The new European regulations brought in to protect an individual’s information could affect your club, events and popular rankings websites.
Unless you’ve been living on the moon recently – well, outside the European Union to be more precise – you won’t have failed to have heard of GDPR or at least received hundreds of emails connected to it.
The new General Data Protection Regulation, which comes into force today (May 25), affects many companies and organisations, large and small – so how does it concern athletics clubs and organisers of events?
Clubs and organisers will almost certainly be “data controllers” as they will hold personal data such as names, addresses and dates of birth.
However, despite the hullabaloo, GDPR may not be as much of an issue for clubs as you may fear – although officials will certainly need to read up on it.
Your club should have received information from England Athletics or the appropriate national body giving plenty of advice on how to make sure you’re compliant. Templates are provided by these bodies which should hopefully make the process as smooth as possible.
Scottish Athletics issues six general principles regarding what clubs need to do:
1) Ensure they identify a lawful basis to process the personal data (from the list set out in the GDPR) and provide a privacy notice to the individual, which tells individuals how the club uses their personal data (one of the templates provided).
2) Only collect, use and keep personal data for specific purposes – i.e. only use a member’s personal data for membership purposes.
3) Only collect, use and keep personal data that clubs actually need.
4) Keep personal data up-to-date where possible.
5) Only keep personal data for as long as clubs need it – i.e. when a member leaves a club, clubs should review all the member’s personal data held to see whether they still need it after a specific period of time (for example, three years).
6) Protect personal data and keep it secure.
England Athletics advises that, in order to comply with GDPR, organisers of events need to include the following on entry forms: “You agree that we may publish your personal information as part of the results of the event and may pass such information to the governing body or any affiliated organisation for the purpose of insurance, licences or for publishing results either for the event alone or combined with or compared to other events.
“Results may include (but not be limited to) name, any club affiliation, race times, occupation and age category.”
As Dan Isherwood, head of insight and performance management at England Athletics, said, clubs should be informed but have no need to panic.
“While the GDPR (General Data Protection Regulation) has had a lot of attention lately, all organisations have previously had responsibilities under the Data Protection Act,” he said. “So although the GDPR updates this, it’s not new that all organisations, including our member clubs, have responsibilities regarding the data they hold.
“It is important that clubs understand their responsibilities with regards data and act on these responsibilities, particularly regarding any changes they need to make due to GDPR.
“Therefore, since last year, we have been communicating with clubs – including emailing information to club secretaries, putting information in other ebulletins and publishing information on our website – to make them aware of guidance and resources we have produced to help them with GDPR coming into effect.
“We recognise that this guidance and these resources are important for the volunteers in the sport. We are mindful that some of what has been published in the media, and particularly on social media, may not have been helpful to clubs or may even have been misleading.
“This is why we have worked with a range of people to produce the resources, including taking legal advice on a range of situations and activities that are relevant to athletics and running clubs. It is important that the volunteers in our clubs have robust and practical advice that is relevant to them, the situations they face and the way they use data.”
What about services like Power of 10?
A since-removed post on the homepage of the English Schools Athletic Association website did enough to raise questions over whether GDPR could have serious implications for rankings sites like Power of 10 and Tops In Athletics.
The 738-word notice suggested that rankings websites would not be able to publish details of performances unless they had the explicit permission of the athlete. That could spell Armageddon for popular athletics rankings sites. However, in reality, it’s likely little will change.
Rob Whittingham, who operates rankings website Topsinathletics.com, is confident GDPR will not affect his processing of results. “The information I keep is a matter of public record,” he says. “I have no private information. If I’ve got the athlete’s address, telephone numbers, email address and things, that’s very different. But just athletic performances, I don’t think GDPR could apply to.”
The subject of dates of birth is a contentious one. Power of 10 no longer publishes these on athlete profiles, but Whittingham continues to do so on Tops In Athletics – unless specifically requested by an athlete – as he asserts it is publicly available information that can be found on birth certificates.
However, in an age when the public is becoming obsessed with the data held on them, it would be no surprise if websites containing performance information in future were to be challenged by individuals.
In the past, there have even been examples of races which in the interests of privacy don’t publish results. Particularly as a growing number of people enter races without being concerned with their time, this could become a trend.
Of course, we probably all have certain items of data we would like removed from our Power of 10 record – that “personal worst” or DNF, but for now at least we are stuck with them.