GOLFWORKS PROGRAM — PRIVACY POLICY ADDENDUM
|
Document Detail |
Value |
|
Effective Date |
April 1, 2026 |
|
Applies To |
GOLFWORKS Youth Employment Program |
|
Applicable Population |
High school students aged 14–18; college-age applicants |
|
Supplements |
MGA Privacy Policy (last updated March 28, 2023) |
|
Posted At |
GOLFWORKS application landing page (hs.mgagolf.org) |
|
Document Version |
Version 3 |
This GOLFWORKS Privacy Policy Addendum (the “Addendum”) supplements the Metropolitan Golf Association’s and the MGA Foundation’s (collectively, the “MGA”) Privacy Policy, last updated March 28, 2023 (the “Privacy Policy”). The Privacy Policy governs the collection, use, and sharing of information gathered through mgagolf.org and the MGA’s mobile applications. This Addendum extends and modifies the Privacy Policy solely as it applies to the collection, processing, storage, and disclosure of personal information submitted through the GOLFWORKS Youth Employment Program application process, which is hosted on the hs.mgagolf.org subdomain.
The GOLFWORKS program recruits and employs high school students aged 14–18, as well as certain college-age applicants, for seasonal employment at participating golf clubs. Because this program collects materially different and more sensitive categories of personal information than the MGA’s general website operations—and because many applicants are minors—this Addendum addresses the unique privacy considerations applicable to the GOLFWORKS application workflow.
Relationship to the Privacy Policy. In the event of any conflict between this Addendum and the Privacy Policy, the terms of this Addendum shall control with respect to GOLFWORKS applicant data. All provisions of the Privacy Policy that are not expressly modified by this Addendum remain in full force and effect. Capitalized terms used but not defined in this Addendum have the meanings assigned to them in the Privacy Policy.
Children’s Privacy — Age Threshold Modification. The Privacy Policy states that the MGA’s Site “is not directed to children under the age of 12.” Because the GOLFWORKS program actively recruits high school students aged 14–18, this Addendum modifies that provision as it applies to GOLFWORKS: the minimum age for GOLFWORKS applicants is 14 years old, and all applicants under 18 must have verifiable parental or guardian consent as described in Section 5 below.
The MGA Foundation, operating the GOLFWORKS program on behalf of the Metropolitan Golf Association, is the data controller for all personal information collected through the GOLFWORKS application process.
GOLFWORKS applicant data is collected, processed, and stored on HubSpot CRM (Enterprise tier), operated by HubSpot, Inc. HubSpot serves as the data processor for this program. HubSpot’s data privacy practices are governed by the HubSpot Privacy Policy (available at legal.hubspot.com/privacy-policy) and the HubSpot Data Processing Agreement (available at legal.hubspot.com/dpa). The MGA has reviewed HubSpot’s data handling practices and determined that they meet the requirements for processing the sensitive data categories collected by the GOLFWORKS program.
HubSpot maintains SOC 2 Type II certification. All data processed within the GOLFWORKS application workflow is encrypted in transit (TLS) and at rest, with additional application-level encryption applied to data designated as Sensitive or Highly Sensitive under HubSpot’s Sensitive Data framework.
Note regarding USGA data sharing. The Privacy Policy discloses that the MGA regularly shares information with the United States Golf Association (USGA). GOLFWORKS applicant personal information—including all sensitive and highly sensitive data described in Section 3 below—is not shared with the USGA. GOLFWORKS data is collected and processed solely within the MGA’s HubSpot CRM and is not part of the jointly owned data referenced in the Privacy Policy.
