laws and our data privacy policies. We have appropriate technical and organisational measures in place to protect your personal data against unauthorised or unlawful processing and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction or damage.


The Data Controller for all personal data collected by us is NAFLIC. We are responsible for deciding what data we collect and how we hold and use your personal data.


We collect personal data on our members so that we can interact with them.

What information do we hold and how do we collect it?


| What information we hold | What we use it for | Our lawful basis for holding this information | When we delete it |
| --- | --- | --- | --- |
| Your Name, address (if given), telephone numbers, email address | So that we can contact you regarding a contract we have with you | It is Necessary for a Contract we have with you | It is kept for our own records while we have a contract with you unless you request that we remove it from our database. Historical data is deleted after 6 years. |
| Your contact details for marketing communications | To send you details of offers and events | | We ask for explicit consent for marketing and you have the option to unsubscribe at any time |
| Information you have made publicly accessible, such as social media, online directories and internet searches | To interact with you online | Public information | Social media interactions on our company social media profiles will remain there until you request that we remove them. Historical data is deleted after 6 years. |
| Computer IP address and Cookie ID | When you contact us via our website. Our website contains a banner explaining what cookies are placed on your device. | It is Necessary for a Contract we have with you | Website data and history are kept for our own records for 6 years or until you advise us that we should remove it from our database |
| Bank account details | To receive payments | It is Necessary for a Contract we have with you | Transaction information is kept for 7 years |

Who do we share your personal information with?

We do not routinely share your information except in the following circumstances:

What happens if you do not wish to share your personal data with us?

Transferring your data outside of the United Kingdom

We do not share your personal information outside the United Kingdom.

Sensitive data

We do not process sensitive data (medical and disability information).


We are committed to data security and have appropriate organisational, physical and technical security measures in place.

We only process your personal data in accordance with the applicable data privacy laws (including the General Data Protection Regulation).


We will retain your personal data only for as long as is necessary (as listed in the table on page 1 of this policy). Thereafter personal data is deleted or destroyed in accordance with industry best practice.


You have the following rights with respect to your personal data:

  1. the personal data is no longer required for the purpose it was collected for.
  2. you withdraw consent (where processing is based on consent).
  3. you object to the processing (certain rules apply).
  4. the processing is for direct marketing purposes (we provide the option to unsubscribe in all our direct marketing communications). If you make an objection, we will cease to process your personal data for this purpose.
  5. the personal data has been unlawfully processed.

In all cases you must provide us with evidence of your identity before we will respond to a subject access request and we would prefer if your request could be sent to us in writing with a signed-for delivery service. We may contact you to confirm the details of your request in order to ensure that we provide the detail that you require.


Our website does not drop cookies.


Please contact us if you have any questions about how we protect your personal data or if you wish to exercise your rights in relation to your personal data or if you wish to make a complaint. In such circumstances please direct your enquiry to the secretary, Andrew Mellor, via email –

If you wish to make a complaint about our use of your data you have the right to contact the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (Tel: 0303 123 1113 or

Appendix B - IT Acceptable Use Policy

All representatives must read and comply with our Data Protection Policy and Privacy Notice. All those working with our IT equipment must ensure that they have read, and agree to abide by, the points below. Our systems and equipment are provided for professional use and the guidelines below apply to all use on premises, elsewhere via e-mail or ‘Remote Access’ and when using material stored on external devices such as USB memory sticks/hard drives. In complying, representatives agree to the following:

Data Protection and Privacy

Appendix C - Data Breach Procedure

This procedure is based on guidance on personal data breaches produced by the ICO.

On finding or causing a breach, or potential breach, the representative or data processor must immediately:

  1. A description of the nature of the personal data breach.
  2. The name and contact details of the DPO.
  3. A description of the likely consequences of the personal data breach.
  4. A description of the measures that have been, or will be taken, to deal with the breach and mitigate any possible adverse effects on the individual(s) concerned.
  5. Where all details are not yet known, the organisation will report as much as they can within 72 hours, explaining the reason for the delay and confirming when the organisation expects to have further information. The organisation will submit the remaining information as soon as possible.

