sportscotland Supported Athlete Privacy Notice

Version 4, 04 February 2026

What is the purpose of this document?

sportscotland is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you, in accordance with UK Data Protection legislation. This Privacy Notice contains important information about how we collect, manage, use, and protect your personal information.

Please note that we have specific privacy notices for particular groups that engage with us.

sportscotland Institute of Sport (SIS) provides high performance expertise to sportscotland Supported Athletes (athletes selected by Scottish Governing Bodies (SGBs) and nominated to sportscotland to receive support and assistance from SIS) across Scotland and internationally. As part of this support, sportscotland processes and shares “Athlete Performance Data”, including special categories of personal data, in relation to the medical health, wellbeing and performance of the sportscotland Supported Athlete.

The Scottish Sports Council, trading as ‘sportscotland’ of Doges, Templeton on the Green, 62 Templeton Street, Glasgow, G40 1DA is the “controller” of the personal information that you provide to us and is registered as a data controller with the Information Commissioner’s Office, registration number Z7177835.

This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection legislation to notify you of the information contained in this privacy notice.

We may update this Privacy Notice from time to time. Please check this notice frequently to ensure you are aware of the most recent version and the date that it was last updated.

Our contact details

sportscotland Institute of Sport
Airthrey Road, Stirling, FK9 5PH
Tel: 01786 460 100

Deaf/BSL users can contact us using the Contact Scotland service

Web: sportscotland institute of sport 

Email: sportscotland.enquiries@sportscotland.org.uk

Data Protection Officer Contact Details:

Information Governance and Data Protection Officer
Doges,
Templeton on the Green,
62 Templeton Street
Glasgow,
G40 1DA
Email: DPO@sportscotland.org.uk

What type of information we have

We may collect and process the following information: -

• Personal identifiers including name, address, age, sex, email address, telephone number and date of birth;
• Assessment and consultation records;
• Athlete monitoring information;
• Performance information;
• Performance training/assessment information;
• Correspondence with you, including communications via emails, voicemails, and any other documented method you choose to correspond with us;
• Motion analysis/Video analysis data;
• Biomechanics measures such as coordination and force production measures related to distance, velocity and acceleration outputs during footfall and jump activities;
• Postural information such as joint range of motion and joint alignment measures;
• Recording of visual information including central vision measures;
• Medical information;
• Information relating to additional support needs;
• Nutritional information;
• Body composition, body weight and height data
• Photos and videos during events where such photos constitute personal data;
• Details of your visits to our websites including, but not limited to, traffic data, location data, weblogs, other communication data and the resources that you access (see the Cookies section below for more information on this); and
• CCTV: We use CCTV at some premises for safety and crime prevention. We do not record sound. Signage is displayed where CCTV operates. Images are retained for 30 days, unless a longer period is necessary for an incident investigation or legal proceedings, after which they are securely deleted. To exercise your data rights in relation to CCTV footage (including access), please use the contact details below; our Subject Access Request Policy.

Cookies

A “cookie” is a text file that is downloaded to the hard drive of your computer and is used to remember your preferences and sessions.

We use cookies on our websites to make our services work, improve their performance, and understand how people use them.

Some cookies are strictly necessary to provide a service you request (for example, to keep you signed in, remember your cookie choices, or maintain a shopping basket). These do not require your consent.

Other cookies are non-essential (for example, analytics and advertising). We will ask for your consent before setting these, unless a limited Data Usage and Access Act (DUAA) exemption applies. In line with the DUAA’s changes to Privacy and Electronic Communications Regulations (PECR), we may set certain low-risk statistical measurement cookies (used solely to produce aggregate statistics to improve our website) or appearance/preference cookies (e.g., language, theme) without consent, provided we give clear information and an easy way to object. Advertising/targeting and most analytics still require consent.

You can manage your choices at any time via our cookie banner, where you’ll find granular controls and the option to withdraw consent as easily as you gave it.

How We Collate Information

We collect information provided by you directly. 

