1. Introduction, Scope & Application

  1. During the course of our activities the IPSF will collect, store and process personal data about our participants be they athletes, officials, coaches, administrators, Board and Committee Members, staff and others. This makes us a data controller in relation to that personal data.
  2. The IPSF is committed to the protection of all personal data for which we are the data controller.
  3. The law (UK) imposes significant fines for failing to lawfully process and safeguard personal data and failure to comply with this policy may result in those fines being applied.
  4. All members of our staff must comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary or other action.
  5. This policy is drafted in accordance with the requirements of the General Data Protection Regulation (“GDPR”). The personal data which we hold is subject to certain legal safeguards specified in the GDPR, the Data Protection Act 2018, and other regulations (“Data Protection Legislation”).
  6. This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
  7. This policy does not form part of any employee's contract of employment and may be amended at any time.
  8. This policy sets out rules on data protection and the legal conditions that must be satisfied when we process personal data.

2. Data Protection Officer

  1. The IPSF is not required to appoint a Data Protection Officer (“CEO”). However any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the CEO.
  2. The CEO is also the central point of contact for all data subjects and others in relation to matters of data protection.

3. Data Protection Principles

Anyone processing personal data must comply with the following principles. Personal data must be:

  1. Processed fairly, lawfully and transparently in relation to the data subject;
  2. Processed for lawful purposes and in a way which is not incompatible with those purposes;
  3. Adequate, relevant and not excessive for the purpose;
  4. Accurate and up to date; not kept for longer than necessary; and
  5. Processed securely using appropriate technical and organisational measures.
  6. Processed in line with data subjects' rights;
  7. Not transferred to people or organisations in other countries without protection.

The IPSF will comply with these principles in relation to any processing of personal data.

4. Fair and Lawful Processing

  1. Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
  2. For personal data to be processed fairly, data subjects must be made aware:
    1. that the personal data is being processed;
    2. why the personal data is being processed;
    3. what the lawful basis is for that processing;
    4. whether the personal data will be shared, and if so with whom;
    5. the period for which the personal data will be held;
    6. the existence of the data subject’s rights in relation to the processing; and
    7. the right of the data subject to raise a complaint with the Ethics Office in relation to any processing.
  3. We will only obtain such personal data as is necessary and relevant to the purpose for which it was gathered, and will ensure that we have a lawful basis for any processing.
  4. For personal data to be processed lawfully, it must be processed on one of the legal grounds set out in the Data Protection Legislation. We will normally process personal data under the following legal grounds:
    1. where the processing is necessary for the performance of a contract between us and the data subject, such as an employment contract;
    2. where the processing is necessary to comply with a legal obligation that we are subject to;
    3. where the law otherwise allows us to process the personal data or we are carrying out a task in the public interest; and
    4. where none of the above apply then we will seek the consent of the data subject to the processing of their personal data.
  5. When Special Category personal data is being processed an additional legal ground must apply. We will normally only process special category personal data under the following legal grounds:
    1. where the processing is necessary for employment law purposes, for example in relation to sickness absence;
    2. where the processing is necessary for reasons of substantial public interest, for example for the purposes of equality of opportunity and treatment; and
    3. where none of the above apply then we will seek the consent of the data subject to the processing of their special category personal data (e.g., in relation to anti-doping).
  6. We will inform data subjects of the above matters by way of appropriate privacy notices provided when we collect the data or as soon as possible thereafter.
  7. If any data user is in doubt as to whether they can use any personal data for any purpose they must contact the CEO before doing so.

5. Vital Interests

There may be circumstances where it is necessary to process personal or special category personal data in order to protect the vital interests of a data subject. This might include medical emergencies where the data subject cannot give consent. We believe this will only occur in very specific and limited circumstances. We would usually seek to consult with the CEO in advance, although emergency situations may prevent this.

