Legitimate Interest and Special Category Data

This covers our basis under GDPR for processing data and our justification with regard to special category data. The ICO page contains a lot of information relating to the legitimate interest lawful basis for processing.

In this document, "we" or "our" refers to Athlete Manager, "you" refers to you and your account and "group" and "club" can be used interchangeably to mean any organisation or charitable cause that is associated with Special Olympics GB.

Why is this justification appropriate?

This page uses quotes from the ICO page. A quote can be identified by the vertical grey bar next to it; the webpage it was taken from is linked below it.

Legitimate interest is our basis under Article 6 (Lawful Basis) of GDPR.

Explicit consent and vital interests are our basis under Article 9 (Special Category Data) of GDPR.

A Legitimate Interests Assessment (LIA) has been produced to demonstrate compliance.

Because some of the information that is held is sensitive, a Data Protection Impact Assessment (DPIA) has been produced.

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Legitimate Interests | ICO

We believe this is appropriate for several reasons.

  1. Most of the information that is processed will be supplied by the or, where appropriate, a guardian.
  2. The data that is collected is the same data that is required in the day-to-day administration and functioning of a group.
  3. The ultimate goal of the processing is to ensure that groups can run safely by having the most up-to-date and relevant information.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

Legitimate Interests | ICO

  1. The required information has to be processed for safeguarding purposes.
  2. The information that is collected by groups will be proportionate to its use. For example, to ensure that you have catered for everyone with an allergy, you must process information relating to allergies.
  3. There is no way of achieving the same result without the processing.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Legitimate Interests | ICO

  1. By using the service, groups agree to create only forms that are relevant to ensuring the smooth running of the group, and agree that they will not ask questions that are not needed.
  2. The information that will be collected is information that could be reasonably expected in the course of running a group.

It [legitimate interests] may be the most appropriate basis when:

When can we rely on legitimate interests? | ICO

  1. The processing of data on Athlete Manager is not required by law.
  2. As touched on previously, the processing on the system can be reasonably expected.
  3. It would be inappropriate to seek consent for every form or point of data that is kept. Data points may include, but are not limited to, DBS check information (but not any information relating to convictions), additional qualifications, gender, sex and date of birth.

The GDPR highlights certain purposes that either ‘constitute’ a legitimate interest or ‘should be regarded as’ a legitimate interest. These are: ...

When can we rely on legitimate interests? | ICO

  1. This justifies the collection of user actions along with associated IP addresses on the system.
  2. The login page that an individual would land on does not collect any information until the login button is pressed. This page also clearly states that logs will be kept.

The GDPR does not ban you from relying on legitimate interests as your lawful basis if you are processing children’s personal data.

When can we rely on legitimate interests? | ICO

  1. GDPR does not allow children under the age of 13 to sign up to systems. However, they can so long as they have consent from their guardian.
  2. The guardian of the child must provide consent before they are added to the system.
  3. Information is locked down based on access rights and restricted to the group the individual is part of, which limits its exposure.

You can still consider legitimate interests as your lawful basis for processing special category data, but even if it applies you also need a special category condition under Article 9.

When can we rely on legitimate interests? | ICO

  1. Whilst many things constitute special category data, health data is the special category that is relevant to Athlete Manager.
  2. For this, explicit consent and vital interests form the legal basis.
    1. Volunteers, guardians and more capable athletes will fill the forms out themselves for the administration of the group or for a specific event.
    2. For some athletes, their guardians can fill the forms out on their behalf on the basis of vital interest; not having information relating to certain conditions could, in itself, be dangerous.