Version 3 15th April 2021
What is the purpose of this document?
sportscotland is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal data about you, in accordance with Data Protection legislation. This Privacy Notice contains important information about how we collect, manage, use, and protect your personal data.
sportscotland Institute of Sport (SIS) provides high performance expertise to sportscotland Supported Athletes (athletes selected by Scottish Governing Bodies (SGBs) and nominated to sportscotland to receive support and assistance from SIS) across Scotland and internationally. As part of this support, sportscotland processes and shares “Athlete Performance Data”, including special categories of personal data, in relation to the medical health, wellbeing and performance of the sportscotland Supported Athlete.
The Scottish Sports Council, trading as ‘sportscotland’ of Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA is the “controller” of the personal information that you provide to us and is registered as a data controller with the Information Commissioner’s Office, registration number Z7177835.
This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection legislation to notify you of the information contained in this privacy notice.
We may change this Privacy Notice from time to time. Please check this policy frequently to ensure you are aware of the most recent version and the date that it was last updated.
Our contact details
sportscotland Institute of Sport
Airthrey Road | Stirling | FK9 5PH
Tel: 01786 460 100
Deaf/BSL users can contact us using the Contact Scotland service
Web: https://sportscotland.org.uk/performance/
Data Protection Officer Contact Details:
Information Governance and Data Protection Officer
Doges | Templeton on the Green | 62 Templeton Street | Glasgow | G40 1DA
Email: DPO@sportscotland.org.uk
What type of information we have
We collect and process the following information: -
- Personal identifiers including name, address, age, sex, email address, telephone number and date of birth;
- Assessment and consultation records;
- Photography;
- Athlete monitoring information;
- Performance training/assessment information;
- Correspondence with you, including communications via emails, voicemails, and any other documented method you choose to correspond with us e.g. social networking platforms such as WhatsApp;
- Motion analysis/Video analysis;
- Medical information;
- Information relating to additional support needs;
- Nutritional information;
- Photos and videos during events where such photos constitute personal data;
- Details of your visits to our website including, but not limited to, traffic data, location data, weblogs, other communication data and the resources that you access; and
- CCTV Footage;
How We Collate Information
We collect information provided by you directly.
We also collect information via Interdisciplinary Support Teams: -
Interdisciplinary Support Team means members of the sportscotland Supported Athletes’ support staff consisting of “Medical and Scientific Support Staff” and “Performance Management Staff”. The Inter-disciplinary Support Team is made up of sportscotland staff and non-sportscotland staff. This Privacy Notice applies to sportscotland staff and non-sportscotland staff, including: all permitted sportscotland contract service providers; SGBs; British Governing Bodies (NGBs); your personal coaches; and other permitted individuals involved in your medical care and support.
Our Purposes for Processing Personal Data
When you are nominated by your SGB and receive support from sportscotland as a sportscotland Supported Athlete, we will process your Athlete Performance Data during the course of your support to provide you with athlete support services as set out in the Athlete Agreement terms and conditions.
This information will be used by us for the purposes of managing and protecting your wellbeing and to increase the probability of improving your sporting performance.
We may also use your Athlete Performance Data in connection with sportscotland’s performance of its public tasks to:
- Promote and encourage participation in sport by sharing performance data to inspire others, which we use for promotional, education and development purposes;
- Invite you to participate in surveys for research, development, and knowledge management purposes to better understand the components for sporting success;
- Deliver research outputs; and
- Inform our general understanding of High-Performance service requirements.
We are under a legal obligation to process certain personal information relating to our sportscotland Supported Athletes for the purposes of complying with our obligations under: -
- Children and Young People’s Act 2014 to the extent data needs to be shared;
- Anti-Doping Rules UK, to the extent information is required to be transferred;
- The Equality Act 2010;
- Any common law medical duties applicable to our medical practitioners; and
- Any other applicable legal requirements which may become relevant to the work of sportscotland both now and in the future.
We may ask you if we can process your personal information for additional purposes. Where we do so, we will provide you with an additional privacy notice with information on how we will use your information for these additional purposes.
Who we may share your information with
Athlete Performance Data is shared across Inter-disciplinary Support Teams. Inter-disciplinary Support Teams must make sure that anyone they disclose personal information to understands that they are giving it to them in confidence, which they must respect. Anyone receiving personal information in order to provide medical care or support is bound by a legal duty of confidence and Data Protection legislation whether or not they have contractual or professional obligations to protect confidentiality.
Medical and Scientific Support Staff means members of the sportscotland Supported Athletes’ support staff who are bound by Data Protections Laws and professional codes of conduct with regard to confidentiality including: Sports Doctors; Physiotherapists; Performance Physiologists; Performance Nutritionists; Performance Lifestyle practitioners; Physical Preparation practitioners; Performance Psychologists; Clinical Psychologists; Skill Acquisition practitioners; Performance Analysts; Counsellors; and Massage Therapists.
Please note that this is not an exhaustive list and therefore other staff could fall within this category.
Performance Management Staff means members of the sportscotland Supported Athlete’s support staff who are bound by Data Protections Law but not professional codes of conduct with regard to confidentiality. These include: Performance Director; Coaches; High Performance Managers; Regional Performance Managers and sportscotland administrative staff responsible for processing sportscotland Supported Athlete data for example, input of athlete data into sportscotland databases.
We may also share your information with: -
Sport’s Governing Bodies (SGBs); National Governing Bodies (NGBs); British Olympic Association (BOA); British Paralympic Association (BPA), Commonwealth Games Scotland (CGS), UK Sport and the home country Institutes of Sport (EIS, WIS, SINI).
