Individuals’ Rights and what it means for Sports Organisations

8 August 2023 | Written by Andy Nutting

Read the latest blog post written by Andy Nutting, Information Governance Manager at Veritau, which focuses on Individuals’ Rights and what it means for Sports Organisations.

The General Data Protection Regulation (GDPR) has been in force since May 2018 and many sports organisations will by now have implemented policies, procedures, and guidance to comply, including appointing a Data Protection Officer (DPO).

The UK’s exit from the European Union in January 2020 introduced a new domestic data privacy law called the UK GDPR, which took effect immediately and incorporated the provisions of the EU GDPR directly into UK law.

This means that, for now, and until such time as the Data Protection and Digital Information Bill is enacted, sports organisations need to comply with all the same data protection requirements as they have done since May 2018, including the rights of the data subject.

Of course, one of the major provisions within the Act is an individual’s right of access to their data, which has been part and parcel of data protection rights since the introduction of the Data Protection Act 1998.

Data Subject Access Request

This allows an individual (data subject) to request and obtain a copy of their personal information held by your organisation and other organisations. In some circumstances it allows parents to access information about their children.

By now all sports organisations should have adopted procedures for handling a request for personal data (subject access request) and trained their staff to recognise one and understand what to do when receiving one.

This is important because most (if not all) sports organisations will process a lot of personal information. Think about membership information or ticketing information for spectator sports. Think also about employee information, including Human Resources, recruitment, and DBS (Disclosure and Barring Service) checks. Then there is performance data that sports clubs are increasingly collecting and processing.

How long before a player or a coach submits an access request for data about an injury predictor or a valuation predicted by an algorithm or machine learning tool? Remember, anyone can submit a request for their own personal data.

Indeed, a player can authorise someone else to make a request on their behalf, for example a player’s agent. Your procedure should include a step for confirming that the requester has a right to the information.

So, in the example of a player’s agent requesting personal data on behalf of his/her client, you’ll need to ensure that the player has approved this.

What information is included in a SAR? Well, a search for records should encompass all relevant systems related to the request, across data held electronically (IT systems and apps) and in hard copy (paper files).

This could include information held in databases, emails, filing systems and social media, as well as text messages, WhatsApp messages, CCTV/video images and archived data.

In essence you will need to search all areas where information about the data subject might be stored. This is an arduous task at the best of times, but if you’re one of those organisations that hasn’t implemented a records retention policy, then you might end up ploughing through reams and reams of data, particularly if the data subject isn’t specific about the information requested.

A well-embedded record retention policy allows you to manage how long you keep information and when to get rid of it. It helps you to manage the data mountain that you will otherwise unintentionally build and then be expected to hunt through when a subject access request arrives.

Be aware that you can’t dispose of information that is past its retention period as a result of receiving a request! So, it’s no good leaving retention management until you receive a request.

Be proactive, and if you’ve not already developed and implemented a record retention schedule, do it now.

Retention becomes an even brighter idea when you also consider the requirement to redact third party data from the information requested.

If you don’t have software to do this work it can become a hard slog, using a marker pen or something similar. Imagine doing this if you’re not managing the retention of all your information assets.

And don’t forget that you must provide an individual’s information within one calendar month, often considered to be 28 days. You can extend this period by a further two calendar months, but only if the request is complex or you have received several requests from the same individual.

Note that storing up mountains of information is not a reason to extend the statutory timeframe of one calendar month!

What if the individual mentions other rights?

So, if you receive several simultaneous requests from an individual which relate to other rights under the UK GDPR, such as the right to erasure or the right to restrict processing, the Information Commissioner’s Office (ICO) advises that you should deal with each request separately.

This means establishing proof of identity for each or ensuring that a third party has authority to act on behalf of the data subject. It’ll also mean determining what information the request relates to.

You might be able to consider an extension of time depending on what the individual is asking for, so check with your DPO about this.

I’ll look at the other rights later in this article, but first, when is a request deemed as complex?

When is a request complex?

Whether a request is complex depends on the specific circumstances of each case. What might be complex for one sports organisation may not be for another. The size and resources of your organisation are likely to be relevant factors.

However, the ICO advises the following as examples of factors that may add to the complexity of a request:

  • Technical difficulties in retrieving the information, for example information stored on software no longer supported or accessible.
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential issues around disclosing information about a child to a legal guardian.
  • Any specialist work involved in obtaining the information or communicating it in an intelligible form.
  • Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
  • Needing to obtain specialist legal advice.

Requests that involve a large volume of information may add to the complexity of a request; however, a request is not complex solely because the individual requests a large amount of information.

Nor is it complex just because you must rely on a processor (contractor) to provide the information you need to respond.

If you do receive a request that involves a large volume of information, I would recommend asking the data subject if they’re able to be more specific about the information that they’re looking for, and possibly the timeframe from which the information is required. The time limit for responding to the request is paused until you receive clarification, known as ‘stopping the clock’.

That said, you should not seek clarification on a blanket basis and only seek it if:

  • It is genuinely required to respond to the request, and
  • You process a large amount of information about the individual.

