There are some significant changes to Data Protection legislation coming into effect on 25 May 2018 which will have an impact on how Tennis Ireland, at all levels, engages with its members. It is also important that every Tennis Club, and indeed every member, is aware of how these changes in the law will affect the ways in which members’ personal information can be collected and used for Tennis purposes.
You must …
Data Protection applies to all businesses, companies, charities and organisations. It is not just relevant for Tennis Clubs, but it is important that Tennis Clubs comply with the legislation.
Data Protection legislation applies where an individual or organisation collects, stores or processes any data about living people, often referred to as personal data, on any type of computer or in a structured filing system.
1. Data Controller
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Tennis clubs are data controllers.
2. Data Processor
An individual or legal person who holds or processes personal data, but does not exercise responsibility for or control over the personal data. Examples of data processors include payroll companies and accountants.
3. Personal Data
Data that relates to a living individual who can be identified directly from that data or whose identity can be derived from that data in conjunction with other data that may be available.
4. Sensitive Personal Information
Data about an individual which relates to race, ethnic group, political affiliation, religion, trade union membership, mental or physical health, sexual orientation or criminal record.
5. How it’s relevant to Tennis clubs
The Data Protection and GDPR legislation applies to Tennis Clubs as personal data relating to living individuals is collected and used for membership registration, managing teams and administering the club.
These are legitimate uses of the data but it is imperative that the data is controlled and processed in compliance with the legislation. It is the responsibility of every club to ensure that the privacy rights of individuals are safeguarded when processing personal data.
Whilst the legislation is complex, the requirements can be summarised under the following seven principles:
The Legislation allows for Tennis Clubs to collect personal information relating to Members, such as Names, Addresses, Dates of Birth, email and telephone numbers for the purposes of administering the club (e.g. registering players, arranging meetings) or other specific purposes with the permission of the individual.
It does not allow for members’ data (such as email addresses) to be used for purposes (such as marketing emails from third parties) without the express permission of the member.
The member must be given the opportunity to ‘Opt-in’ before their details are included in any mailing lists for any communication which is not related to club activity (the original purpose).
In all cases, the personal information relating to members must be kept safe and secure and should never be passed to third parties without the express permission of the member.
At the point of capture (i.e. registration), members must be informed of the purpose or purposes that their information will be used for (registration, club activities, fundraising, etc.).
When sending emails to a mailing list, the Blind Copy address field should be used to ensure that email addresses are not inadvertently disclosed.
Do not correspond directly with Juveniles; Parent or Guardian contact details should be used.
Members must Opt In to receive correspondence which is not directly related to club activities (not opt out)
Allow members the facility to Opt out on correspondence issued (they must be removed from mailing lists as soon as possible, and at least within 40 days of notification)
Do not contact individuals who have asked to opt out
All Membership forms, in hard copy, should be stored centrally in a secure location
Electronic records should be saved on an access-controlled device, preferably encrypted; logons should not be shared.
Data should be held only whilst there is a continued need for it – data should be reviewed and destroyed regularly
Data should be reviewed regularly for completeness and accuracy (at least yearly)
A member can submit a Subject Access Request to request all of the information held about them by the Club – this must be provided within 40 days, and a fee of no more than €6.35 may be charged.
Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures.
If the data concerned is protected by technological measures which make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.
All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal data of a financial nature.
In case of doubt – in particular any doubt related to the adequacy of technological risk-mitigation measures – the data controller should report the incident to the Office of the Data Protection Commissioner.
The Data Protection Commissioner’s Office provides extensive information and practical guidance on Data Protection on its website, www.dataprotection.ie, and clubs should inform themselves further of their obligations by reviewing that site.
If you have any concerns about Data Protection or feel that a breach of Data Protection legislation has occurred, you should raise these concerns immediately with the Data Protection Commissioner.
Please note that the Data Protection regulations are slightly different in other jurisdictions outside of the Republic of Ireland. Local laws should be consulted and complied with as necessary.
There are other Regulations that must be complied with by Tennis Clubs also, including: