Data Protection Act requirements: Quick Guide

Each country has different laws regarding where you can store your data and how you handle your athletes' and coaches' personal information. At all times you need to be mindful of complying with ALL data protection laws in your country. The following is a quick guide to some of the steps you can take to ensure you comply with these.

1. Firstly look at whether your country has data protection laws

The following are just some of the pieces of legislation designed to protect your data and your athletes'/users' data:

UK - Data Protection Act 1998

http://www.ico.gov.uk/for_organisations/data_protection.aspx

Canada - PIPEDA

http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html

EU - Data Protection Directive (95/46/EC)

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Switzerland

While Switzerland is not a member of the European Union (EU) or of the European Economic Area, it has partially implemented the EU Directive on the protection of personal data in 2006 by acceding to the STE 108 agreement of the Council of Europe and a corresponding amendment of the Federal Data Protection Act.

http://www.admin.ch/ch/e/rs/2/235.1.en.pdf

United States

There is sector-specific legislation for certain types of information: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children's Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA). However, there is no overarching data protection legislation as in the UK. Instead, the United States Department of Commerce created the International Safe Harbor Privacy Principles certification program in response to the 1995 Directive on Data Protection (Directive 95/46/EC) of the European Commission. Directive 95/46/EC declares in Chapter IV Article 25 that personal data may only be transferred from the countries in the European Economic Area to countries which provide adequate privacy protection.

http://www.hipaa.org/

2. Check where you can and cannot store your data, e.g. in the UK, US or Asia

Depending on the location of your organisation, we can store your data in the UK, US or Asia:

- If you are in the UK, you can only store your data in the UK

- If you are in the US, you can store your data anywhere as long as it is safe

- If you are in Canada, you cannot store your data in the US (the UK is the best option)

3. Do you need to register as a Data Controller?

In the UK, you may need to register as a Data Controller or a Data Processor.

4. Ensure all of the people in your organisation understand the importance they need to place on complying with data protection requirements. These are some of the policies we recommend you employ:

Data Protection Act components that you should be aware of

Data Processing:

Ensure that you Process the Data only to the extent reasonably necessary and for the purposes of providing the system;

Take reasonable steps to ensure the reliability of your employees, agents and consultants in relation to the handling of Data;

Take Appropriate Technical and Organisational Measures to protect the Data against accidental loss, destruction or damage, theft, use and/or disclosure;

Not cause or permit such Data to be transferred to or be accessible by any third party (other than employees, agents and consultants appointed and acting in accordance with this clause) without your prior written consent (which may be given or withheld at your absolute discretion).

Data Use:

Use the Data for the specific purposes for which it was collected.

Not disclose Data to other parties without the consent of the individual whom it is about, unless authorised by the Data Controller, and/or there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime).

Provide Users with the right to access the information held about them, subject to certain exceptions (for example, information deemed as classified by the Data Controller).

Keep Personal Data for no longer than is necessary.

Not transmit Personal Data outside the area stipulated by your data protection act unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

Provide Users with the right to make changes to wrong information.

Agree that each User has the right to:

View the data that is held about them. Request that incorrect information be corrected.

Require that data is NOT used in a way which causes damage or distress.

Require that their data is NOT used for direct marketing.

For a number of different data protection acts the individual employee needs to be aware they could be personally liable for mishandling personal data.

5. Ensure all of your users are aware of the following points. This can be sent out with the user's welcome e-mail and login details.

A user needs to know:

1. What data they have access to and why (e.g. the purpose of the system and how they need to use the data)

2. If data is being captured about an individual, do you have their consent?

3. Never to mishandle personal data

4. That if they have access to personal data/information they are not supposed to they need to inform their administrator so that it is removed immediately

5. To never share their password and username

6. If they think their username and password have been breached, they should contact their administrator immediately for a password reset

7. That they should always log off the system when they have finished using it

8. To never leave their computer screen unattended while they are logged in and viewing someone's data

9. If they download data from the site (e.g. a pdf report or an Excel file), they store it in a password-protected file.

10. If they stop working for the organisation, they should no longer have access to any personal data and their login should be removed.

11. The type of information, data and templates used in the Software are often unique to each organisation, and Users need to ensure they do not disclose information which could breach their organisation's confidentiality requirements.

6. On your login page, you can set up special Terms and Conditions that a user needs to accept, to ensure they are aware of, and accept, their responsibility for handling the athletes' data

In addition to specifying important information pertaining to data protection, you can also add in your own special terms and conditions that a user needs to accept each time they log in to the site. The example here shows that your Terms and Conditions for a user can also be posted on the login page of your site. This is set up in the Builder, on the "Edit Application Details" Module.

7. Below is an example of generic Terms and Conditions that you can change to fit your specific needs

THE ORGANISATION’s Terms and Conditions

1.0 Definitions

1.1 “Administrator” means the User who has been given the capability to manage the Users for THE ORGANISATION.

1.2 “Licence” means access is given to THE ORGANISATION’s Software Site to a User for a period of 12 months.

1.3 "Personal Data" means any Templates (specific types of data), data, Personal Data or Information entered into your Software Site about a User.

1.4 “Role” means to give access to specific types of Personal Data based on the access that is required to perform your Work Duties for THE ORGANISATION who purchased/obtained your Licence.

1.5 “Software Site” means the centralised data management website and the installed software, created to capture, store, track and make THE ORGANISATION’s Data available to Users to perform their Work Duties.