We also collect information via Interdisciplinary Support Teams: -

Interdisciplinary support team means members of the sportscotland supported athletes’ support staff consisting of “Medical and Scientific Support Staff” and “Performance Management Staff”. The Inter-disciplinary Support Team is made up of sportscotland staff and non-sportscotland staff. This Privacy Notice applies to sportscotland staff and non-sportscotland staff, including all permitted sportscotland contract service providers; SGBs; National Governing Bodies (NGBs); your personal coaches; and other permitted individuals involved in your medical care and support.

Our Purposes for Processing Personal Data

When you are nominated by your SGB and receive support from sportscotland as a sportscotland Supported Athlete, we will process your Athlete Performance Data during the course of your support to provide you with athlete support services as set out in the Athlete Agreement terms and conditions. 

This information will be used by us for the purposes of managing and protecting your wellbeing and to increase the probability of improving your sporting performance.

We may also use your Athlete Performance Data in connection with sportscotland’s performance of its public tasks to:

• Promote and encourage participation in sport by sharing performance data to inspire others, which we use for promotional, education and development purposes;
• Invite you to participate in surveys for research, development, and knowledge management purposes to better understand the components for sporting success;
• Deliver research outputs; and
• Inform our general understanding of High-Performance service requirements.

We are under a legal obligation to process certain personal information relating to our sportscotland Supported Athletes for the purposes of complying with our obligations under: -

• Children and Young People’s Act 2014 to the extent data needs to be shared;
• Anti-Doping Rules UK, to the extent information is required to be transferred;
• The Equality Act 2010;
• Any common law medical duties applicable to our medical practitioners; and
• Any other applicable legal requirements which may become relevant to the work of sportscotland both now and in the future.

Scientific research

We may use personal information for scientific research (including commercial research) where the law allows. In some cases, individuals can give broad consent to an area of research. Where providing individual privacy notices would involve a disproportionate effort, we may publish the relevant privacy information on our website and implement additional safeguards (e.g., pseudonymisation, strict access controls, ethics review, DPIAs) to protect individuals’ rights.

We may ask you if we can process your personal information for additional purposes. Where we do so, we will provide you with an additional privacy notice with information on how we will use your information for these additional purposes.

Who we may share your information with

Athlete Performance Data is shared across Inter-disciplinary Support Teams. Inter-disciplinary Support Teams must make sure that anyone they disclose personal information to understands that they are giving it to them in confidence, which they must respect. Anyone receiving personal information in order to provide medical care or support is bound by a legal duty of confidence and Data Protection legislation whether or not they have contractual or professional obligations to protect confidentiality.

Medical and scientific support means members of the sportscotland supported athletes’ support staff who are bound by Data Protections Laws and professional codes of conduct with regard to confidentiality including: Sports Doctors; Physiotherapists; Performance Physiologists; Performance Nutritionists; Performance Lifestyle practitioners; Physical Preparation practitioners; Performance Psychologists; Clinical Psychologists; Skill Acquisition practitioners; Performance Analysts; Counsellors; and Massage Therapists. 

Please note that this is not an exhaustive list and therefore other staff could fall within this category.

Performance Management staff means members of the sportscotland supported athlete’s support staff who are bound by Data Protections Law, but not professional codes of conduct with regard to confidentiality. These include the Performance Director; Coaches; High Performance Managers; Regional Performance Managers and sportscotland administrative staff responsible for processing sportscotland supported athlete data e.g. input of athlete data into sportscotland databases.

We may also share your information with: -

Sport’s Governing Bodies (SGBs); National Governing Bodies (NGBs); British Olympic Association (BOA); British Paralympic Association (BPA), Commonwealth Games Scotland (CGS), UK Sport and the home country Institutes of Sport (EIS, WIS, SINI). 

We may also share your information with our British and Scottish partners including Local Authorities, and Higher & Further Education as the sportscotland Institute of Sport strives to build a world class high-performance system within Scotland.

All individuals and organisations must adhere to Data Protection legislation when processing any and all personal identifiable information.

