A big part of having an effective and robust safeguarding framework in place is ensuring your organisation is adhering to its data protection obligations.
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA) will still apply to any club or organisation, and to its staff and/or coaches, wherever personal data is controlled, processed or handled, regardless of whether they are coaching remotely or are on the pitch, on the court or in the pool. A child’s personal data merits particular protection under the UK GDPR, and if you process children’s personal data remotely you need to adapt your systems and processes with this in mind.
What steps should you take if you do not know whether you are processing children's data?
If your organisation offers an online service to children, it is sometimes difficult to tell whether you are processing children's data and/or what age range the children fall into. Where this is the case, you must adopt a cautious approach, which may mean:
- putting in place proportionate measures to prevent or deter children from providing their personal data online, such as age-appropriate warnings appearing at points on webpages where a child may possibly enter their data;
- taking appropriate actions to enforce any age restrictions you have set; or
- implementing up-front age verification systems.
If you rely on consent as your lawful basis for processing personal data when offering an online service directly to children (e.g. if you or a coach are recording an online session), only children aged 13 or over are able to provide their own consent. You may therefore need to verify that anyone giving their own consent in these circumstances is old enough to do so. For children under this age you need to get consent from whoever holds parental responsibility for them, unless the online service you offer is an online preventive or counselling service.
How does the Children’s Code protect children’s privacy online and does it apply to your business?
The Children’s Code (or the Age Appropriate Design Code), a code of practice for online services likely to be accessed by children, came into force on 2 September 2020 with a 12-month transition period to give organisations time to prepare. The code translates UK GDPR requirements into design standards that online services need to follow to make sure children are protected when they are online. Organisations that don’t follow the code could face enforcement action, so organisations need to act now to ensure they conform by 2 September 2021. Check out the Children’s Code Hub for more information on what you need to do.
How has remote working changed the way we manage children’s data?
Now that working patterns have changed and more and more people are working from home, consideration should be given to how children’s personal data is accessed and shared by staff, coaches, volunteers and other third parties whilst they are working from home.
The core security requirement under Article 32 of UK GDPR states “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Using third-party online platforms and granting remote access to emails and to an organisation’s database are security risks. Organisations need to think carefully about how they manage this risk and exposure appropriately, as best they can in the circumstances. Consider sending an email to staff to remind them of their obligations, ensure any third-party processing agreements are in place, and update your policies and procedures on how staff and third-party processors should handle and protect personal data, specifically reiterating that they must not make any personal or unlawful use of the data.
Have data protection standards changed since the outbreak of COVID-19?
Data protection standards themselves have not changed since the outbreak of COVID-19, so any organisation giving remote access to personal data in an insecure way will have to face the risk of enforcement action if something goes wrong or the insecure access comes to the attention of the ICO, not to mention the potential safeguarding report and/or investigation which could follow where children’s personal data has been exposed or misused.