6. Consent

  1. Where none of the other bases for processing apply, the IPSF must seek the data subject’s consent before processing personal data.
  2. There are strict legal requirements in relation to the form of consent that must be obtained.
  3. Athletes, Coaches and Officials at International Events will be required to complete a consent form covering, among other things, anti-doping and image rights. Where appropriate third parties may also be required to complete a consent form.
  4. For participants under 18 years old we will seek their consent as well as that of a person with parental responsibility.
  5. Consent must:
    1. inform the data subject exactly what we intend to do with their personal data;
    2. require a positive opt-in (no opt-out); and
    3. explain how consent can be withdrawn.
  6. Consent must be freely given; we cannot make services conditional on consent.
  7. The CEO must always be consulted in relation to any consent form before consent is obtained.
  8. A record must always be kept of any consent, including how it was obtained and when.

7. Notifying Data Subjects

If we collect personal data directly from data subjects, we will inform them about our identity and contact details as Data Controller; the purposes and legal basis for processing; categories of third parties we may share with; transfers outside the EEA and safeguards; the retention period by reference to our Document & Data Retention Policy; the existence of any automated decision making and the right to object; and the rights to object or limit processing, request information or deletion, or lodge a complaint with the ICO. If we receive personal data from other sources, we will provide this information as soon as possible, including where we obtained the data.

8. Adequate, Relevant and Non-Excessive Processing

We will only collect personal data to the extent required for the specific purpose notified to the data subject, unless otherwise permitted by Data Protection Legislation.

9. Accurate Data

  1. We will ensure that personal data we hold is accurate and kept up to date.
  2. We will take reasonable steps to destroy or amend inaccurate or out-of-date data.
  3. Data subjects have a right to have inaccurate personal data rectified.

10. Timely Processing

We will not keep personal data longer than is necessary for its purpose. We will take reasonable steps to destroy or erase personal data that is no longer required. For the IPSF, data will be retained in line with our Document & Data Retention Policy.

11. Processing in Line with Data Subject's Rights

We will process all personal data in line with data subjects' rights, in particular their rights to:

  1. request access to any personal data we hold about them;
  2. object to the processing of their personal data, including direct marketing;
  3. have inaccurate or incomplete personal data rectified;
  4. restrict processing of their personal data;
  5. have personal data erased;
  6. have their personal data transferred; and
  7. object to automated decision-making.

12. The Right to Object

  1. In certain circumstances data subjects may object to us processing their personal data.
  2. This right may be exercised where processing is based on a legitimate interest or a statutory/public-interest task.
  3. An objection need not be complied with where the IPSF can demonstrate compelling legitimate grounds overriding the data subject’s rights.
  4. Such considerations are complex and must always be referred to the CEO upon receipt of the request.
  5. In respect of direct marketing any objection must be complied with.
  6. The IPSF is not obliged to comply where the personal data is required in relation to a claim or legal proceedings.

13. The Right to Rectification

  1. If a data subject informs the IPSF that personal data held about them is inaccurate or incomplete, we will consider the request and respond within one month.
  2. For complex issues we may extend the response by up to two months, informing the data subject within one month of the extension.
  3. If we determine that proposed changes should not be made, we will explain why and inform the data subject of their right to complain to the Ethics Office.

14. The Right to Restrict Processing

  1. Data subjects have a right to “block” or suppress processing. The IPSF may continue to hold the personal data but not do anything else with it.
  2. The IPSF must restrict processing:
    1. while considering a rectification request;
    2. while considering an objection to processing;
    3. where processing is unlawful and the data subject asks us not to delete the data; and
    4. where we no longer need the data but the data subject asks us to retain it for a legal claim.
  3. If the IPSF has shared the data with other organisations we will inform them of any restriction unless impossible or disproportionate.
  4. The CEO must be consulted on such requests.

15. The Right to be Forgotten

  1. Data subjects have a right to have personal data erased only where:
    1. the personal data is no longer necessary for the original purpose;
    2. the data subject withdraws consent (where consent was the basis for processing);
    3. the data subject objects and there is no overriding legitimate interest;
    4. processing is otherwise unlawful; or
    5. erasure is necessary to comply with a legal obligation.
  2. The IPSF is not required to comply where processing is necessary:
    1. to exercise freedom of expression or information;
    2. to comply with a legal obligation or perform a public-interest task;
    3. for public health purposes in the public interest;
    4. for archiving in the public interest, research or statistics; or
    5. in relation to a legal claim.
  3. If data was shared with others we will inform them of any erasure unless impossible or disproportionate.
  4. The CEO must be consulted on such requests.

