GDPR

There are some significant changes to Data Protection legislation coming into effect on 25 May 2018 which will have an impact on how Tennis Ireland, at all levels, engages with its members. It is also important that every Tennis Club, and indeed every member, is aware of how these changes in the law will affect the ways in which members’ personal information can be collected and used for Tennis purposes.

What is Data Protection?

  • Data Protection legislation is intended to protect the right to privacy of individuals (all of us) and seeks to ensure that Personal Information is used appropriately by third parties that may have it (Data Controllers).
  • In essence, Data Protection relates to any information that can be used to identify a living person such as Name, Date of Birth, Address, Phone Number, Email address, Membership Number, IP Address, photographs etc.
  • There are other categories of information, currently defined as Sensitive Personal Data, which require more stringent measures of protection; these categories include religion, ethnicity, sexual orientation, trade union membership, medical information etc.

Data Protection can be summarised in the following 8 ‘rules’:

You must …

  1. Obtain and process the information fairly
  2. Keep it only for one or more specified and lawful purposes
  3. Process it only in ways compatible with the purposes for which it was given to you initially
  4. Keep it safe and secure
  5. Keep it accurate and up-to-date
  6. Ensure that it is adequate, relevant and not excessive
  7. Retain it no longer than is necessary for the specified purpose or purposes
  8. Give a copy of his/her personal data to any individual, on request

What does Data Protection Legislation mean to me and my club?

  • The legislation sets out rules about how this information (Personal Information) can be obtained, how it can be used and how it is stored.
  • Every person must give their consent for their data to be collected and processed for a specific purpose which must be communicated to them at the time the data is obtained.
  • They must specifically Opt-In and must be allowed to Opt-Out at any time. They must also be given the opportunity to review the consent they have given on a regular basis (i.e. yearly).
  • Data must be kept safe and secure and must be kept accurate and up to date.
  • An Individual can request a copy of all of the personal information held about them (this is called a Subject Access Request) and must be allowed to have all of their data deleted or returned to them, if they so wish.

What is GDPR?

  • The General Data Protection Regulation (GDPR) is new EU legislation that comes into effect on May 25th 2018.
  • It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected and the ways in which a person’s ‘Personal Data’ can and can’t be used.
  • It places the onus on the person or entity that collects a person’s information (Data Controller) to comply with the legislation and to demonstrate compliance.

Data Protection / GDPR and Tennis

Data Protection applies to all businesses, companies, charities and organisations; it is not just relevant to Tennis Clubs, but it is important that Tennis Clubs comply with the legislation.

Data Protection legislation applies where an individual or organisation collects, stores or processes any data about living people, often referred to as personal data, on any type of computer or in a structured filing system.

Definitions

1. Data Controller
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Tennis clubs are data controllers.

2. Data Processor
An individual or legal person who holds or processes personal data, but does not exercise responsibility for or control over the personal data. Examples of data processors include payroll companies and accountants.

3. Personal Data
Data that relates to a living individual who can be identified directly from that data, or whose identity can be derived from that data in conjunction with other data that may be available.

4. Sensitive Personal Information
Data about an individual which relates to race, ethnic group, political affiliation, religion, trade union membership, mental or physical health, sexual orientation or criminal record.

5. How it’s relevant to Tennis clubs
The Data Protection and GDPR legislation applies to Tennis Clubs as personal data relating to living individuals is collected and used for membership registration, managing teams and administering the club.

These are legitimate uses of the data but it is imperative that the data is controlled and processed in compliance with the legislation. It is the responsibility of every club to ensure that the privacy rights of individuals are safeguarded when processing personal data.

Whilst the legislation is complex, the requirements can be summarised under the following seven principles:

  1. Lawfulness, Fairness, Transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality
  7. Accountability

Practical Considerations

The Legislation allows for Tennis Clubs to collect personal information relating to Members, such as Names, Addresses, Dates of Birth, email and telephone numbers for the purposes of administering the club (e.g. registering players, arranging meetings) or other specific purposes with the permission of the individual.

It does not allow for members’ data (such as email addresses) to be used for purposes (such as marketing emails from third parties) without the express permission of the member.

The member must be given the opportunity to ‘Opt-in’ before their details are included in any mailing lists for any communication which is not related to club activity (the original purpose).

In all cases, the personal information relating to members must be kept safe and secure and should never be passed to third parties without the express permission of the member.

  • At the point of capture (i.e. registration), members must be informed of the purpose or purposes that their information will be used for (registration, club activities, fundraising, etc.).
  • When sending emails to a mailing list, the Blind Copy (BCC) address field should be used to ensure that email addresses are not inadvertently disclosed.
  • Do not correspond directly with Juveniles; Parent or Guardian contact details should be used.
  • Members must Opt In to receive correspondence which is not directly related to club activities (not opt out).
  • Allow members the facility to Opt Out of correspondence issued (they must be removed from mailing lists as soon as possible, and at least within 40 days of notification).
  • Do not contact individuals who have asked to opt out.
  • All Membership forms, in hard copy, should be stored centrally in a secure location.
  • Electronic records should be saved on an access-controlled device, preferably encrypted; logons should not be shared.
  • Data should be held only whilst there is a continued need for it; data should be reviewed and destroyed regularly.
  • Data should be reviewed regularly for completeness and accuracy (at least yearly).
  • A member can submit a Subject Access Request to request all of the information held about them by the Club; this must be provided within 40 days, and a fee of no more than €6.35 may be charged.

What Constitutes a Breach?

Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures.

If the data concerned is protected by technological measures which make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.

All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s), it affects no more than 100 data subjects, and it does not include sensitive personal data or personal data of a financial nature.

In case of doubt (in particular, any doubt related to the adequacy of technological risk-mitigation measures), the data controller should report the incident to the Office of the Data Protection Commissioner.

Escalation or Queries

The Data Protection Commissioner’s Office provides extensive information and practical guidance on Data Protection on its website, www.dataprotection.ie, and clubs should inform themselves further of their obligations by reviewing that site.

If you have any concerns about Data Protection or feel that a breach of Data Protection legislation has occurred, you should raise these concerns with the Data Protection Commissioner as soon as possible.

Other Legislation

Please note that the Data Protection regulations are slightly different in other jurisdictions outside of the Republic of Ireland. Local laws should be consulted and complied with as necessary.

Tennis Clubs must also comply with other Regulations, including:

  • Health and Safety
  • Child Protection / Safeguarding
  • PCI (Payment Card Industry) if credit card details are held