We are required to share personal information with statutory or regulatory authorities and organisations to comply with statutory obligations including compliance with certain conditions imposed by the Scottish Government. Such organisations include HMRC, the Health & Safety Executive, Equalities and Human Rights Commission (for purposes of equality monitoring if requested, such information being provided in an anonymised form) and Police Scotland for any statutory purposes.

We are also required to share personal information relating to athletes' health in order to undertake activities to eliminate doping, at a sporting event, within your sport generally, or to provide information about doping, or suspected doping, to UK Anti-Doping or another body with responsibility for eliminating doping in sport.

We may also share personal information with our professional and legal advisors for the purposes of taking advice and to establish, defend or exercise legal claims.

If your personal information is included in any images or videos taken by us at our competitions, events, or training sessions, we may share this with your SGB, Team Scotland or Team GB / Paralympics GB. In addition, we will use this content across sportscotland owned channels and outputs, such as social media and publications. 

sportscotland employs third party suppliers to provide services, including IT, third party software suppliers for managing athlete data, SGBs, contractors for training or specific pieces of work, university students and staff assisting with studies in respect of athlete performance through related data enquiry etc. These suppliers may process personal information on our behalf as “processors” and are subject to written contractual conditions to only process that personal information under our instructions and protect it.

In the event that we do share personal information with external third parties, we will only share such minimum personal information strictly required for the specific purposes and take reasonable steps to ensure that recipients shall only process the disclosed personal information in accordance with those purposes.

We will also share your information with the Emergency Services in the event of an injury or incident.

How we store and protect your information

Security measures in place within sportscotland include physical security measures; strong passwords; password lock out policy; managed permissions; two factor authentication; encryption; antivirus software; anti-malware software; data loss prevention software; secure email gateway; software patch management and appropriate data backup arrangements.

Core systems are only accessible by sportscotland staff and a small number of contracts for service practitioners.

Where sportscotland retains your personal information in one of our own data centres, all data will be stored on UK based servers. Where sportscotland utilises cloud-based storage, your personal information may be stored out with the UK within European Union country data centres, in which case sportscotland will ensure adequate security measures are in place to protect your personal information.

International Data Transfers:

In certain circumstances we may be required to transfer Athlete Performance Data out with the UK and/or the EU for the purposes of entering athletes into competitions, booking travel arrangements for training camps, and other related activities.

If we transfer personal information outside the UK, we do so in line with the UK General Data Protection Regulations, Data Protection Act 2018 and the Data Usage and Access Act. This means we only transfer data to countries or organisations where the level of protection for personal information is not materially lower than that required under UK law.

Your personal information may also be stored on third party, cloud-based solutions. Where this is the case, sportscotland will ensure that that third party complies with data protection legislation when processing your personal information.

Use of AI Tools: We use certain AI-enabled tools to support administration (e.g., drafting and summarising) and do not use AI to make decisions about individuals. Where AI tools may process personal information, we complete Data Protection Impact Assessments (DPIAs), apply appropriate safeguards, and follow our AI Policy. We will be transparent where AI is used and ensure human oversight.

Retention Periods

We retain personal information only for as long as necessary for the purposes described above, and in line with the sportscotland retention and destruction policy contained within the sportscotland Records Management Plan, which is a legal requirement under the Public Records Scotland Act (2011) You can download this at: sportscotland Records Management Plan

Where athletes continue to receive SIS support post contract, the retention period of information processed will initiate when the post support has ended. 

Legal Basis for processing your personal data

We will only collect and process personal information where we have a legal basis for doing so under Data Protection legislation. The legal basis may differ depending on the purpose for processing your data.