1.6 "User" means a person who has been granted a non-transferable Licence by the Administrator to facilitate access to the Software Site.

1.7 “Work Duties” means the duties that you have been assigned as part of your contractual obligations with the Organisation.

2.0 The Software Site

THE ORGANISATION’s Software Site was created to allow Users to access important Personal Data about Organisation athletes to enable optimal athlete management and treatment by THE ORGANISATION’s Medical, Strength and Conditioning and/or Performance Management Staff. The Software Site has been created by the Organisation to enable Users to track important injury, illness, medical and lifestyle information for the athletes who Users treat, have contact with and/or manage. The Software Site is set up uniquely for each User to ensure he/she can only access the athletes and specific types of Data and/or Personal Data that he/she should have access to as part of their Work Duties for THE ORGANISATION.

As a User, you should only have access to the athletes and groups of athletes that you manage and/or treat, and you should only have access to the specific types of Data that you need to fulfill your Work Duties for Organisation. Because you will be accessing Personal Data, you need to handle this data according to any and all data protection laws in your country, for example the UK Data Protection Act (1998). You are expected to familiarise yourself with the latest Data Protection policies and procedures, to observe their requirements and to comply with the following User Obligations whenever you access and use the ORGANISATION’s Software Site.

3.0 You agree to the following User Obligations:

- To keep your password secure. This includes not writing it down or permitting its use by any other individual at any time, and immediately notifying your Administrator if you think it has been breached.

- To ONLY access, use and process the Personal Data in the Software for the specific purpose for which you have been granted access (i.e. your Role) and for no other purpose.

- To notify your Administrator immediately if you have access to any Personal Data that you do not require to perform your Work Duties at your Organisation.

- To always log off the Software System when you leave your computer unattended and/or when you are away from your desk, by clicking on the logout button or by closing the installed version of the software.

- To never disclose or permit access to any Personal Data on the Software Site unless you have been authorised to make the disclosure.

- To securely store hard copy Personal Data in a locked drawer/cupboard when it is not being used and/or when you are away from your desk.

- If you use a public computer, to delete any downloads generated from your use of the Software from the Downloads directory and the Trash (see section 4.0 below for more details).

- To encrypt and/or use a password to protect all Personal Data that is transferred onto a different storage device and that would cause damage or distress if lost or stolen.

- To position computer screens away from windows or others to prevent accidental disclosures of Personal Data.

- To dispose of any documents, resources or printed material securely by shredding them.

- To use appropriate measures to protect all Personal Data against accidental loss, destruction or damage, theft, use and/or disclosure.

- To not transmit Personal Data outside the area stipulated by your Data Protection law(s) unless the individual whom it is about has consented or adequate protection is in place.

- To provide Users with the right to access the information held about them, subject to certain exceptions (for example, information deemed as classified by the Data Controller).

- To keep Personal Data for no longer than is necessary, but in line with the expectations of THE ORGANISATION.

- To correct any incorrect Personal Data on the Software Site.

- To never use Personal Data in a way which may cause damage or distress.

- To return any documents, files, copies and all other items containing any Data obtained through use of the Software Site to THE ORGANISATION if/when you are no longer a licensed User of the Software, because your Licence has expired or is terminated.

- To make no further use or disclosure of any Data at any time once your Licence expires or is terminated.

- To acknowledge and accept that in some circumstances the unauthorised use or disclosure of personal data may result in a criminal offence for which you may be personally liable, and may also result in claims for compensation from affected individuals.

- To acknowledge and accept that your use of the Software Site may be monitored and your access may be suspended if you do not comply with the above Obligations.

4.0 Additional obligations when accessing the software from a public computer or from a computer that is not password protected.

All Medical data can be securely entered, accessed and viewed when you use the software online or offline. However, each time you create a pdf or csv report in the system, or generate a report that exports data out of the system, the file is saved in your internet browser's DOWNLOADS directory. It is not protected, so it can be opened from the downloads directory by ANYONE with access to the computer.

You generate a Download that is stored in the computer’s downloads directory each time you:

1: Open an attachment that is part of any document, or open or edit an attachment that is attached to a document (e.g. the Attachments section of a form),

2: Run an Excel Report on the Excel Reports Module,

3: Generate a “pdf report”, “pdf form report”, “excel report” or run any other type of pdf report from the Reports Page, Athlete History Page, Print Page, Summary Reports Page, Resources or Group Summary Report.

You agree that if you are accessing the software from a public computer or from a computer that you do not own and that is not password protected, you will:

4.1 Not open any attachments, or generate any pdf or csv reports. If you do, the data will be stored in the downloads directory and it will be accessible to anyone with access to the computer.

Or,

4.2 If you have to run a report that creates a download, you MUST go to the downloads history for the internet browser, delete the report once you have created it, and then you MUST also empty the Trash as well.

5.0 Acceptance of Your Obligations

By clicking on the "Login and Accept Terms and Conditions" button on the Login page of the Software Site, you agree to comply with the User Obligations whenever you access and/or use THE ORGANISATION’s Software Site, or any Personal Data generated from use of THE ORGANISATION’s Software Site including but not limited to reports, downloads and/or Resources, and you agree to comply with all of the relevant Data Protection policies, procedures and protocols of your Country, and any regulations that apply to you by any/all Professional Bodies that you may be registered with.