Data protection for race officials

Guidance for race officials about their obligations and responsibilities regarding the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
 


The Data Protection Act 2018 (Act) and General Data Protection Regulations (GDPR) touch on all aspects of club and event administration when personal data is involved.

What is personal data?

Any information relating to an identified or identifiable natural person (referred to as the Data Subject) is regarded as Personal Data. A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors, specifically the physical, physiological, genetic, mental, economic, cultural or social identity of that actual person.

This means that names and email addresses which can identify an individual are regarded as Personal Data. It is also worth noting that in many cases boat names and sail numbers can be used to identify an individual and may therefore be considered Personal Data. Notes of protest hearings also fall within the definition of Personal Data. Medical information carries additional protections and is referred to as Special Category Data.

What are the obligations in respect of personal data?

Principles of accountability and transparency are far more significant than under the Data Protection Act 1998. It must be possible to demonstrate compliance with the regulations, and for the Data Subject to be able to exercise certain rights in respect of their data. Ultimately, noncompliance may lead to substantial fines.

Of particular relevance is an increasing awareness of the rights of Data Subjects, which may lead to those rights being exercised with greater regularity against even the smallest of entities who collect and use Personal Data (Data Controllers).

How does this affect Race Officials?

Race Officials may be grouped into two categories:

  (a) Those providing a service to another organisation, for instance those invited to officiate at a regatta by virtue of their qualification. They may be provided with access to competitors' details on arrival, and should follow the instructions of the organiser regarding how that information is used; and
  (b) Those who are part of a club or event management team, and who have both an official function under the Racing Rules of Sailing and other roles and responsibilities within the club or management team. In that capacity, the individual is likely to have had a role in determining what information is collected, and shaping the internal processes governing its use.

Those falling within (b) will be considered Data Controllers for the purposes of the data protection legislation. The RYA has published extensive guidance on the GDPR and Data Protection Act for those involved in club management, which is available in the Club Zone section of the RYA website, and it is recommended that those acting as Data Controllers familiarise themselves with this guidance.

The implications of the GDPR for those falling within (a) will depend on the circumstances. It is conceivable that the relationship may be interpreted as that of Controller-Processor. The Processor of Personal Data acts on behalf of the Data Controller, following the Data Controller's instructions to perform a specific task, e.g. to administer the Racing Rules, and the GDPR requires such a relationship to be documented in a data processing agreement.

Alternatively, and perhaps more appropriately, Race Officials may be regarded more as an arm of the management team: not in the same way as described in (b) (i.e. in the position of a Data Controller), but as someone within the team who is provided with certain information to perform a particular function, just as the treasurer may be provided with payment details, or a booking administrator may be provided with a list of who is attending the event.

Clubs and organisers familiar with their responsibilities as Data Controllers are likely to have internal policies setting out how Personal Data is handled within that organisation. Race Officials should ask if any such policies exist and be prepared to comply with them. Depending on the circumstances, it is possible that a Race Official may be asked to sign a document, perhaps acknowledging they will comply with any procedures in place and will not share or disclose Personal Data provided to them, or alternatively a formal processing agreement could be requested. A Race Official faced with a request to sign such a document may wish to take advice from the RYA legal department. However, it is anticipated that the processes between different event organisers will become more aligned in time.

How much information does the Race Official need?

Those organising a racing event should consider how much information needs to be shared with the Race Official for them to perform their official function.

Many organisers will collect a wide range of Personal Data including payment details, next of kin details and medical declarations from competitors. While such information may be necessary to administer the event, it may not be necessary for the Race Official to perform their official function.

Organisers may therefore want to consider only passing on relevant information to the Race Official if other functions (e.g. payment, first aid etc.) are performed by others within the event.

Reducing the amount of information transferred between individuals will reduce the associated risks.

Protecting personal data

Race Officials are likely to retain a need for some Personal Data. The following guidelines should be applied by those in receipt of Personal Data:

  • You have a responsibility to look after Personal Data which you hold.
  • Security obligations must be taken equally seriously whether you hold data in hard copy or electronically.
  • The organiser, as the Data Controller, may have processes and procedures in place for you to adhere to.
  • Personal Data in hard copy form should be kept under lock and key with restricted access. If that is not practical and you have hard copy data, then it must still be kept securely. This includes keeping any Personal Data stored at home securely, preferably in a locked cabinet to which access is restricted.
  • Consider how Personal Data is transferred. It should not be left unsecured, e.g. in the car or on a boat from where it could be removed by others.
  • If you store Personal Data electronically, be very careful if it is stored in "the Cloud".
  • Cloud computing carries data protection risks which are not always obvious. The Data Controller remains responsible for Personal Data, wherever it is stored. If you are accessing a cloud-based service provided by an organising authority, consider the security of your own devices used to access those platforms. Cloud computing is not “one size fits all”, and so the data protection issues which apply can vary.
  • There is guidance from the Information Commissioner’s Office (ICO) about cloud computing.
  • Data held electronically should be encrypted.
  • Consider when and how data will be destroyed after use. This may be specified by the organiser, if they are the Data Controller.

Racing Rules

Under the Racing Rules, it may be necessary for the Race Official to share Personal Data with third parties, for instance the RYA, other MNAs or World Sailing under the protest, misconduct and appeals procedures.

The legal basis for sharing information under the Racing Rules is contract, and participants should be made aware that personal data may be shared with third parties by the event organiser at the time they enter the event, in order to avoid later questions.

The RYA has produced an ‘Addendum A to RRS Appendix J’ which provides template statements to be included in notices of race. This includes a Privacy Statement, reproduced below, in order to ensure that the necessary information has been provided to participants to facilitate the sharing of their personal information.

Race Officials may therefore want to check that the necessary statement has been provided to participants, or should ensure that this is done, before passing information on to third parties such as the RYA, other MNAs or World Sailing.

Rule 65.3 now states that unless there is good reason not to do so, the protest committee may publish the decision (including the facts found, conclusion and any penalties). Protest Committees should ensure that in publishing such decisions they do not inadvertently publish additional information such as phone numbers or email addresses.

Retention of information under the Racing Rules

Personal Data should only be kept for as long as necessary, and it is likely that the organiser, as the Data Controller, will have a policy on retention periods for Personal Data collected for the event.

Such a policy may well cover retention of information for the purposes of administering the Racing Rules, e.g. protests and appeals, and Race Officials should consider where such Personal Data is most appropriately held: with the organiser or with the Race Official.

It is known that Race Officials may want to retain certain information as precedents to aid understanding and development of the Racing Rules. Keeping Personal Data indefinitely “because it may come in useful” is no longer appropriate. While retaining information for a period in anticipation of a protest, appeal or even potential legal question (e.g. from insurers) may well be justified, the nature and amount of Personal Data retained must be reviewed. For example, Personal Data retained in connection with a protest hearing may be anonymised once the possibility of an appeal has passed. The Personal Data, e.g. the parties’ names, would no longer be needed, although the anonymised facts may be kept for future reference.

Template privacy statement

The personal information you provide to the organizing authority will be used to facilitate your participation in the event. If you have agreed to be bound by the Racing Rules of Sailing and the other rules that govern the event (the rules), the legal basis for processing that personal information is contract. If you are not bound by the rules, the legal basis for processing that personal information is legitimate interest. Your personal information will be stored and used in accordance with the organizing authority’s privacy policy. When required by the rules, personal information may be shared with the RYA, your national authority and/or World Sailing. The results of the event and the outcome of any hearing or appeal may be published.

Further information

RYA members are able to receive further advice from the RYA Legal Team on 023 8060 4223 or legal@rya.org.uk