The Data Protection Act 2018 (Act) and General Data Protection Regulations (GDPR) touch on all aspects of club and event administration when personal data is involved.
Any information relating to an identified or identifiable natural person (referred to as the Data Subject) is regarded as Personal Data. A person is identifiable if they
‘can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors, specifically the physical, physiological, genetic, mental, economic, cultural or social identity of that actual person’
This means that names and email addresses which can identify an individual are regarded as personal data. It is also worth noting that in many cases boat names and sail numbers can be used to identify an individual and so may be considered personal data. Notes of protest hearings also fall within the definition of Personal Data. Medical information carries additional protections and is referred to as Special Category Data.
Principles of accountability and transparency are far more significant than under the Data Protection Act 1998. It must be possible to demonstrate compliance with the regulations, and for the Data Subject to be able to exercise certain rights in respect of their data. Ultimately, noncompliance may lead to substantial fines.
Of particular relevance is an increasing awareness of the rights of Data Subjects, which may lead to those rights being exercised with greater regularity against even the smallest of entities who collect and use Personal Data (Data Controllers).
Race Officials may be grouped into two categories:
Those falling within (b) will be considered Data Controllers for the purposes of the data protection legislation. The RYA has published extensive guidance on the GDPR and Data Protection Act for those involved in club management, which is available in the Club Zone section of the RYA website, and it is recommended that those acting as Data Controllers familiarise themselves with this guidance.
The implications of the GDPR for those falling within (a) will depend on the circumstances. It is conceivable that the relationship may be interpreted as that of Controller-Processor. The Processor of Personal Data acts on behalf of the Data Controller, following the Data Controller's instruction to perform a specific task, e.g. to administer the Racing Rules, and the GDPR requires such a relationship be documented in a data processing agreement.
Alternatively, and perhaps more appropriately, Race Officials may be regarded more as an arm of the management team, not in the same way as described in (b) (i.e. in the position of a Data Controller) but as someone within the team who is provided with certain information to perform a particular function, just as the treasurer may be provided with payment details, or a booking administrator may be provided with a list of who is attending the event.
Clubs and organisers familiar with their responsibilities as Data Controllers are likely to have internal policies setting out how Personal Data is handled within that organisation. Race Officials should ask if any such policies exist and be prepared to comply with them. Depending on the circumstances, it is possible that a Race Official may be asked to sign a document, perhaps acknowledging they will comply with any procedures in place, and will not share or disclose Personal Data provided to them, or alternatively a formal processing agreement could be requested. A Race Official faced with a request to sign such a document may wish to take advice from the RYA legal department; however, it is anticipated that the processes between different event organisers will become more aligned in time.
Those organising a racing event should consider how much information needs to be shared with the Race Official for them to perform their official function.
Many organisers will collect a wide range of Personal Data including payment details, next of kin details and medical declarations from competitors. While such information may be necessary to administer the event, it may not be necessary for the Race Official to perform their official function.
Organisers may therefore want to consider only passing on relevant information to the Race Official if other functions (e.g. payment, first aid etc.) are performed by others within the event.
Reducing the amount of information transferred between individuals will reduce the associated risks.
Race Officials are likely to retain a need for some Personal Data. The following guidelines should be applied by those in receipt of Personal Data:
Under the Racing Rules, it may be necessary for the Race Official to share Personal Data with third parties, for instance the RYA, other MNAs or World Sailing under the protest, misconduct and appeals procedures.
The legal basis for sharing information under the Racing Rules is contract, and participants should be made aware that personal data may be shared with third parties by the event organiser at the time they enter the event, in order to avoid later questions.
The RYA has produced an ‘Addendum A to RRS Appendix J’ which provides template statements to be included in notices of race. This includes a Privacy Statement, reproduced below, in order to ensure that the necessary information has been provided to participants to facilitate the sharing of their personal information.
Race Officials may therefore want to ensure the necessary statement has been provided to participants or should ensure that this is done before passing information on to third parties such as the RYA, other MNAs or World Sailing.
Rule 65.3 now states that unless there is good reason not to do so, the protest committee may publish the decision (including the facts found, conclusion and any penalties). Protest Committees should ensure that in publishing such decisions they do not inadvertently publish additional information such as phone numbers or email addresses.
Personal Data should only be kept for as long as necessary, and it is likely that the organiser, as the Data Controller, will have a policy on retention periods for Personal Data collected for the event.
Such a policy may well cover retention of information for the purposes of administering the Racing Rules, e.g. protests and appeals, and Race Officials should consider where such Personal Data is most appropriately held: with the organiser or with the Race Official.
It is known that Race Officials may want to retain certain information as precedents to aid understanding and development of the Racing Rules. Keeping Personal Data indefinitely “because it may come in useful” is no longer appropriate. While retaining information for a period in anticipation of a protest, appeal or even potential legal question (e.g. from insurers) may well be justified, the nature and amount of Personal Data retained must be reviewed. For example, Personal Data retained in connection with a protest hearing may be anonymised once the possibility of an appeal has passed. The Personal Data, e.g. the parties’ names, would no longer be needed, although the anonymised facts may be kept for future reference.
The personal information you provide to the organizing authority will be used to facilitate your participation in the event. If you have agreed to be bound by the Racing Rules of Sailing and the other rules that govern the event (the rules), the legal basis for processing that personal information is contract. If you are not bound by the rules, the legal basis for processing that personal information is legitimate interest. Your personal information will be stored and used in accordance with the organizing authority’s privacy policy. When required by the rules, personal information may be shared with the RYA, your national authority and/or World Sailing. The results of the event and the outcome of any hearing or appeal may be published.
RYA members are able to receive further advice from the RYA Legal Team on 023 8060 4223 or legal@rya.org.uk