This covers how your data is used along with what we will, and what we wont, do with it.
In this document, "we" or "our" refers to Athlete Manager, "you" refers to you and your account and "group" and "club" can be used interchangeably to mean any organisation or charitable cause that is associated with Special Olympics GB.
Interactions with Athlete Manager
- Upon Login or Failed Login
- Your IP address will be recorded.
- A fingerprint of your browser will be taken.
- Interacting with the API
- Each interaction with the API is logged.
- The date, time, origin IP, endpoint, result (success, fail, other) will be recorded.
- We may will store a finger print of your device.
- We reserve the right to publicly share details of any misuse that we identify that does not comply with the white hat policy - this includs IP addresses, geolocation, time stamp and any other relevant details.
- All logs may be kept for up to one year with the exception of API logs which may be kept for up to five years.
- Upon Login
- Cookies will be set for the duration of the session.
- An additional cookie will be set if you select 'Remember Me'.
- Upon returning to the website, you will be logged back in automatically so long has the cookie has not expired or been remotely frozen or deleted.
- If you select to logout when you have previously selected 'Remember Me', you will be logged out but will only be required to enter your password when you return. This will also display the first letter of your email and the domain.
- Social Cookies
- No social cookies or social media plugins will be used.
Information and Data
- Sensitive data on the system is encrypted.
- Sensitive data is defined is defined by us as any data that would lead to distress or discomfort to an individual if disclosed.
- Sensitive data may fall under Special Category Data under GDPR; in the case of Athlete Manager this is because some data is likely to be relevant to health.
- Our condition for processing special category data is legitimate interest.
- The legitimate interest of processing it to enable the day to day functioning of clubs whilst ensuring that the relevant information to protect individuals can be collected, stored and used appropriately.
- Some information, such as information relating to disabilities, is required so groups can be sure they have the complete picture when it comes to those involved in their group.
- Some medical questions are required, this ensures that the individual can be protected and that the most up to date information is held.
- For example, information about allergies would need to be collected so mitigations can be put in place for the individual.
- Under our terms and conditions, groups cannot create forms that are excessive. It is unlikely a group would collect excessive data as it would not benefit the group in any way.
- You will not try to access the data of others except for Whitehat testing. Even so, explicit access to sensitive data is forbidden
- Your information can be accessed by groups you are part of as long as they have a reasonable need to access the information. For example, if you are a volunteer at a club they will be able to see your contact details**.
- You can read our Data Protection Impact Assessment.
- We don't share data with other companies with the exception of Twilio for SMS purposes and Stripe for payment purposes.
- We don't allow social plugins on Athlete Manager.
- You accept that aggregated data about regions is available to regional level volunteers and national level volunteers.
- You accept that aggregated data about groups may be made available to regional and national level volunteers.
- Personal contact details will never be shared widely unless an individual is the public point of contact for a group or region and has chosen to share that information.
- We will never share your email address or phone number. If this changes, it will be an explicit opt-in process for others to view your contact details.
- Your data is automatically deleted when your account with a club is closed.
- Deleted files may take 24 hours to be removed from the system.
- Athlete Manager does not take responsibility for the content of external sites.
- All communication with Athlete Manager will use HTTPS.
- Individuals are responsible for ensuring that their devices are virus free.
- Individuals should use the Two Factor Authentication feature that is provided.
- We will retain logs of interactions with the API as well as with connections made to the servers.
- This information will be analysed to identify suspicious activity.
- 'Machine Learning' may be used to identify trends in the data.
- We will use access rights in order to protect access to the more sensitive functions and data on Athlete Manager.
Athlete Manager Data Access
- Athlete Manager reserves the right to access the data of clubs in order to provide support.
- Athlete Manager reserves the right to access the data of individuals in order to provide support.
- Groups can create their own forms for use within the group or for events.
- The forms must be marked sensitive if they are sensitive.
- Volunteers, and those with access to the forms, must not disclose the data within the forms to those without a valid 'need-to-know'.
- The data within forms can be queried to return only those who gave a specific answer to a question.
- The data from any forms that were filled out is deleted if that individual is removed from the group.
- If you feel like a form is too broad or not appropriate, you can report it - you'll be kept anonymous.
System Location, Backups & Breaches
- We will use computers hosted in Europe.
- Backups will be taken at least once a day.
- Backups may be encrypted and uploaded to the cloud.
- Backups may be kept on a USB so long as the USB is encrypted.
- Data breach
- We will restore from a known clean backup.
- We will never pay a ransom.
- We may contact government agencies, such as the NCSC and ICO, for assistance.
- You will be notified as soon as possible about a breach.