The following standard personal information is collected during the GOLFWORKS application process:
The following sensitive personal information is collected via secure document upload. These data categories are not referenced in the Privacy Policy and are disclosed here for the first time:
|
Document |
Sensitivity Level |
Data Contained |
|
W-4 Form |
Highly Sensitive |
Social Security Number, tax filing status |
|
I-9 Form |
Highly Sensitive |
Citizenship and immigration status |
|
Passport, Birth Certificate, or Social Security Card |
Highly Sensitive |
Government-issued identity documents |
|
Photo ID |
Sensitive |
Government-issued identification |
|
Working Papers |
Sensitive |
Minor employment authorization |
|
Direct Deposit Form |
Highly Sensitive |
Bank account and routing numbers |
|
Health Information |
Sensitive |
Health problems or restrictions (field) |
Note on Working Papers: Working paper requirements vary by state. In New York, a certificate of employment (working papers) is required for all minors under 18 under the New York Labor Law §§ 131–133. In New Jersey, employment certificates are required for minors under 18 under N.J.S.A. 34:2-21.1 et seq. In Connecticut, working papers (an “age certificate” or “employment certificate”) are required for minors under 18 under Conn. Gen. Stat. § 31-23 et seq. The applicable state’s requirements govern based on the location of the Host Club where the applicant is placed. The GOLFWORKS application collects working papers as a Sensitive document category; the specific form required is determined by Host Club location. The MGA’s operational onboarding procedures should specify which state form applies for each placement.
The Privacy Policy references health information in the context of golf cart requests at MGA championships. The GOLFWORKS application collects a distinct category of health information: applicants are asked to disclose any health problems or physical restrictions relevant to the employment position. This information is classified as Sensitive and is stored exclusively on the restricted GolfWorks record within HubSpot, accessible only to authorized MGA staff. It is not used for marketing, shared with the USGA, or disclosed to recruiters.
The Privacy Policy’s “Sharing with Third Parties” section permits the MGA to share information with service providers, affiliates, the USGA, and advertisers in certain circumstances. This Addendum restricts those sharing provisions as they apply to GOLFWORKS highly sensitive data. The MGA commits to the following non-disclosure obligations:
Social Security Numbers (SSNs): SSNs collected via W-4 forms will not be disclosed to any person or entity outside of authorized MGA staff responsible for employment processing. SSNs will not be shared with recruiters, schools, guidance counselors, Host Clubs, the USGA, or any other third party. This restriction is not modified by Section 7.4; Host Clubs receive limited standard employment data only and are expressly prohibited from receiving SSNs or W-4 forms.
Government-Issued Identity Documents: Passports, birth certificates, Social Security cards, and photo identification documents will not be disclosed outside of authorized MGA staff.
Immigration Documents: I-9 forms and any supporting immigration documentation will not be disclosed outside of authorized MGA staff responsible for employment eligibility verification.
Banking Information: Direct deposit forms containing bank account and routing numbers will not be disclosed outside of authorized MGA staff responsible for payroll processing.
School and Guidance Counselor Information: The MGA will not disclose applicant personal information, application status, sensitive documents, or employment records to schools, guidance counselors, or other educational institutions unless required by law or authorized in writing by the applicant (or the applicant’s parent or guardian, if the applicant is a minor).
No Marketing Use: Notwithstanding the “Marketing Purposes” section of the Privacy Policy, GOLFWORKS applicant sensitive and highly sensitive data will not be used for marketing, promotional offers, or communication about third-party goods or services.
The Privacy Policy requires parental supervision for children ages 12 and older using the MGA’s Site. Because the GOLFWORKS program actively recruits students aged 14–18 and requires submission of highly sensitive documents—including Social Security Numbers, government-issued identity documents, immigration forms, and banking information—the MGA requires verifiable parental or legal guardian consent before processing sensitive documents submitted by any GOLFWORKS applicant under the age of 18.
The parental or guardian consent process shall be integrated into the GOLFWORKS digital application workflow as follows:
A parental/guardian consent acknowledgment form will be presented as a mandatory step in the application process for all applicants under 18 years of age.
The consent form will identify by category the types of sensitive documents being submitted (W-4, I-9, government identification, banking information) and explain how these documents will be used, stored, and protected.
The consent form will require the parent or guardian’s full legal name, relationship to the applicant, contact email address, and contact phone number.
The parent or guardian must affirmatively acknowledge that they consent to the collection and processing of their minor child’s sensitive personal information for GOLFWORKS employment purposes.
A record of the consent, including the date and time of submission, will be stored on the applicant’s GolfWorks record within HubSpot.
