Data Protection

With thanks to Sport & Recreation

In sport, where the focus is on operational delivery there is a risk in terms of Data Protection of non-compliance with the Principles of the Act and with the Act itself in favour of getting ‘jobs’ done. Any organisation that collects personal data about identifiable individuals such as coaches, officials, players and supporters, should review its policies and procedures to ensure it is fully compliant with the Act.

Following the recommendations in its Red Card to Red Tape report, the Alliance met with the Information Commissioner’s Office (ICO) to discuss the impact of data protection laws on sports clubs. This positive and informative meeting clarified the requirements of the Data Protection Act 1998 on sports clubs, and given the sector an insight and opportunity to input into proposed changes for the future of this legislation.

It was agreed that data protection law should be appropriate to the size and nature of what an organisation is doing, and the sensitivity/confidentiality of the information involved.

As a result, expectations and requirements placed on sports clubs should follow a principle of reasonableness where if no attempt has been made to deceive or mislead someone about the purposes for which their data will be used, then it is unlikely that using the data for those purposes would constitute a breach of the legislation.

Changes are coming

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and like every other organisation in the UK, those operating in the sport and recreation sector need to prepare.

The GDPR will place more stringent conditions on all organisations and so it is important to consider what is required for your organisation to be compliant. At its core, the regulation is designed to strengthen existing data protection laws and standardise the way that personal data is collected, protected and used by organisations.

The GDPR relates to the protection of “personal data” which is defined as any piece of information that can be used to identify an individual. This could relate to staff data, member data, athlete data, event participant data and much more. As a result, the regulation will touch every organisation across the sector and will change the way we all collect, retain and use personal information.

With such a major change on the horizon, the Sport and Recreation Alliance has identified 10 questions   (pdf) to help you navigate your way through GDPR. This member briefing is designed to help you get to grips with the basics of GDPR, outline some of the key considerations and explain why, in the long term, it will benefit your organisation.

The first step for any organisation will be to conduct an audit on the information they collect and ask questions such as – how they obtained it, where is it stored and why do they need it? Importantly, from May, consent must be obtained to use or process personal data. It also means that requests for consent must be obvious and cannot be hidden within lengthy terms and conditions, and pre-ticked boxes or inactivity will no longer constitute consent.

GDPR, at its heart, will help to protect individuals against personal data breaches, but it is also going to help organisations develop a clear understanding of how to handle this sensitive information.

Sport & Recreation have organised a one-day briefing with a number of its partner organisations. BKFA will be attending this and our Data Protection Policy will be updated in light of that briefing.

BKFA’s Data Protection Policy is here.