  1. If the risk is high, the organisation will promptly inform all individuals whose personal data has been breached giving a description of the likely consequences of the personal data breach.
  2. Description of the measures that have been, or will be, taken to deal with the data breach and mitigate any possible adverse effects on the individual(s) concerned.
  3. If there is no risk to the rights and freedoms of individuals the organisation will annotate the breach log accordingly and consult with the Directors whether it is appropriate to advise the data subjects.

  1. Facts and cause.
  2. Effects.
  3. Action taken to contain it and ensure it does not happen again (such as establishing more robust processes or providing further training for individuals).

Details of all breaches will be appropriately recorded and maintained.

Actions to minimise the impact of data breaches

We will take the actions set out below to mitigate the impact of different types of data breach, focusing especially on breaches involving particularly risky or sensitive information. We will review the effectiveness of these actions and amend them as necessary after any data breach.

Sensitive information being disclosed via email

Other types of breach that could occur:

Appendix D – Subject Access Request

Individuals have a right to make a ‘subject access request’ to gain access to personal information that we hold about them.

The rights of individuals include:

Although we recognise that subject access requests may be made in any way, we request that subject access requests are submitted in writing, either by letter, email or fax to the secretary. In order to respond to a request in a timely manner requests should include:

Any NAFLIC representative who receives a subject access request must immediately forward it to the organisation so that the information can be entered in the “Subject Access Request Log.” If the request is made verbally then the representative to whom the request is made should take sufficient notes to answer the request.

Children and subject access requests

We do not process personal data about children.

Requests for large amounts of personal data

If we need more information before responding to a request then we will let the individual know as soon as possible. The timescale for responding to the request begins when we receive the additional information. If an individual refuses to provide any additional information, we will still endeavour to comply with their original request.

Requests made on behalf of others

When a SAR is made via a third party such as a solicitor we will need to be satisfied that the third party making the request is entitled to act on behalf of the individual. The third party should provide us with evidence of this entitlement (either written authority or a more general power of attorney).

Processors and Subject Access Requests

As Data Controller we are responsible for complying with a SAR. We will therefore ensure that we have contractual arrangements in place to guarantee that SARs are dealt with properly, irrespective of who they are sent to.

Responding to Subject Access Requests

Prior to responding to requests, we:

We will:

We will not disclose information if it:

Subject Access Responses

The information provided in any response will be concise, transparent, intelligible and in an easily accessible form, using clear and plain language. Any internal codes used in the source document will be explained. We are not required to decipher poorly written notes or to ensure that the information is provided in a form that can be understood by the individual making the request.

If data is regularly updated or altered it will be supplied as at the time of sending out a response, even if this is different to information which was held when the request was received. We recognise that it is an offence to make an amendment simply to prevent disclosure.

If possible or appropriate we will consider providing Data Subjects with remote access to a secure self-service system so that they can see all the personal information that is held on them (as long as this does not adversely affect the rights and freedoms of others).

Our SAR response will include:

  1. Our purpose for processing.
  2. The categories of data we process.
  3. Who we share/disclose the data with.
  4. How long we store the data or, how we determine how long to store it.
  5. Confirmation of their right of rectification, erasure or to restrict processing relevant to the situation (depending on your legal basis for processing).
  6. Confirmation that they have a right to complain to the supervisory authority.
  7. Information about the data source (if it is not themselves).
  8. Information if automated decision-making takes place (including profiling).
  9. Details of the safeguards we provide if we transfer personal data to a third country or international organisation.

What is NOT included in our SAR Response

An individual is not entitled to receive any information that relates to another person in a SAR response (unless they are acting on behalf of someone e.g. a Lawyer or Parent). Therefore we will remove or redact any data which relates to other individuals. It is up to us to decide if the information requested falls within the definition of personal data or not.

Recording SAR Requests

The organisation will record the details of any SAR we receive in the SAR Log. Each request will be date stamped if necessary and saved in a specific folder for future reference.


