Data protection guidance for clubs

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. GDPR replaces the old Data Protection Act 1998 (DPA).

Although many of the GDPR’s main concepts and principles are much the same as those under the DPA, there are a number of changes for clubs to consider.

Sport England recently commissioned the Sport and Recreation Alliance to lead a project to help the sport sector meet the legislative requirements of GDPR.

Head to the Sport and Recreation Alliance website to access further guidance documents and FAQs created from questions raised in other sports. Below are some further FAQs arising from workshops held at last year's Council and AGM.

Frequently Asked Questions

Do we need to obtain consent or permission to publish contact details in handbooks?
Yes, we would recommend getting consent for this as the information is going to be shared in the public domain.
Do we need to obtain consent or permission to share the details of key contacts with parents?
There will be certain individuals in your club who are designated points of contact, for example the coach or welfare officer. It is acceptable to share their contact details with parents provided that this is explained to such key contacts in advance and confirmed in writing within the club's privacy notice. We would recommend that club staff and committee members use an email address like clubcoach@club.co.uk rather than their personal email address.
Do we need to obtain consent for photographic images?

Yes, clubs should obtain consent for the club's use of any photo of a member. A photograph of an individual does amount to personal data. Wavepower includes template consent forms for clubs to use for collecting consent on behalf of children. However, we recognise practical difficulties when clubs attend away events. Where an event organiser is capturing images or filming an event, it may not be possible to obtain consent from all participants. A good practice approach would be to ensure that invited clubs are advised as early as possible of any filming or photography taking place so that they can raise any concerns with the home club/event organiser and work together to address them.

As well as official photographers, friends and family of children may wish to take photos to celebrate their sporting achievements. If photography is allowed in the venue, those taking photos of children should focus on their own family members and friends. If other individuals are identifiable from those images, the images should not be shared on social media without the permission of the other identifiable individual(s).

Can the committee use personal information they have access to for non-club related activities?
The club's privacy notice should explain to members how personal data is stored and used. Most of the processing carried out legitimately by clubs will relate to their normal day-to-day activities. It would not be in the club's legitimate interests to sell or pass on personal data to a third-party marketing agency.
What should happen when a committee member stands down?
Depending on the software management systems used by clubs, access to personal data should be removed, or any personal data held should be deleted and/or returned to the club/their successor, on standing down. However, this does not apply to any contact details of friends and colleagues made at the club that are held in a personal rather than club capacity.
Can a club or committee store personal data on a laptop?
Yes, provided the equipment is password protected and access is restricted to those individuals who need it for carrying out club activities. We also recommend that files containing personal data are encrypted when they are shared by email.
Can a club allow someone to access personal data in case of emergency?
If another member is covering an activity, they may need one-off access to personal data in case of emergency. Some clubs may provide that person with keys to access a secure filing cabinet or a password to an online management system, or provide the contact details of the person who does have the information. Whatever processes clubs put in place, committee members should be discouraged from creating their own contact lists/spreadsheets. Best practice is to keep information central to the club's online management system.
How long should we keep personal data for?
Personal data should be kept for as long as it is needed or necessary, and this should be confirmed in your privacy notice. For further guidance see the Sport and Recreation Alliance Toolkit.
Do we need to obtain consent for collecting medical information?
Yes, where information about an individual’s health is collected, this should be subject to obtaining explicit consent. Consent needs to cover the processing of any special categories of personal data as well as consent for any sharing, for example consent for data being shared for the purpose of performance analysis.
What do we do if we lose personal data?
Be honest – report it to the club secretary or the officer who is responsible for club management systems/information. A loss of data is a breach of the GDPR, but not every breach is notifiable to the ICO. For further information on how to decide if a breach has occurred and if it is reportable to the ICO, visit their website.
Do clubs need to register as a data controller?
Under the previous data protection regime, most organisations were required to register with the ICO as data controllers unless they were exempt. This has been replaced with a register of fee payers. However, some organisations (including not-for-profit organisations) are exempt from paying a fee. For further information on this please visit the ICO’s website.

There is also a range of guidance documents on the Information Commissioner's Office (ICO) website.

The ICO is the regulator for data protection and has issued the following statement:

To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator.

That will continue under the GDPR. The 25 May is not the end of anything. It is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data. My office has lots of resources to help you do that.