The Privacy Policy describes broad uses of personal information, including marketing, data aggregation, USGA sharing, and third-party promotional purposes. This Addendum narrows the permitted uses of GOLFWORKS applicant data to the following:
Evaluating and processing GOLFWORKS employment applications
Verifying employment eligibility as required by federal and state law (I-9, working papers)
Processing payroll and direct deposit for hired applicants
Communicating with applicants regarding their application status
Matching applicants to participating golf clubs
Program administration, reporting, and alumni tracking (using de-identified or aggregated data where possible)
The MGA will not use GOLFWORKS applicant data for marketing, promotional offers, third-party advertising, or any purpose unrelated to the GOLFWORKS program without the applicant’s (or, for minors, the parent or guardian’s) separate written consent.
The Privacy Policy identifies “service providers, technical consultants, and vendors” as parties with whom the MGA may share information. Independent contractor recruiters engaged by the GOLFWORKS program are granted limited access to applicant Contact records within the MGA’s HubSpot CRM. Recruiter access is restricted to the following standard application data:
Applicant name, email, and phone number
School name and GolfWorks region
Application phase status (e.g., interest submitted, application received, recruiter review outcome)
Assigned golf club
Recruiters have zero access to the sensitive and highly sensitive employment documents, which are stored exclusively on the restricted GolfWorks custom object record within HubSpot:
W-4 forms (SSNs, tax information)
I-9 forms (citizenship/immigration status)
Passports, birth certificates, Social Security cards
Photo identification
Working papers
Direct deposit forms (banking information)
Health information
All independent contractor recruiters engaged by the GOLFWORKS program are required to execute a Data Processing Agreement (DPA) and a Data Confidentiality Agreement before being granted access to any applicant data. These agreements require recruiters to:
Use applicant data solely for GOLFWORKS program purposes and only as necessary to perform their recruiter function
Refrain from personally retaining, copying, downloading, or storing any applicant data outside of the MGA’s HubSpot CRM platform
Report any actual or suspected data breach or unauthorized access to MGA staff within 24 hours of discovery
Properly handle and protect any applicant data collected off-platform (e.g., notes from school visits, parent conversations, or interactions at golf clubs), and transmit such information to the MGA through approved channels only
Not disclose any applicant data to any third party, including schools, guidance counselors, golf clubs, or family members, except as expressly authorized by MGA in writing
Return or destroy all applicant data upon termination of their independent contractor engagement
Participating golf clubs (“Host Clubs”) are third-party recipients of limited GOLFWORKS applicant data necessary to manage the on-site employment relationship. The MGA will share the following standard employment data with the assigned Host Club, and only to the extent necessary for the Host Club to fulfill its obligations as the applicant’s worksite employer:
Applicant name, email address, and phone number
Work start and end dates, scheduled absences, and transportation method
Emergency contact names and phone numbers
Work accommodations or placement instructions communicated by the MGA (limited to the accommodation itself—e.g., “this employee should not be assigned to cart operations”—without disclosure of the underlying health information or diagnosis, which remains classified as Sensitive Employee Data and is not shared with Host Clubs)
Employment eligibility verification status (i.e., the determination that the applicant is authorized to work—not the underlying I-9 form or supporting documents)
Data Host Clubs May Not Receive. Notwithstanding the above, Host Clubs shall not receive or have access to any of the following: Social Security Numbers or W-4 forms; I-9 forms or underlying immigration documents; passports, birth certificates, Social Security cards, or photo identification documents; direct deposit forms or banking information; working papers in their original document form; or full school records, GPA, or guidance counselor information. The restrictions in Section 4 of this Addendum apply in full to Host Clubs with respect to sensitive and highly sensitive data categories.
Host Club Confidentiality Obligations. Prior to receiving any applicant data, each Host Club must execute a Data Confidentiality Agreement with the MGA requiring the Host Club to: (a) use applicant data solely for the purpose of managing the GOLFWORKS employment placement; (b) not disclose applicant data to third parties; (c) implement reasonable security measures to protect applicant data; and (d) destroy or return all applicant data upon the conclusion of the placement or upon the MGA’s written request.
The Privacy Policy states that the MGA will use “reasonable precautions” to protect personal information and references SSL encryption. The GOLFWORKS application workflow implements enhanced security measures beyond those described in the Privacy Policy, as detailed below.
All GOLFWORKS application data is submitted through a secure, password-protected digital form hosted on hs.mgagolf.org. No sensitive documents are transmitted via email.
