10+ Tips to Avoid a Data Breach in Sport

Community-level sports clubs are run by volunteers who have the members’ best interests at heart, and that includes sharing dates of birth, contact information, home addresses and medical backgrounds with team coaches. There’s no problem with that, right?

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and requires every organisation to protect the personal data it handles. This applies equally to schools and sports clubs, with particular attention to information relating to juvenile members.

Below we look at everyday habits and processes observed across multiple sports, and at how this often sensitive information is handled by the volunteers who represent the club.

How Data is Stored

While most clubs operate a registration system, generally a secure software package or service, the players registered to a team are typically managed on a spreadsheet sent to the lead mentor and shared with other coaches when travelling to fixtures, especially when larger squads have matches in opposite directions.

Data Breach Vulnerability #1
Spreadsheets are generally not password protected and can easily be sent, by mistake, to an unintended recipient by email. Even a password-protected file offers little protection when the password is sent in the same email thread.

Risk Mitigation
Using SURPASSPORT, each coach is authorised to access team and athlete records from their laptop or smartphone. Data is not duplicated, cannot be exported, and is only held temporarily on the device, so all pertinent contact details are close to hand without a copy being left behind.

Data Breach Vulnerability #2
Printouts of such spreadsheets are equally commonplace and are at risk of being mislaid. This is especially prevalent at official fixtures, where each player’s name, registration number and date of birth are printed in triplicate and handed to the referee and the opposition coach.

Risk Mitigation
SURPASSPORT integrates with LeagueManager and offers validation against eligibility criteria, so officials and opposition management can be assured of age-grade or standard compliance without a printed list changing hands. Please contact us for more information on our league management capability, whether you’re responsible for a regional league or organising a club blitz.

Data Breach Vulnerability #3
Spreadsheets are stored on private devices, which are generally considered insecure. Should such a device be mislaid, a third party can potentially access the data, and the club has no means of protecting it or removing access remotely.

Risk Mitigation
All club, team and player data recorded on SURPASSPORT is stored on industry-standard equipment in state-of-the-art facilities, backed by continuous investment in security infrastructure, technology and processes. Should your device be compromised, you can remotely revoke access to your account, then resume from a new device simply by reactivating your login. Revocation stops any further access from the lost device; whatever was cached on it before revocation is protected only by the device’s own screen lock and storage encryption, which is why keeping the local copy temporary matters.

Additional data, such as attendance records, incidents and performance notes form part of a coach’s file for a team.

Data Breach Vulnerability #4
How are they stored? On paper? In email? Are such files protected in a suitable manner?

Risk Mitigation
SURPASSPORT is secure, with shared access granted as appropriate. Sensitive data is encrypted and can only be retrieved by authorised users; where communication is required, only the intended recipients are notified of such records. The records themselves are never circulated by email.

Access Control

Coaches need access to each player’s contact details and medical conditions and, depending on the requirement, date of birth and home address. This is usually managed by the head coach, and the vast majority take their responsibility seriously, but not necessarily in line with data protection best practice.

Data Breach Vulnerability #5
How can the club assure members that a coach who is no longer associated with a team no longer has their contact details?

Risk Mitigation
Once a coach is removed from a team on SURPASSPORT, their access to that team’s athlete data is revoked immediately.

SURPASSPORT includes Vetting Status Tracking: coaches without a current vetting status are automatically locked out of underage team details, with suitable advance notice, of course.

Data Breach Vulnerability #6
A juvenile player supports another team for only one match. The receiving coach needs full information, but only for the duration of the game. How can the information be safely removed when it is no longer needed?

Risk Mitigation
Temporary assignment of a player from one squad to another for a single event, such as a match, is fully supported on SURPASSPORT. The receiving coach gets full access to the supporting player for the purposes of the event, the player’s parents are included in communications for that event, and once the event is completed.
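The three rules above (access disappears when a coach is removed from a team, a lapsed vetting status locks a coach out of underage data, and a loaned player is visible to the receiving coach only for the day of the event) together describe a deny-by-default access model. The Python below is an added illustration of how such a policy can be evaluated at request time; it is not SURPASSPORT code, and every coach, team, athlete and date in it is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Coach:
    coach_id: str
    # Date the coach's child-protection vetting lapses; None means never vetted.
    vetting_expires: Optional[date]


@dataclass
class Team:
    team_id: str
    underage: bool  # juvenile squad: a current vetting status is required to view it
    coach_ids: Set[str] = field(default_factory=set)
    athlete_ids: Set[str] = field(default_factory=set)


@dataclass
class EventLoan:
    """A juvenile player supporting another squad for a single fixture."""
    athlete_id: str
    team_id: str      # the receiving team
    event_date: date  # access exists on this day only


class AccessPolicy:
    def __init__(self) -> None:
        self.coaches: Dict[str, Coach] = {}
        self.teams: Dict[str, Team] = {}
        self.loans: List[EventLoan] = []

    def is_vetted(self, coach: Coach, today: date) -> bool:
        return coach.vetting_expires is not None and coach.vetting_expires >= today

    def can_view_athlete(self, coach_id: str, athlete_id: str, today: date) -> bool:
        """Deny by default; grant only via a live team link or a same-day event loan."""
        coach = self.coaches.get(coach_id)
        if coach is None:
            return False
        for team in self.teams.values():
            if coach_id not in team.coach_ids:
                continue  # coach removed from the team: no path to its athletes
            if team.underage and not self.is_vetted(coach, today):
                continue  # lapsed vetting locks the coach out of juvenile data
            if athlete_id in team.athlete_ids:
                return True
            if any(loan.team_id == team.team_id and loan.athlete_id == athlete_id
                   and loan.event_date == today for loan in self.loans):
                return True  # loaned player, visible on the event day only
        return False

    def remove_coach(self, team_id: str, coach_id: str) -> None:
        """Removing the team link is the whole revocation; no clean-up job is needed."""
        self.teams[team_id].coach_ids.discard(coach_id)

    def vetting_warnings(self, today: date, notice_days: int = 30) -> List[str]:
        """Coaches whose vetting lapses within the notice window (the 'advance notice')."""
        horizon = today + timedelta(days=notice_days)
        return sorted(
            c.coach_id for c in self.coaches.values()
            if c.vetting_expires is not None and today <= c.vetting_expires <= horizon
        )


def build_demo() -> AccessPolicy:
    """Constructed sample club: all IDs and dates are made up for this illustration."""
    p = AccessPolicy()
    p.coaches = {
        "coach_a": Coach("coach_a", date(2024, 10, 1)),  # lapses soon
        "coach_b": Coach("coach_b", date(2025, 6, 30)),  # current
        "coach_c": Coach("coach_c", date(2024, 8, 1)),   # already lapsed
    }
    p.teams = {
        "u14": Team("u14", True, {"coach_a"}, {"ath_1", "ath_2"}),
        "u16": Team("u16", True, {"coach_b", "coach_c"}, {"ath_3"}),
        "senior": Team("senior", False, {"coach_c"}, {"ath_4"}),
    }
    # ath_1 (U14) supports the U16 squad for one fixture on 21 Sep 2024.
    p.loans.append(EventLoan("ath_1", "u16", date(2024, 9, 21)))
    return p


if __name__ == "__main__":
    policy = build_demo()
    today = date(2024, 9, 14)
    print(policy.can_view_athlete("coach_b", "ath_1", today))              # False
    print(policy.can_view_athlete("coach_b", "ath_1", date(2024, 9, 21)))  # True
    print(policy.vetting_warnings(today))                                  # ['coach_a']
```

The design point is that every check is evaluated against the current date and the current team membership, so revocation, vetting lapse and the end of a loan all take effect without anything having to be deleted from the coach's side; the only state that matters is held by the club.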

Team Communication

Can you play?
Reminder to attend training.
Who needs a lift?

These are just some of the messages every head coach sends to their team on a regular basis. Many teams have adopted social media messaging tools to send them.

Data Breach Vulnerability #7
Every member of the group can see every other member’s contact details. This is compounded for underage teams, where parents’ contact details are visible, and not all parents wish their mobile phone number to be visible to everyone in the group.

Risk Mitigation
SURPASSPORT is a secure and appropriate communications platform that only ever notifies those intended. Contact details are never made visible, even to authorised persons, although a phone number will remain in the device’s call history if a call was made.

Such social messaging groups are often left uncontrolled: any member can send a message to the group, and it is delivered to every other member.

Data Breach Vulnerability #8
Consider the responses to ‘Can you play?’. It is generally inappropriate for the whole team to know that an individual is sick, working, at the dentist, away on holiday or studying for exams. While this information is given freely, it is really intended for the coaches, not the team, and yet everyone receives it.

Risk Mitigation
Each notification between coach and athlete (or their parent) travels on a dedicated channel. Where responses are requested, they are visible ONLY to the coaches and are never shared with team mates. SURPASSPORT still keeps this usable: a single message can be broadcast to the team, to those selected for a match, or to an athlete’s parents in one action.

Data Breach Vulnerability #9
Because of the nature of such groups and the free-flowing conversation on social media, discussing any individual player’s performance or behaviour on a team communications channel is a significant breach of privacy and places the club at risk of complaint and possible retribution.

Risk Mitigation
There are no such general conversations on SURPASSPORT; it is not a social media channel. It provides a robust, compliant and user-friendly means of managing the information that needs to be shared between a player and their coach, including communications.

Keeping Records Up-to-date

Oops, my number changed.
Here’s my new email address.
My child’s name has a typo …

Data changes happen. How easily can your club update or correct every copy of the data, including those pesky spreadsheets? Keeping records accurate is one of the key responsibilities under data protection law.

Data Breach Vulnerability #10
Continuing to send notifications to an out-of-date email address or phone number can easily result in an unwanted and undetected data breach, as well as the message not reaching the intended recipient in a timely manner.

Risk Mitigation
The user is in control and must be registered on the platform to receive team notifications. If they change jobs and use a new email address, they simply edit their profile and email communications are automatically sent to the new address. Likewise for their mobile phone number, should that change. Only athletes (or their parents) can modify core athlete data, specifically name, date of birth, gender, medical note and In Loco Parentis authorisation; the club manages the athlete’s NGB (National Governing Body) registration number.

Right to be Forgotten

Members leave clubs
Players leave teams
Juvenile players graduate to Senior

Much as Registrars and Treasurers would like it not to be so, members come and go. What happens when they leave? Or when they are not leaving the club entirely, but graduating from the juvenile section to senior? Or are no longer a full-time member of a team?

Data Breach Vulnerability #11
Where a player is no longer connected with a team, are contact and personal details automatically removed?

Risk Mitigation
Simply remove the athlete from the team: they will no longer receive future communications and are removed from planned activities. Historical records are retained (the retention period is set by the club, as Data Controller), but ‘current’ information, including their workload, medical notes and contact information, is no longer available to the team’s coaches.

SURPASSPORT and Data Protection

The SURPASSPORT security and data access model is designed specifically for sports organisations and their members, and supports player-coach relationships as they happen in the “real world”.

SURPASSPORT operates as Data Processor for your club, which is the Data Controller and holds athlete and mentor data on a legitimate interest basis by extension of club membership or student registration. SURPASSPORT provides robust, role-based access management, ultimately controlled by the Children’s Officer or Club Registrar.

Team communications are secure and direct: Team and Match messages are broadcast to applicable members only, and responses, where applicable, are returned only to the coaches.

Your data is secured to best practice. Sensitive data is encrypted at rest, and all communications between your device and the application data stores are encrypted in transit. The application servers are hosted in an ISO 27001 certified data centre with extensive access control measures, and the hosting providers are bound by access control and Data Processor agreements. Even our staff cannot access your data through the application unless specifically granted access for support purposes.

Access to non-core personal information, specifically date of birth and home address, can be controlled by the athlete (or their parent), and that access is clearly visible when the team info is selected on their profile, including the individuals who have direct access to this data.

Finally, the SURPASSPORT business model relies on direct income from clubs and athletes, and commits to providing the service free from advertising, product placement or any sharing of your data for marketing purposes. We take Data Protection seriously too.

Contact us

Our Helpdesk is monitored 8am to 8pm, Monday - Friday