Data Type: Name, address, email, phone
Purpose of Processing: Account creation, service provision
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b))

Data Type: Date of birth, gender, age
Purpose of Processing: Eligibility checks, reporting, equality monitoring
Lawful Basis (GDPR/DUAA): Legal obligation (Art. 6(1)(c)); Public interest (Art. 6(1)(e))

Data Type: Payment details (bank, NI number)
Purpose of Processing: Payment for services, payroll
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))

Data Type: Medical & accessibility info
Purpose of Processing: Course provision, accommodation, health & safety
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a), Art. 9(2)(a)); Public interest (Art. 9(2)(g))

Data Type: Photos/videos (events)
Purpose of Processing: Promotion, media, publications
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a))

Data Type: Website usage data (cookies)
Purpose of Processing: Analytics (audience measurement), site improvement, preferences, advertising
Lawful Basis (GDPR/DUAA): Strictly necessary cookies: not consented; necessary for a service you request. Statistical measurement / appearance cookies: in limited cases may be set without consent under DUAA’s PECR exemptions, with clear info and an easy opt-out. Advertising/targeting cookies: Consent (Art. 6(1)(a))

Data Type: Coaching app data
Purpose of Processing: Tailored notifications, programme administration
Lawful Basis (GDPR/DUAA): Consent (Art. 6(1)(a)); Contract (Art. 6(1)(b))

Data Type: CCTV images
Purpose of Processing: Security, crime prevention
Lawful Basis (GDPR/DUAA): Public interest (Art. 6(1)(e)); Legitimate interests (Art. 6(1)(f))

Data Type: Correspondence (email, social)
Purpose of Processing: Responding to queries, customer service
Lawful Basis (GDPR/DUAA): Legitimate interests (Art. 6(1)(f)); Consent (Art. 6(1)(a))

Data Type: eLearning data
Purpose of Processing: Certification, progress tracking
Lawful Basis (GDPR/DUAA): Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a))

Data Type: Scientific research data
Purpose of Processing: Research, statistical analysis
Lawful Basis (GDPR/DUAA): Public interest (Art. 6(1)(e)); Research exemption (DUAA)

When relying on GDPR Article 9 (g) above we need to also rely on conditions within DPA 2018. The conditions sportscotland rely upon are: - Part 2, 27 and 28: -

• 27. Anti-doping in sport

This condition is met if the processing is necessary—for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or for the purposes of providing information about doping, or suspected doping, to such a body or association.

The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.

If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

• 28. Standards of behaviour in sport

(1) This condition is met if the processing—

(a) is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,

(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c) is necessary for reasons of substantial public interest.

(2) In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—

(a)dishonesty, malpractice, or other seriously improper conduct, or

(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.

Your data protection rights

Under data protection law, you have rights including:

Your right of access: You have the right to ask us for copies of your personal information.

Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing: You have the right to object to the processing of your personal data in certain circumstances.

Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

Automated Decision Making: sportscotland does not use automated decision-making processes to make decisions about individuals. All decisions involving your personal information are made by our staff.

Your right to withdraw consent: If we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before your withdrawal.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please note the lawful basis used for processing your personal information can also affect which rights are available to you as there may be exemptions. Our Data Protection Officer will advise on any exemptions on request.

How to make a request

You can exercise your data protection rights using the Data Protection Officer contact details below. Further information can be found in our Subject Access Request Policy. We may ask you to confirm your identity or clarify your request. Where clarification or ID is reasonably required, we will pause (“stop the clock”) until the information is provided. We will conduct reasonable and proportionate searches across our systems when responding.

How to complain

If you have any concerns or complaints about this privacy notice or how we handle your personal data, please contact our Data Protection Officer (DPO) in the first instance:

Information Governance and Data Protection Officer

sportscotland, Doges
Templeton on the Green
62 Templeton Street
Glasgow
G401DA
Email: DPO@sportscotland.org.uk

We will aim to acknowledge your complaint within five working days of receiving it. 

We will investigate your complaint thoroughly and may contact you for further information or clarification if needed. We aim to provide a full response within one month. If your complaint is complex or requires more time, we will keep you informed of progress and let you know if we need additional time.

If you are not satisfied with our response, you have the right to contact the Information Commissioner’s Office (ICO) to raise your concerns. Their contact details are noted below:

The Information Commissioner’s Office – Scotland
Queen Elizabeth House
Sibbald Walk
Edinburgh
EH8 8FT

Telephone: 0303 123 1115 Email: Scotland@ico.org.uk