Sensitive employment documents are temporarily staged on the applicant’s Contact record during form submission, then automatically transferred to the restricted GolfWorks custom object record and cleared from the Contact within seconds by automated workflow.
HubSpot’s Sensitive Data framework applies tiered encryption: standard encryption in transit and at rest for all data, plus additional application-level encryption for Sensitive data, plus value-level click-to-decrypt encryption for Highly Sensitive data.
Role-based access controls ensure that only authorized MGA staff with the appropriate security scope can access sensitive and highly sensitive applicant documents.
HubSpot maintains SOC 2 Type II certification and provides audit logging for all record access and modifications.
The Privacy Policy does not include breach notification procedures. This Addendum establishes breach notification obligations for GOLFWORKS applicant data in accordance with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act (N.Y. Gen. Bus. Law § 899-aa), the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.), and the Connecticut breach notification law (Conn. Gen. Stat. § 36a-701b). Because GOLFWORKS applicants may include residents of New York, New Jersey, and Connecticut, all three state notification frameworks apply.
In the event of a breach of the security of the system involving the private information of GOLFWORKS applicants, the MGA will:
The MGA will notify the New York Attorney General’s office, the Department of State’s Division of Consumer Protection, and the State Police in the most expedient time possible whenever notice of a breach is provided to any New York resident—there is no minimum number of affected residents required to trigger this obligation under the SHIELD Act. In addition, if a breach affects more than 500 New York residents, the MGA will notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, consistent with N.Y. Gen. Bus. Law § 899-aa(8).
Any breach notification will include: a description of the categories of information that were or are reasonably believed to have been accessed or acquired, contact information for the MGA, and contact information for the relevant state and federal agencies that provide consumer protection assistance.
In the event of a data breach or unauthorized access to GOLFWORKS applicant data, the MGA will follow its internal incident response procedures, including: identifying the scope of affected records, reviewing HubSpot audit logs, revoking or rotating access tokens if compromised, notifying affected applicants and their parents or guardians (if the applicant is a minor), and documenting the incident and all remediation steps.
In the event of a breach involving the personal information of New Jersey residents, the MGA will comply with the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.). Notification obligations under New Jersey law are substantially similar to those under the NY SHIELD Act; the MGA will notify affected New Jersey residents in the most expedient time possible and without unreasonable delay. If the breach affects 1,000 or more New Jersey residents, the MGA will also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The MGA will notify the New Jersey Division of State Police within the Division of Criminal Justice of the timing, distribution, and content of any notification sent to New Jersey residents. In addition, the New Jersey Data Privacy Act (P.L. 2023, c. 266, effective January 15, 2025) may impose broader obligations—including data minimization, purpose limitation, and individual rights (access, correction, deletion, opt-out of targeted advertising and profiling)—if the MGA meets the Act’s applicability thresholds (processing personal data of 100,000 or more New Jersey consumers in a calendar year, or 25,000 or more New Jersey consumers where the organization derives revenue from the sale of personal data). The MGA should confirm annually whether its New Jersey applicant and alumni volume triggers compliance obligations under this Act.
In the event of a breach involving the personal information of Connecticut residents, the MGA will comply with Connecticut’s breach notification law (Conn. Gen. Stat. § 36a-701b). Connecticut law requires notification to affected residents in the most expedient time possible, but no later than 60 days after the discovery of the breach. Notification must be provided to the Connecticut Attorney General’s office no later than the time that notice is provided to affected Connecticut residents. Connecticut law requires the MGA to offer identity theft prevention services at no cost to affected individuals for a period of not less than 24 months following the date of the notification if the breach involves Social Security Numbers, taxpayer identification numbers, driver’s license or state ID numbers, or financial account numbers. In addition, the Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. § 42-515 et seq., effective July 1, 2023) may impose broader obligations—including data minimization, purpose limitation, and individual rights (access, correction, deletion, opt-out of sale)—if the MGA meets the CTDPA’s applicability thresholds (processing personal data of 100,000 or more Connecticut consumers in a calendar year, or 25,000 or more Connecticut consumers where the organization derives revenue from the sale of personal data). The MGA should confirm annually whether its Connecticut applicant and alumni volume triggers CTDPA compliance obligations.
