General Data Protection Regulation (GDPR )

RunTogether take the protection of runner and run leader data seriously and want to ensure you are clear as to how the data we collect is processed. New data protection legislation has meant that we have had to make a few changes to the website and update our privacy notice.

At this point we felt it was important to remind you of the key benefits of RunTogether to ensure data that is collected is processed in the correct way and to remind you of some of the responsibilities as RunTogether leaders.

What is GDPR?

GDPR is an important change in government legislation regarding data protection and stands for the General Data Protection Regulation. It effectively provides an update to the Data Protection Act, bringing in new requirements. Any organisation that is required by law to comply with GDPR must do so by the 25th May 2018 at the latest.

Does this apply to our RunTogether group?

The GDPR applies to any “data controllers” or “data processors”. Those are technical terms but in essence if you collect any personal data in running your group (which you will do if you have any group members) then GDPR will apply to you.

I only use the RunTogether website to manage my group, is everything covered?

In short, yes- if you are using the full functionality of the website.

As a group leader/ run leader who has access to personal data you will need to be mindful of how you manage and process it as you will be responsible for protecting personal data.

The RunTogether programme was designed to help run leaders administer their running groups. A key part of the programme is to provide a facility for runners to register online and to remove any paper-based data collection and processing. This helps to reduce the risk of breaching any data protection regulations in addition to hopefully making your life easier as a volunteer.

Therefore, we recommend that:

1. All runners register for RunTogether and book any group runs online so they can:
   • Confirm that they have read a GDPR compliant privacy notice and therefore know how their data will be  used by RunTogether and Group LeadersR
   • RunTogether Privacy Notice (for runners and Run Leaders)
   • Provide additional consent for processing data where required e.g. to receive direct marketing emails
   • Access a MyRunTogether profile page where personal details and privacy preferences can be updated at any time.
2. All Group Leaders use the RunTogether system to manage their group activity. This allows you to:
   • Only collect data you need for the purposes of managing your group
   • Store runner data in one place
   • Send information to runners about your group runs e.g. welcome, confirmations, cancellations, congratulations etc
   • Use an application and administration portal to remove the need for paper-based data collection
   • Ensure that data is secure in a database supported by the Microsoft Azure platform
   • Only export data that is necessary and of only of users that have confirmed they have read a privacy notice
   • Remove people from the database if required

RunTogether Leader Terms and Conditions

The following terms apply for your use of access information (login details and passwords) and personal data:

• Keep access information secure and confidential. For example, do not share your login details with others, ensure you are logged out of the application when you are not using it etc
• Comply at all times with your obligations under data protection legislation and when required keep
• Don’t access or attempt to access any personal data on the RunTogether website except relevant personal data about members of your RunTogether group
• Only process your runner personal data via the RunTogether website or which has been exported from the RunTogether website solely for the purposes of providing your group runs:
  • only export data from the website for the purposes of running your group runs;
  • don’t retain any exported data longer than necessary for what you intended, and ensure any exported is kept accurate and up to date and deleted/ destroyed immediately after you have used it;
  • do not share any exported data with a third party.
• Don’t access the RunTogether website or process data from the website outside the European Economic Area.
• Inform RunTogether of any complaint or request received in relation to runner data and help in any response that may be required. It is worth noting that under the GDPR, individuals have a number of rights including request to access all data that is held about them, object to the processing and delete their data.

When setting up your group you have the option of including your own terms and conditions/ privacy notice and any additional marketing consents you have.

We have developed a template privacy notice that you may want to use as your terms and conditions

How to add terms and conditions

A Privacy Notice Template can be accessed via the Run Leader Support area of the website.

Depending on the type of marketing you do to your group (and you may not do any) we would suggest that you may choose to send promotions and offers by post, phone, or by email for similar activities, merchandise and services the runner has already bought. This is included in the privacy notice template.

If you do other marketing or campaigning such as provide information or offers from sponsors you should think about adding addition consents to your group website.

What else do I need to do?

You need to think about what other processes (if any) you undertake that involve processing personal data outside of the RunTogether system, make people aware via a privacy notice and consent (if required)

• Only export data that is necessary and of only of users that have confirmed they have read a privacy notice
• Remove people from the database if required
• Benefit from automatic data cleansing processes so that you are not keeping data when it is no longer required for the purposes it was collected.

The fundamental principle of GDPR is that when collecting data, the individual understands how and what you do with their data at the point it is collected.

