Data Protection

Within Cycling Ireland GDPR affects any individual, club, event organizer or commission official who uses people’s personal information.

GDPR applies to anyone considered to be a data controller, or someone who gathers and holds personal information on others. This could be club officials who look after gathering membership fees, or event organisers who are running races or sportives. It also is relevant for Commission officials or team managers who hold information on riders who communicate with them.

The Data Controller determines the purposes for which and the manner in which any personal data are processed. 

The Data Processor processes personal data on behalf of the Controller.

According to the Data Protection Act “personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or likely to come into, the possession of the data controller. This data can be: Name, Address, Phone number, email address, passport number, medical information, bank details or social media posts by way of examples.

Note that categorizing people’s personal data in such a way that reveals aspects of the person like their ethnicity, disability status or sexual orientation is subject to more stringent rules than the processing of other personal data.

If this information is relevant to the sport, and to their participation in the sport, this data may be relevant. However, it is important to have a valid reason for gathering this information. Examples of where this information could be gathered is: paracycling events or medical information that may be required in case of emergency.

GDPR defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. 'Personal data breaches' include:

• Breaches of confidentiality (someone gains access to information who shouldn't have access to it);·         
  
• Breaches of integrity (the information you hold is amended to make it incorrect or inaccurate); and·         
• Breaches of availability (the information can no longer be accessed; for example, in a Distributed Denial of Service (DDoS) attack).

You will only have 72 hours from being aware of a breach to report it to the Data Commissioners. You must also keep a record of any personal data breaches. 

For example, if a club membership secretary holds the membership data unencrypted on their laptop and that laptop is stolen, that personal data has been subject to a data breach which is likely to need to be reported to the Data Commissioner. You need to make sure that personal data is held securely, (e.g. using secure, non-shared passwords and encryption where necessary) and only moved between devices using secure means. Any printed copies of personal data should be stored securely and not left in public places.

You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to in such a situation.

One of the principles of the DPA and the GDPR is that you can only process data for the purpose for which it is collected. This means that if you collect the name and contact details of an individual so that they can become a member of your club then, in general, you cannot use that data for something else. Specifically, if people have provided their personal information to you so that they can join, you are not then allowed to use that data to market products or services to them (unless you have their explicit consent to do so). 

Gathering personal information or data is integral to the correct running of clubs. The risk of mismanaging this data is low, but nonetheless it is crucial that the data is managed, collected and stored correctly and in accordance with the GDPR.

In the case of Cycling Ireland clubs, Cycling Ireland is usually considered the Data Controller, with the personal data and information on our database required for the purpose of issuing Cycling Ireland membership. Clubs, in this case, are regarded as the data processor as they are gathering personal data for this purpose. In this case Cycling Ireland is responsible for compliance with data protection legislation and GDPR, and clubs are expected to process data securely.

Club officials must ensure data is processed securely;

• It is updated regularly and accurately;
• It is limited to what the club needs;
• It is used only for the purpose for which it is collected; and
• It is used for marketing purposes only if the individual has given their consent to do so. This needs to be an opt-in consent rather than an opt-out consent.

Should the club ask for any information other than that required by Cycling Ireland for membership, recorded consent from the individuals and the processing of their data must take place outside of the Cycling Ireland system, and the club becomes the data controller with primary responsibility for compliance with data protection legislation including GDPR.

Should clubs fail to comply with data protection and are in serious breach, there will be increased fines. While Cycling Ireland is usually the data controller of personal data on its systems, both data controllers and data processors can be issued with fines under GDPR.

RECOMMENDATION

Club officials should not be using personal email addresses, instead a “club” email address should be used. This increases the likelihood of transparency and maintains continuity. It also keeps the data stored in one place that is only controlled by the club official or data controller.

NEW MEMBERS

If you are a new Cycling Ireland member you log into the Cycling Ireland Membership system HERE and create your own profile, selecting the club you wish to join. The club official will get a notification and approve your request to join. Your information will now appear in Cycling Ireland club official’s profile on the membership system. This personal information can only be used for the purpose of valid activities relating to the club and not for external marketing reasons. Your information will be held for 7 years in line with the statutory limitations in Cycling Ireland. Even if your membership has lapsed you can log into your profile at any stage and either request to be transferred out of the club or to renew your licence.

TRANSFERRING TO ANOTHER CLUB

Cycling Ireland members can request to transfer to another club. Once their request for transfer is approved by both the club they are leaving and the club to which they are moving, their personal data and profile will be removed from the previous club and appear in the profile of the club official or data processor in the club to which they are moving. 

If you are not a member of a Cycling Ireland club, the only people who have access to your membership data are the staff of Cycling Ireland.

If you wish to transfer to a club, then the official of the club into which you are transferring will have access to your data.

All personal data, regardless of whether it is collected manually or digitally, must be managed in accordance with GDPR. This means that the same levels of caution must be used at all times when collecting, retaining and using personal data. A data breach would occur if any personal data were to be passed to someone who has not been permitted to have that data, whether it is in paper form or online.

Cycling Ireland membership is all processed online. Transportation of personal data in any format, including paper, is seen as a risk, and to this end processing membership online is the safest and most secure way to do that.

Online registration is in place for events, where there is less risk involved in terms of transporting personal data and processing information.

Cycling Ireland members store their “In Case of Emergency” (ICE) contact information in their profile on the Cycling Ireland portal. This information can be accessed only by Cycling Ireland designated officials, or by the designated club officials in their club.

Because of the limitations in accessing this information should an incident occur in an event, it is considered good practice for event organisers to capture valid information on riders such as emergency contact details and relevant health and medical information, such as allergies or current medication.

This information should be stored securely and destroyed once they are no longer needed. When riders are signing up for events this information should be disclosed, with details of how long the information will be stored.

Note that personal data and information on riders will be captured by event organisers and commissaires, in the case of competitive events. Both event organisers and commissaires should store information in a secure place at all times, using password protected files and computers.

Following events Commissaires submit their report to Cycling Ireland where it will be retained for a period of time in conjunction with statutory limitation.

There are occasions where paper copies of downloaded personal information may be passed to coaches or volunteers working at an event. This is acceptable if it is necessary for their particular role, and there is valid reason for this information to be passed. After the event note that all paper copies of information should be either stored securely or destroyed (shredded) after use. Information should NEVER be shared with third parties for any reason, and NEVER be used for marketing purposes, unless the explicit consent of the club member to do so have been captured and recorded.

Any Cycling Ireland member can ask for a copy of the personal data that you hold on them. The individual must make the request in writing and give any details that may be required to access the information on them. Under GDPR the SARs must be responded to within one calendar month. Note that having received the access request you cannot change or delete the personal data which you hold. You must provide the information in a clear format and only give this personal information to the individual concerned, or person acting on their behalf and with their authority. If this information is not kept on a computer or relevant filing system, they must be told within one month.

The GDPR includes additional, specific protections for children's personal data. If you collect children's personal data, then you need to make sure that your privacy policy is written in words that they can understand and you may need to obtain consent from the child's parent or guardian.

All members who work with children must complete Garda eVetting forms. These forms are held securely in Cycling Ireland for the appropriate number of years in accordance with statutory regulation. All files will be destroyed (shredded) following this time.