What do you need to remember when processing personal data?
Personal data must always be processed with care. You need to take principles such as the minimisation of data and security of processing, as well as rules governing the disclosure of data, into account when processing personal data
In data protection legislation, the principle of data minimisation means that the controller may not process unnecessary personal data. As a coach, you may not process unnecessary personal data either. The controller is only allowed to process data necessary for a specific purpose.
- For example, if a club asks for information on a member’s illnesses and allergies so that it can take them into account in the activity, it should not ask for the member’s complete health information, but only the information relevant to the hobby. Necessary data could include information on food allergies if the club sometimes provides packed lunches, for example.
- Some data are necessary for hobby activities and can thus be collected. Obviously, the hobby organiser needs to know the name and contact details of the participating child or young person, or at least those of their parents, so that it can communicate with the participants.
You must also remember that personal data may not be disclosed to third parties. As a rule, the players in a sports team do not have the right to access their team mates’ personal data, such as their contact details or health information. Nor do all employees or volunteers working for the controller, such as the club, necessarily have the right to process the children’s information.
Personal data must be stored securely so that it does not end up in outside hands. This could mean a secure information system or, for example, keeping papers containing personal data in a locked space that outsiders cannot access. People organising hobby activities should always consider whether it is necessary to carry a list of club members and their personal data with you, for example.
- A child or young person or their parent can sometimes give coaches information on the child’s health even if not asked, such as sending a text message if the child is ill and cannot come to practice. Even though the child or parent has disclosed this information to you on their own initiative, you must still remember that you have been sent special categories of personal data that must be processed with special care. If the information was sent in a text message or email, for example, you must make sure that outsiders cannot access your phone or any messages that they are not authorised to read. Also make sure to delete such messages when their processing is no longer necessary.
When processing data, you need to take into account the potential consequences to the children or young people if their personal data end up in unauthorised hands. A child or young person may not want other children and adults to know all their personal data. The careless processing of personal data can have a variety of negative consequences, such as:
- the spread of the data to more and more people, for example on social media;
- bullying;
- reputation damage;
- identity theft; and
- financial losses to the child or young person or their parents.
As the controller, the hobby organiser has the primary responsibility for ensuring that you know how to process personal data with care as a coach or instructor. The controller should have instructions on where and how the participants’ data is stored and which coaches or instructors are permitted to process it. When working as a coach or instructor, you need to follow the club’s instructions on the processing of personal data.
More detailed information on the requirements for processing is available in the guide for the board of the associaton.