A recent survey on data protection practices in the sports industry has revealed significant gaps in compliance and understanding.
The Data Protection Commission (DPC) developed the survey to assess various areas of understanding, including training provided to staff, the responsibilities of data processors and controllers, the handling of special category data, and data subject rights.
The DPC engaged with over 100 sports clubs across four major sports in terms of participation at a national level: rugby, Ladies Gaelic Football Association (LGFA), Gaelic Athletic Association (GAA), and football. A particular focus of the DPC’s engagement in this area is on children’s data processing, recognising that participation in sport is an important aspect of life for many young people in Ireland. Children, and their parents, should be able to engage in sports activities without undue concern from the perspective of privacy and data protection.
Key Findings
Notably, 56% of sports clubs do not have a data retention schedule, which gives rise to concerns in terms of the storage and retention of personal data for periods far longer than necessary for the purpose for which it was originally obtained.
Furthermore, 41% of clubs reported they do not have any data protection policies. These policies are crucial for ensuring that clubs comply with their obligations under the General Data Protection Regulation (GDPR). More than half of the clubs surveyed do not have procedures in place to deal with subject access requests (SARs) or other data subject rights under GDPR such as erasure or rectification. The absence of procedures in sports clubs to handle SARs and other data subject rights can lead to non-compliance, data breaches, and a loss of trust among members. To mitigate these risks, sports clubs need to implement comprehensive data protection policies, provide clear staff training on data subject rights, and establish clear, efficient processes for responding to SARs and other related requests.
The DPC understands that, as technology evolves, sports clubs may be starting to use performance analysis through wearable devices to collect data from players. When a club introduces these types of technology, it is recommended to carry out a Data Protection Impact Assessment (DPIA) in order to assess and mitigate any risks arising from this use. As only 9% of the clubs state that they carried out a DPIA, it is evident that clubs are unaware of their obligations to assess risk arising from data processing, and of best practice with regard to carrying out a DPIA.
In terms of specific types of data, while 56% of clubs claim they do not collect special category health data, a concerning 39% of clubs state that they do collect performance data. It is important to emphasise that performance data, collected over time, is likely to be health data, as it relates to the physical and mental well-being of athletes.
Furthermore, one-third of clubs stated that their staff and volunteers use personal devices to manage and access club data. As data controllers, the clubs should ensure their processing of personal data complies with the security and integrity obligations of the GDPR. All the data collected for the clubs’ purposes on a personal device needs to have appropriate measures to protect against unauthorised or unlawful access (e.g., if the device is stolen or lost). The clubs should look at implementing a ‘bring your own device’ policy to ensure appropriate safeguards are in place when staff/coaches are using their personal devices for capturing and collecting data (i.e., even photos at events or matches).
Looking ahead, the DPC plans to take several steps to improve data protection practices across the sports industry. The next goal is to engage with the governing bodies and organisations promoting sports across Ireland, working with them to raise awareness and build knowledge around data protection. By collaborating with these organisations, the DPC hopes to promote better compliance and understanding, ensuring that sports clubs and organisations are better equipped to protect the personal data of athletes, staff, and any data subject they engage with. The aim is to support clubs in meeting their obligations under the GDPR.