In addition to the manifestly unfounded or excessive exemption there are several statutory exemptions contained in the DPA18. The majority of these exemptions relate to the detection and prevention of crime, national security and public functions such as immigration control.

Exemptions which relate to a commercial context include if the information:

Information about a third party may only be disclosed where that person has consented to the disclosure or where it is reasonable to disclose the information without their consent. Therefore, we will balance the rights of all the individuals involved taking into account:

In a 'tie-breaker' situation, the presumption will fall in favour of non-disclosure.

Refusing a SAR

In accordance with the regulations we reserve the right to reject repeated or vexatious requests where a reasonable period has not elapsed between requests and may charge for large volumes of documents.  A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information.  When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.

Appendix E - Key Terms



Personal data

Any information relating to an identified, or identifiable, individual.

At our this includes the following:

Name, Student Number, Tax Information, Address, Photograph, On Line Identifier, Sexual Orientation, Location Data, Character Traits, Biographical Information, Current Living Situation, Email address, phone number, Location, Financial information, Educational Information, Private and Subjective Data, Sickness, Date of Birth, Appearance and Behaviour

Special categories of personal data

Personal data which is more sensitive needs more protection. At our we process the following special categories of data:

Racial/Ethnic Origin, Religious/Philosophical Views, Health, Genetic/Biometric Data, Criminal Record


Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.

Processing can be automated or manual.

Data subject

The identified or identifiable living individual whose personal data is held or processed.

Data controller

A person or organisation that determines the purposes and the means of processing of personal data (our).

Data processor

A person or other body, other than a representative of the data controller, who processes personal data on behalf of the data controller.

Data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

A-Z of Data Protection Terms




Software to detect, stop and remove viruses/malicious software from a system


A collection of information/records with a specific focus or theme (e.g. letters, documents, minutes, registers, maps, photographs, digital files, sound recordings)


Someone who exploits computer systems in a malicious way

Biometric Data

Personal data relating to physical, physiological or behavioural characteristics from which a person can be identified (e.g. fingerprints, images)


A network of infected devices which are connected to the internet to commit coordinated cyber-attacks without their owner's knowledge

Brute Force Attack

When computer power is used to automatically send a vast number of requests or input a series of numbers in order to discover passwords and gain access to a system

Click Farm

Where a large group of low paid workers are employed to click on advertising links in order to generate better results for the organisation being reviewed


Any freely given, specific, informed and unambiguous indication that the data subject agrees to an action (may be a statement or by clear affirmative action)

Cross Border Processing

Where personal data is processed by organisations in more than one Member State

Cyber Attack

A malicious attempt to damage/disrupt/gain unauthorised access to computer systems/networks/devices by cyber means

Cyber Incident

A breach of cyber security rules

Data Minimisation

Where an organisation collects and keeps only the personal data it requires in order to achieve an intended purpose

Data Protection Authority

A national authority responsible for data privacy (the UK ICO)

Data Protection By Design And Default

A principle whereby data subject's rights are taken into account at the design and development stage

Data Protection Impact Assessment

A tool used to identify and minimise data protection risks in new projects

Data Protection Officer

An individual who is appointed to ensure an organisation implements and complies with the policies and procedures set out in the GDPR

Data Transfer

The movement of personal data between organisations and people

Denial Of Service

When legitimate users are denied access to computer services or resources

Digital Footprint

The 'footprint' of digital information that a user's online activity leaves behind

Download Attack

The unintentional installation of malicious software or virus onto a device without the user’s knowledge or consent

Encrypted Data

Personal data which has been translated into another form or code so that only people with specific access can read it


A natural or legal person engaged in an economic activity, irrespective of its legal form (includes partnerships or associations)

EU-US Privacy Shield

A set of GDPR standards that allow for the legal transfer of personal data between the EU and US for commercial reasons

Fairness Principle

The principle that requires personal data to only be used in a way that is fair and not detrimental, unexpected or misleading to the individuals concerned

Filing System

Any structured set of personal data, accessible according to specific criteria (may be centralised, decentralised or dispersed)