16. Right to Data Portability

  1. In limited circumstances a data subject has a right to receive their personal data in a machine-readable format and to have this transferred to another organisation.
  2. Such requests must be referred to the CEO.

17. Data Security

  1. We will take appropriate security measures against unlawful/unauthorised processing and against accidental loss or damage.
  2. We will maintain security from collection to destruction.
  3. Security procedures include:
    1. Report any stranger seen in the IPSF Secretariat to the CEO.
    2. Secure lockable desks and cupboards for confidential information.
    3. Dispose of paper by shredding; physically destroy digital storage devices when no longer required; dispose of IT assets in line with ICO guidance.
    4. Ensure monitors do not show confidential information to passers-by and log off when unattended.
    5. Guidance for safe transportation of paper documents off site.
    6. Guidance for safe use of electronic devices off site.
    7. Collect documents from printers immediately; do not leave on photocopiers.
  4. Breaches of these security measures may result in disciplinary action.

18. Data Protection Impact Assessments

  1. The IPSF will consider and comply with Data Protection Legislation in all activities, in line with the principles of data protection by design and default.
  2. We will carry out detailed assessments of proposed processing, including use of new technologies posing high risk to data subjects.
  3. The CEO should be consulted as to whether a DPIA is required and how to undertake it.

19. Disclosure and Sharing of Personal Information

  1. We may share personal data about data subjects, without their consent, with other organisations.
  2. We will inform data subjects of any sharing unless not legally required (e.g., sharing with police during criminal investigations).

20. Data Processors

  1. We contract with various organisations providing services to the IPSF (e.g., database provider, payroll).
  2. To provide these services we may need to transfer personal data to such processors.
  3. Personal data will only be transferred where the processor agrees to comply with our procedures and policies, or has adequate measures to the IPSF’s satisfaction. Due diligence will be undertaken before any transfer.
  4. Contracts with processors will comply with Data Protection Legislation and include explicit obligations to ensure compliance and respect the rights of data subjects.

21. Images and Videos

  1. Participants and others attending IPSF events are allowed to take photographs for domestic purposes. The IPSF does not prohibit this as a matter of policy.
  2. The IPSF does not agree to such photographs or videos being used for other purposes, but acknowledges this is largely outside its ability to prevent.
  3. We may use images and videos in promotional materials or in the media to celebrate achievements. Consent will be sought from athletes, coaches and officials, and a parent/guardian where under 18.

22. Definitions

Term Definition
Data Information stored electronically, on a computer, or in certain paper-based filing systems.
Data Subjects All living individuals about whom we hold personal data (e.g., staff, IPSF Board, Committee and Panel Members, Judges and other individuals). All data subjects have legal rights in relation to their personal information.
Personal Data Any information relating to an identified or identifiable natural person, directly or indirectly, such as a name, identification number, location data, an online identifier or factors specific to the identity of that person.
Data Controllers People or organisations which determine the purposes for which, and how, any personal data is processed. We are the data controller of all personal data used in our business for our own purposes.
Data Users Members of our workforce (including staff, IPSF Board and volunteers) whose work involves processing personal data. They must protect the data they handle in accordance with this policy and any applicable data security procedures.
Data Processors Any person or organisation that is not a data user and processes personal data on our behalf and on our instructions.
Processing Any activity involving the use of data, including obtaining, recording, holding, collection, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction, and transfer to third parties.
Special Category Personal Data Information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sexual life, or genetic or biometric data.
Workforce Any individual employed by IPSF such as staff and those who volunteer in any capacity including IPSF Board, Committee and Panel Members, Judges and Judges Support Personnel.
We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.

Ok Decline
More information | Imprint