Legitimate Interests Assessment (LIA)

This covers our lawful basis for processing data. Our basis is "legitimate interests".

In this document, "we" or "our" refers to Athlete Manager, "you" refers to you and your account and "group" and "club" can be used interchangeably to mean any organisation or charitable cause that is associated with Special Olympics GB.

This document is based on the LIA template provided by the ICO.

Part 1: Purpose Test

  1. I want to process the data to allow groups to better use their data and improve data security by removing the data management burden from groups.
  2. As a result of processing, I expect groups to make better use of the data that they require. For example, by quickly being able to identify individuals who gave a specific form answer. Additionally, data points such as DBS checks can be carried through to other relevant tasks to aid safeguarding - for example, by highlighting DBS checks that are more than three years old or individuals with no DBS check.
  3. At present, no third parties will benefit from the processing of the data. There is scope to allow aggregated and anonymised information to be used in decision making and to aid meetings - for example, by identifying gender splits in certain sports or by automatically producing a list of all events in a particular region for the regional committee.
  4. There are no wider public benefits to the processing.
  5. The benefits from the system are incredibly important. The time savings to individuals will be immense; it also reduces the risk of oversight compared to manually checking forms. It also ensures that data is managed properly as the burden of data management is not left to individual groups for implementation.
  6. Without the processing, groups would have to continue as they do today with a fragmented approach. The groups individually would be unlikely to reach the level of compliance that is required under the GDPR and DPA 2018. For example, when a phone number is changed and a spreadsheet is updated under the current system for most groups, the change is unlikely to be recorded in every version held by those that require and hold individual copies of the data.
  7. The system has been built with monitoring and security baked in; security was not an afterthought. This makes detection of abuse possible along with the ability to identify any breaches.
  8. The data is not misused and the data that is provided is not sold on. I feel like there is little chance of someone being surprised with how their data is processed as it replicates what most groups currently do by hand.

Part 2: Necessity Test

  1. Processing will help achieve the purpose of making data management easier for groups and improving data compliance. For example, the data that is provided by users can be set to expire after a certain period. This data would require resubmission after checking the information in it is still correct. Without this, data may contain errors that go unnoticed.
  2. The processing that is done is not excessive. Some provided information can be queried but this is appropriate to the requirement of being able to identify those who provided specific information.
  3. The same result could not be achieved by less intrusive means. The data that is collected is the bare minimum required by groups; as outlined in the terms and conditions for using Athlete Manager, groups cannot request excessive amounts of data. Athlete Manager will likely enable most groups to get more from their data than they currently do, but this is down to having the data be searchable and stored properly rather than it being otherwise impossible for groups.

Part 3: Balancing Test

  1. Some of the information that groups will store is likely to be special category data.
  2. Some of the data that will be processed may be considered private. The specific questions will depend on the needs of the groups but the questions will be strictly related to the group or event that the individual will be attending. Whilst private, the data is important to hold so the best support can be provided for those that require it.
  3. Some of the data held on the system will relate to children under the age of thirteen and a reasonable proportion of the data will relate to people that could be considered vulnerable. This information will be provided by their guardians who will give consent.
  4. The data that is held will be relevant to those within sporting groups as well as those that support those groups.
  5. I have a personal link to the cause as I am involved in a Special Olympics group but I will not have an existing relationship with all the individuals that will use the system.
  6. My relationship with Special Olympics is as a volunteer - in the past, data has been used to ensure that the correct medication can be given when required as well as to meet other safeguarding requirements, such as having emergency contact details.
  7. Any information that has been collected has come straight from the guardians of an athlete or, in some cases, the athlete themselves. Other information relating directly to volunteers came from the volunteers themselves. In some cases, support is given to help individuals enter the data online. Before being given credentials to the system, individuals are told that their data will be stored and processed online in a way that complies with GDPR and the DPA.
  8. Those that use the system understand why the data is processed. Individuals are always given the chance to ask someone questions if they are unsure about something.
  9. The system is innovative in the sense that it is new for the organisation as a whole; however, the technology and principles behind it are mature and pose little risk.
  10. For the system, no evidence about expectations will be used.
  11. Those that use the system are likely to have previous exposure to the sort of data that is required by groups; therefore, the sort of data that is requested through Athlete Manager is unlikely to come as a surprise. The processing is transparent and the purpose would be clear. No data is sold on.
  12. The impacts on individuals as a result of processing their data would likely be minimal. It is data that is already held by most groups and there would be an expectation that the group is using that data.
  13. Individuals will be free to correct the information that is held about them. If the individual is also a guardian, they will have access to the information about their athletes on the system. The user will almost always be able to see all the information held about them or their athlete, making it transparent and keeping them in control.
  14. The likelihood of any impact is low and the severity would also likely be low. Whilst the data may pertain to health information, the questions are likely to be generic in nature.
  15. The chance of some people objecting is low. There is a demonstrable benefit to keeping the data stored online in Athlete Manager when compared to groups managing it themselves. For example, audit logs make it possible to attribute actions of individuals that would not otherwise be possible.
  16. I would be comfortable explaining the processing to individuals as it is a transparent process.
  17. Safeguards have been adopted to minimise impact. Access rights govern who can do what on the system. By default, any new accounts have the lowest rights. These can be increased as needed to ensure only those with a valid need to know can access the data.
  18. The individuals would not be able to opt-out as the processing is part of the system that their group would be using and it is this processing that ensures safeguarding requirements can be met.

Making The Decision

  1. Legitimate interests can be relied on as a justification for processing.
  2. The data that is held is for the general administration of the group and to enable safeguarding to be carried out effectively. The processing is transparent, the groups remain in control of what data they request and the individuals can control the answers that are provided. The data that is requested should be no more intrusive than what groups currently ask for but, as it will be stored electronically rather than on paper, it can be queried so the most useful information can be found more quickly. This is all in the interest of the individual and to answer key questions such as "who has allergies?", which ultimately need an accurate and quick answer. Below every form is a sentence guiding individuals to report concerns about forms that do not seem appropriate.