All Group Leaders and Run Leaders need to be aware of the following:

• If you have a new runner turn up to your group who isn’t already registered on the RunTogether website you will need to collect personal information from them via the RunTogether App. At this point you are required to inform the runner that you will be sharing their data with RunTogether, a programme facilitated by England Athletics.
• Similarly, if you have taken personal details from a runner and you intend to add them to your group via the administration area then you need to let the runner know that you will be sharing their data with RunTogether, a programme facilitated by England Athletics.
• In both these instances we keep the initial data we collect to a minimum and the runner will be invited to join RunTogether and go through the full registration process at which point they will accept the terms and conditions and read the privacy notice.
• Until the runner has accepted the invitation, registered and activated their account their contact details will not be available, and their data cannot be exported.
• Only once the runner is fully registered with RunTogether will the group leader be able to fully process their data.
• You can’t keep data for longer than is necessary for the purpose for which it was collected. You also need to inform people how long you will keep their personal data for and you can’t keep it indefinitely.

For example, a runner may not have been on a run for four years - how likely is it that they will return? If the answer, is ‘unlikely’ then their core data should be deleted, or their record anonymised after that time so the person can’t be identified. There will be a full data cleansing process put in place on the RunTogether database to ensure we are compliant with data retention so you only need to worry about this if you are storing data outside of the RunTogether website. This applies to hard copy and electronic data.

To ensure data is only kept for as long as necessary the following data retention rules will apply automatically:

• If a runner is added on the day of a run or by the Group Leader and an invitation is not accepted within two months, the data will be deleted from the system.
• Once a runner has registered but has not booked on a group run and the account has been inactive for 12 months their records will be anonymised (name and contact details deleted)
• Once a runner has registered and has booked on a group run and the account has been inactive for four years their records will be anonymised (name and contact details deleted)
• Any data that is exported from the system e.g. registers, will be deleted/ destroyed immediately after it has been used for the purpose it was exported.

At the time of becoming a Group Leader, Run Leader or group administrator of the group you would have agreed to the following terms that include specifics in relation to data protection. (Note these have recently been updated) and that you have procedures in place to make sure you are processing data how you have told people you will:

• Inform people of who you are (as data controller)
• What data do you collect?
• Why do you collect it?
• What is your legal basis for processing it?
• Is the data transferred or shared?
• How long do you keep it for?
• Have you informed people of their rights?
• Have you given people an option of contacting you and complaining?

What happens if I think there has been a breach?

You will only have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches. For example, if a group leader holds group data on their laptop outside of the RunTogether website and it is not encrypted and gets stolen - the data is now at risk and a breach would have to be reported. You need to make sure that personal data is held securely, i.e. that electronic documents are encrypted, and password protected and that they are backed up on a regular basis. You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to. To try and avoid any such breaches we would recommend that you use the RunTogether website to administer and manage all of your group member’s personal data.

Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?

This may be a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. Personal data collected manually and stored in files as a hard copy still has to be managed in accordance with the data protection regulations. As you can imagine, some of the legislation is more difficult to implement in relation to paper copies. For example, Privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily and this could easily become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. One small slip and it’s too late – an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of committee has files stolen from their car. These are all real-world situations where paper documents can get into the wrong hands. To minimise the risk we suggest that you use the RunTogether website to administer and manage all of your group’s personal data.

My group keeps a record of its members “in the Cloud” (e.g. via shared files on DropBox or Google Drive, or via a bespoke or commercially available membership system): what should I do about that data?

Data security is key and when storing anything online you need to ensure that you protect yourself by ensuring you keep passwords safe and ensure that files that contain personal data are encrypted. The likes of Dropbox, OneDrive and Google Drive have built in security measures for the protection of files whilst in storage or in the process of being shared. When using third party software you need to ask for assurances over the security of the system. For example, ask the provider for an explanation of how data security is managed or ask if a Privacy Impact Assessment has been undertaken.

ICO guidance – take a look at the 12 steps to take now and the Getting ready for the GDPR self-assessment tools.  The ICO also now offer a helpline. Representatives of small organisations should dial 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

Sport and recreation alliance – Further guidance is available on the SRA website

For any further enquires, as usual please contact support@runtogether.co.uk

The guidance given here is aimed at assisting RunTogether groups with identifying the key areas that they should be addressing as a result of the additional requirements arising from the upcoming introduction of GDPR. RunTogether groups may have already considered these requirements - and where appropriate have taken specialist advice – regarding the impact of existing UK Data Protection legislation insofar as that may impact their activities.