The Privacy Policy does not specify retention periods. This Addendum establishes the following retention schedule for GOLFWORKS applicant data:
|
Data Category |
Retention Period |
|
Sensitive employment documents (W-4, I-9, SSN documents, banking information, photo ID, working papers) |
For the duration of the active program relationship and for 4 years after the end of employment, or as required by applicable federal or state law, whichever is longer |
|
Standard application data (name, contact information, school, questionnaire responses) |
Retained in CRM for program relationship management and alumni tracking |
|
Health information |
For the duration of the active program relationship and for 4 years after the end of employment, or as required by applicable federal or state law, whichever is longer |
|
Parental consent records |
Retained for the duration of the associated applicant’s record retention period |
The extended retention period reflects the typical multi-year program relationship between GOLFWORKS interns and their Host Clubs (commonly 3 or more years) and ensures compliance with federal employment record retention requirements. Specifically: (a) IRS regulations require W-4 forms to be retained for at least 4 years after the date the tax becomes due or is paid, whichever is later (26 C.F.R. § 31.6001-1(e)(2)); and (b) federal I-9 regulations require retention for 3 years from the date of hire or 1 year after the date employment ends, whichever is later (8 C.F.R. § 274a.2(b)(2)). Because an intern may be employed across multiple years, the MGA’s records management staff must calculate each document’s retention deadline individually based on these federal minimums, using the “whichever is longer” standard in the table above as the governing rule. The MGA will not retain sensitive personal data beyond the applicable period unless required by law or a documented organizational purpose specifically justifying continued storage.
The Privacy Policy’s “Access, Corrections, Questions” section allows individuals to request information or corrections by contacting support@mgagolf.org. This Addendum extends that right for GOLFWORKS applicants to include deletion. Any applicant (or, for minors, a parent or legal guardian) may request that the MGA delete all personal information related to the applicant from MGA systems and HubSpot. This right applies regardless of whether the GOLFWORKS program is subject to FERPA (see Section 11). Upon receipt of a deletion request, the MGA will:
Delete or de-identify all personal information associated with the applicant from HubSpot (both Contact and GolfWorks records) within 30 days, unless retention is required by applicable law.
Confirm receipt and completion of the deletion in writing to the requestor.
Notify any independent contractor recruiters who accessed the applicant’s Contact record that the record has been deleted and that they must destroy any off-platform notes or data related to the applicant.
Because the GOLFWORKS program is not funded in whole or in part by the U.S. Department of Education, the Family Educational Rights and Privacy Act (FERPA) does not impose direct obligations on the MGA with respect to GOLFWORKS applicant data. However, the MGA recognizes that recruiters work directly with schools and guidance counselors, and that applicants may have a reasonable expectation of privacy consistent with FERPA principles.
Accordingly, if an applicant or parent/guardian requests that the MGA not release any personal information—a request analogous to a FERPA opt-out—the MGA will comply with that request and acknowledge receipt in writing. The MGA will not share applicant data with schools or guidance counselors unless required by law or authorized in writing by the applicant or their parent/guardian.
In addition to the access and correction rights described in the Privacy Policy, GOLFWORKS applicants (and, for minors, their parents or legal guardians) have the following rights:
Requests should be directed to the MGA GOLFWORKS program administrator at info@mgagolf.org or (914) 347-4653. Written requests may be sent to: Metropolitan Golf Association, 49 Knollwood Road, Elmsford, NY 10523. The MGA will respond to all requests within 30 days, consistent with the response timeline stated in the Privacy Policy’s “Your Choices — Opting Out” section.
Consistent with the Privacy Policy’s “Updates to Our Privacy Policy” section, the MGA reserves the right to update or modify this Addendum at any time. If material changes are made to how GOLFWORKS applicant personal information is handled, the MGA will notify affected applicants and their parents or guardians by email prior to the change becoming effective, and will provide a 30-day opt-out period consistent with the Privacy Policy. The updated Addendum will be posted on the GOLFWORKS application landing page with the revised effective date.
For questions, concerns, or requests related to this Addendum or the handling of GOLFWORKS applicant data, please contact:
Metropolitan Golf Association
GOLFWORKS Program Administrator
49 Knollwood Road, Elmsford, NY 10523
Email: support@mgagolf.org
Phone: (914) 347-4653