Please note that this is not an exhaustive list and other staff could fall within this category.
All individuals and organisations must adhere to Data Protection legislation when processing any and all personal identifiable information.
We are required to share personal information with statutory or regulatory authorities and organisations to comply with statutory obligations including compliance with certain conditions imposed by the Scottish Government. Such organisations include HMRC, the Health & Safety Executive, Equalities and Human Rights Commission (for purposes of equality monitoring if requested, such information being provided in an anonymised form) and Police Scotland for any statutory purposes.
We are also required to share personal information relating to athletes' health in order to undertake activities to eliminate doping, at a sporting event, within your sport generally, or to provide information about doping, or suspected doping, to UK Anti-Doping or another body with responsibility for eliminating doping in sport.
We may also share personal information with our professional and legal advisors for the purposes of taking advice and to establish, defend or exercise legal claims.
If your personal information is included in any images or videos taken by us at our competitions, events, or training sessions, we may share this with your SGB, Team Scotland or Team GB / Paralympics GB. In addition, we will use this content across sportscotland owned channels and outputs, such as social media and publications.
sportscotland employs third party suppliers to provide services, including IT, third party software suppliers for managing athlete data, SGBs, contractors for training or specific pieces of work, university students and staff assisting with studies in respect of athlete performance through related data enquiry etc. These suppliers may process personal information on our behalf as “processors” and are subject to written contractual conditions to only process that personal information under our instructions and protect it.
In the event that we do share personal information with external third parties, we will only share such minimum personal information strictly required for the specific purposes and take reasonable steps to ensure that recipients shall only process the disclosed personal information in accordance with those purposes.
We will also share your information with the Emergency Services in the event of an injury or incident.
How we store and protect your information
Where sportscotland retains your personal information in one of our own data centres, all data will be stored on UK based servers. Where sportscotland utilises cloud-based storage, your personal information may be stored out with the UK within European Union country data centres, in which case sportscotland will ensure adequate security measures are in place to protect your personal information.
Your personal information may also be stored on third party, cloud-based solutions. Where this is the case, sportscotland will ensure that that third party complies with the Data Protection legislation when processing your personal information.
Core systems are only accessible by sportscotland staff, non-sportscotland staff who are responsible for processing and accessing Athlete Performance Data and a small number of contracts for service practitioners.
Security measures in place within sportscotland’s data centres include physical security measures; strong passwords; password lock out policy; managed permissions; two factor authentications; encryption; antivirus software; anti-malware software; data loss prevention software; secure email gateway; software patch management and appropriate data backup arrangements.
In certain circumstances we may be required to transfer Athlete Performance Data out with the UK and/or the EU for the purposes of entering athletes into competitions, booking travel arrangements for training camps, and other related activities.
Where your personal information is transferred out with the UK, we will provide you with information regarding the safeguards that we have put in place with the recipient country to protect your personal information.
Please be aware that data transmission received by service users over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
We retain all personal information in line with the sportscotland retention and destruction policy contained within the sportscotland Records management Plan which is a legal requirement under the Public Records Scotland Act (2011) You can access this at: -sportscotland Records Management Plan
Legal Basis for processing
We will only collect and process personal information where we have a legal basis for doing so under Data Protection legislation.
The legal basis may differ depending on the purpose for processing your data.
The legal basis used by sportscotland for the processing of supported athlete personal information are:
GDPR Article 6 (1)
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes; or
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legal Basis for processing Special Category Personal Data
The processing of Special Category Data is prohibited under Article 9 (1) of the General Data Protection Regulation.
Special Categories of Personal data is information that contains any of the following: -
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- data concerning health (e.g. physical or mental health);
- sex life or sexual orientation;
- genetic data;
This means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained, and;
- biometric data.
This means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (fingerprints).
However, there are exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’. The condition used by sportscotland to process athlete special category information is: -
Article 9 (g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safe guard the fundamental rights and the interests of the data subject.
When relying on GDPR Article 9 (g) above we need to also rely on conditions within DPA 2018. The conditions sportscotland rely upon are: - Part 2, 27 and 28: -
- Anti-doping in sport
This condition is met if the processing is necessary—
for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
for the purposes of providing information about doping, or suspected doping, to such a body or association.
The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
- Standards of behaviour in sport
(1) This condition is met if the processing—
(a) is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c) is necessary for reasons of substantial public interest.
(2) In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
(a)dishonesty, malpractice, or other seriously improper conduct, or
(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.
We may also rely on Article 9 (h): -
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Consent
In circumstances where you have given us consent to process your information, such as consenting to us using your images on our websites, you have the right to withdraw this consent at any time.
You can do this by contacting our Data Protection Officer via the contact details above.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please note the lawful basis used for processing your personal information can also affect which rights are available to you as there may be exemptions. Our Data Protection Officer will advise on any exemptions on request.
Please contact us at DPO@sportscotland.org.uk, sportscotland, Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA if you wish to make a request.
How to complain
If you have any queries or concerns regarding this Privacy Notice or how your personal information is processed, please contact the sportscotland Data Protection Officer in the first instance:
Information Governance and Data Protection Officer
sportscotland, Doges
Templeton on the Green
62 Templeton Street
Glasgow
G401DA
Email: DPO@sportscotland.org.uk
Please note you have the right to contact the Information Commissioner’s Office if you are unhappy with how your enquiry has been dealt with. Their contact details are noted below:
The Information Commissioner’s Office – Scotland
Queen Elizabeth House
Sibbald Walk
Edinburgh
EH8 8FT
Telephone: 0303 123 1115
Email: Scotland@ico.org.uk