As mentioned, you can ask the requester to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely dates of when you processed it.

However, you cannot force an individual to narrow the scope of their request, as they’re entitled to ask for ‘all the information you hold’ about them.

If an individual responds to you and either repeats their request or refuses to provide any additional information, you must comply with the request by making reasonable searches for the information.

Whether you consider the request to be complex and ask the data subject further questions about their request or apply the extended time, the likelihood is that you will need to process the request.

You will need a procedure to do this, ensure employees recognise a request and know what to do with one, and allocate resources to deal with the request. The people dealing with the request will need to understand how to undertake one, i.e., they will need to have undertaken specialist training.

Other rights

Apart from access to their personal data, the UK GDPR affords other rights to individuals about their personal data. Here are a few of these that as a sports organisation you will need to consider and have processes in place to deal with:

  • The right to be informed – you need to tell individuals what data is being collected, how it’s being used, how long you will keep it for, and whether it will be shared with third parties. This information is often communicated through a Privacy Notice and published on a website.
  • The right to rectification – an individual can request an organisation to update or correct any records about them which they suspect are inaccurate or incomplete. As with the right of access, you have one month to do this, and the same exemptions apply.
  • The right to erasure (also known as the right to be forgotten) – individuals can request organisations to erase their data in certain circumstances. Such circumstances might include when the data is no longer necessary, or the data was unlawfully processed, or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
  • The right to restrict processing – individuals can request that you limit the way their personal data is used. This is an alternative to requesting the erasure of data and might be used when an individual contests the accuracy of their personal data.
  • The right to object – individuals can object to the processing of personal data that is collected on the grounds of legitimate interests. If this happens, you must stop processing information unless you can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the individual. You can also refuse this right if the processing is for the establishment, exercise or defence of a legal claim.

These are the rights a sports organisation is more likely to be faced with, but there are two others that they should be aware of.

One is the right to data portability, where, at the request of the individual, you are required to transmit the individual’s data that is in your possession or under your control to another organisation in a commonly used, machine-readable format.

The second one is the right not to be subject to a decision based solely on automated processing. This includes a provision for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals.

At the moment, individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed. For example, an online decision to withdraw membership of an individual from a sports club.

Back to subject access requests

Whilst you need to have processes in place to deal with these other rights, without doubt, the most common one you will receive is the request for personal information.

As outlined earlier, you need to be prepared for these by having a process in place, resources available to administer them, and structured information assets in place to enable quick access to meet the statutory timescale.

The ICO issued a blog post in September last year highlighting common compliance issues they had seen across 35,000 complaints every year. In this blog post they identified four common themes emerging:

  • Delay – organisations taking too long to respond to information requests.
  • Relationship breakdown – no responsible contacts at the organisation for dealing with subject access requests or organisations providing incomplete and/or unsatisfactory responses.
  • Trust – lack of trust from the individual in what they are being told.
  • Understanding – organisations’ lack of understanding of individuals’ requests.

From the themes above, the ICO prepared a set of recommendations for organisations, including:

  • Talk to your customers – customers are less likely to complain to the ICO if you handle their data protection complaint well. If you’re not able to meet a subject access request, inform your customer.
  • Maintain dialogue – a lot of data subjects request all their personal information when they only want information relating to a specific incident. You cannot ask the individual to narrow the scope of their request, but you can ask them to provide additional details to help you locate the requested information.
  • Build trust – if you are dealing with a complex or large subject access request, explain to the individual that your organisation will send information in batches and provide a timeframe for this. If any exemptions apply, you need to provide an explanation of this.
  • Use plain English – data protection is complex; individuals want information that they can understand.
  • Honesty – keep your privacy policy up to date where necessary and make it accessible and easy to understand.

There is no doubt that a subject access request can be resource intensive; it may feel like it impedes progress on other priorities in the organisation and be perceived to be of little value or worth to the data controller.

However, the number of data subject access requests is increasing as people become more aware of their rights under the UK GDPR.

In fact, The Guardian recently reported that their use has exploded in recent years and that they are commonly used as a tool by individuals in dispute with organisations.

And of course, there is the recent example of Nigel Farage using a subject access request to obtain information showing that his bank account at Coutts Bank was closed because of his political values, resulting in the resignations of the CEO of NatWest Bank (owners of Coutts) and the CEO of Coutts Bank.

Indeed, a survey by Opinium Research in 2020 for the DPO Centre found that 11% of respondents had considered submitting a subject access request after feeling that a company had mishandled their data, equating to 6 million people in the UK!

So, the message is clear. Take subject access requests seriously. Don’t ignore the possibility of you receiving one. If you haven’t already, be prepared for them.

If you don’t feel that you have the expertise and/or resources to handle one, engage a third party to do them for you. We at Veritau have a dedicated team of experts who focus on handling subject access requests and who are willing to assist you with yours. Don’t get stuck: if you feel that we can help you, why not give me a call for an initial chat?

If you’d like support managing your organisation’s data, our team can help.

You can keep up to date with Andy’s blogs on his LinkedIn profile.