Hardware or software which uses a defined rule set to constrain network traffic and prevent unauthorised access to/from a network

Group Of Undertakings

A controller and the group of undertakings or institutions affiliated to it


Someone who uses their computer skills to break into computers, systems and networks

Health Data

Personal data that relates to an individual’s physical or mental health (including the provision of health care services)


A decoy system to attract potential attackers that helps limit access to actual systems

Information Society Service

Any service normally provided for remuneration, at a distance, by electronic means and at the request of a recipient (e.g. social media)

Integrity & Confidentiality Principle

A key requirement of GDPR for personal data to be processed using appropriate technical, organisational and security measures

International Data Transfer

The movement of personal data to countries outside the EU/EEA or to international organizations (this includes viewing data hosted in another location)

International Organisation

An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries

Internet Of Things (IoT)

Everyday objects such as televisions (not computers and devices) that connect to the Internet


Software that tracks keyboard inputs – used to monitor the user

Legal Person

A human being, firm, or government agency that is recognized as having privileges and obligations

Legitimate Interests

Where an organisation believes there is justification to process personal data because it will either benefit society as a whole or a particular company

Main Establishment Of The Controller

The place, in the EU, where a data controller has their central administration or decision-making function

Main Establishment Of The Processor

The place where a processing organisation's central administration or main processing activities take place


Using online advertising to deliver malware


Malicious software (viruses, trojans, worms or any code) that could have an adverse impact on organisations or individuals

Man-In-The-Middle Attack

Computer eavesdropping whereby an attacker secretly relays computer communications through themselves thus compromising the integrity or confidentiality of messages

Natural Person

A living and breathing individual human being


Updates for firmware or software to improve security and/or enhance functionality


An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed

Personal Data

Any information relating to an identified or identifiable natural person who can be identified, directly or indirectly by some element of that data (e.g. name, identification number, location)


An attack on a network that results in a user being redirected to an illegitimate website even though they entered the correct address


Untargeted, mass emails asking for sensitive information (such as bank details) or directing them to a fake website or malicious link

PII - Personally Identifiable Information

Information that can be used to identify, contact, or locate a single person, or to identify an individual either on its own or when combined with other information

Privacy Impact Assessment

A tool used to identify the privacy risk

Privacy Notice

A document setting out (at the time of data collection) what data will be collected, the organisation’s purpose and legal basis for processing the data, the subject’s rights, how long the data is retained, who it will be shared with and how it will be disposed of


Any form of automated processing which uses that data to evaluate certain personal aspects.  In particular where it is used to analyse or predict aspects of that person's performance or movements


The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (e.g. a key)

Purpose Limitation

The principle that information may only be used for the specified, explicit and legitimate purpose for which it was collected and not for any other purpose


A notification that an account’s defences have been compromised


Malicious software that makes data or systems unusable until the victim makes a payment


A natural or legal person, public authority, agency or another body, to whom personal data is disclosed

Relevant And Reasoned Objection

An objection to a draft decision by a supervisory authority or opinion that an envisaged action by a controller or processor does not comply with this Regulation


A person within the EU who is chosen or appointed to act or speak for a controller or processor who is based outside the EU


Electronic or physical destruction methods to securely erase or remove data from memory


Phishing via SMS text

Software As A Service (SaaS)

A business model where consumers access centrally-hosted software applications over the internet


A targeted form of phishing, where the email is designed to look like it comes from a person the recipient knows and/or trusts


Faking (or imitating) a sending address to get access to a system

Subject Access

The right of the subject to obtain or request certain information relating to their personal data from a data controller

Third Party

An organisation or person (other than the data subject, controller, processor) who has been authorised to process personal data by the Data Controller/Processor


A malware or virus disguised as legitimate software and used to hack into the victim's computer

Two-Factor Authentication

The use of two different components to verify a user's identity


A fake website (or a compromised real one) which exploits visiting users


Highly targeted phishing attack (masquerading as legitimate emails) aimed at or purporting to come from senior executives


A list of approved applications or addressees in an organisation which protects systems from potentially harmful applications

