GAA Clubs collect and use information about members for a variety of purposes. The nature of the information held, i.e. personal information about individuals, means that Data Protection legislation applies. Data Protection legislation is in place to protect all of us from the misuse of our information. There is a requirement for Clubs to ensure that they adhere to the legislation and guidelines provided by the Data Protection Commissioner
Please Note: The information contained on these pages does not constitute legal advice and is intended as a guideline only. Legal advice should be sought for Data Protection queries.
Overview of legislation
Data Protection is fundamentally about an individual’s right to privacy and the Data Protection Acts of 1988 & 2003 and the EC Electronic Communications Regulations (2011) have enshrined this right in Irish law. The Acts set out the general principle that individuals should be in a position to control how data relating to them is used.
Data Protection applies to all businesses, companies, charities and organisations, it is not just relevant for GAA Clubs but it is important that GAA clubs comply with the legislation.
Data Protection legislation applies where an individual or organisation collects, stores or processes any data about living people, often referred to as personal data, on any type of computer or in a structured filing system.
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. GAA clubs are data controllers.
An individual or legal person who holds or processes personal data, but does not exercise responsibility for or control over the personal data. Examples of data processors include payroll companies, accountants.
Data that relates to a living individual who can be identified directly from that data or who’s identity can be derived from that data in conjunction with other data that may be available.
Sensitive Personal Information
Data about an individual which relates to race, ethnic group, political affiliation, religion, trade union membership, mental or physical health, sexual orientation or criminal record.
How it’s relevant to GAA clubs
The Data Protection legislation applies to GAA clubs as personal data relating to living individuals is collected and used for membership registration, managing teams and administering the club. These are legitimate uses of the data but it is imperative that the data is controlled and processed in compliance with the legislation. It is the responsibility of every club to ensure that the privacy rights of individuals are safeguarded when processing personal data. Whilst the legislation is complex, the requirements can be summarised under the following eight rules:
1. Obtain and process information fairly
2. Keep it for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these specified purpose(s)
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to an individual, on request
- The Legislation allows for GAA clubs to collect personal information relating to Members, such as Names, Addresses, Dates of Birth, email and telephone numbers for the purposes of administering the club (e.g. registering players, arranging meetings) or other specific purposes with the permission of the individual.
- It does not allow for members’ data (such as email addresses) to be used for purposes (such as marketing emails from third parties) without the express permission of the member.
- The member must be given the opportunity to ‘Opt-in’ before their details are included in any mailing lists for any communication which is not related to club activity (the original purpose).
- In all cases, the personal information relating to members must be kept safe and secure and should never be passed to third parties without the express permission of the member.
- At point of capture (i.e. registration) members must be informed of the purpose or purposes that their information will be used for (Registration, club activities, fundraising, etc)
- When sending emails to a mailing list the Blind Copy address field should be used to ensure that email addresses are not inadvertently disclosed
- Do not correspond directly with Juveniles, Parent or Guardian contact details should be used
- Members must Opt In to receive correspondence which is not directly related to club activities(not opt out)
- Allow members the facility to Opt out on correspondence issued (They must be removed from mailing lists as soon as possible, and at least within 40 days of notification)
- Do not contact individuals who have asked to opt out
- All Membership forms, in hard copy, should be stored centrally in a secure location
- Electronic records should be saved on an access controlled device, preferably encrypted, logons should not be shared.
- Data should be held only whilst there is a continued need for it – data should be reviewed and destroyed regularly
- Data should be reviewed regularly for completeness and accuracy (at least yearly)
- A member can submit a Subject Access Request to request all of the information held about them by the Club – this must be provided within 40 days and a fee may be charged, of no more than €6.35
What constitutes a breach?
Where an incident gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, in manual or electronic form, the data controller must give immediate consideration to informing those affected. Such information permits data subjects to consider the consequences for each of them individually and to take appropriate measures.
If the data concerned is protected by technological measures which make it unintelligible to any person who is not authorised to access it, the data controller may conclude that there is no risk to the data and therefore no need to inform data subjects. Such a conclusion would only be justified where the technological measures (such as encryption) were of a high standard.
All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal data of a financial nature.
In case of doubt- in particular any doubt related to the adequacy of technological risk-mitigation measures - the data controller should report the incident to the Office of the Data Protection Commissioner
Escalation or Queries
- The Data Protection Commissioner provides extensive information and practical guidance on Data protection on her website, www.dataprotection.ie, and clubs should inform themselves further of their obligations by reviewing that site.
- If you have any concerns about Data Protection or feel that a breach of Data Protection legislation has occurred, you should raise these concerns immediately by emailing firstname.lastname@example.org. You should also notify the Data Protection commissioner as soon as possible.
- Please note that the Data protection regulations are slightly different in other jurisdictions outside of the Republic of Ireland. Local laws should be consulted and complied with as necessary
There are other Regulations that must be complied with also, including:
- Health and Safety
- Child Protection
- PCI (Payment Card Industry) if CC details are held