Information

Event Calendar
Privacy
Merchandise
County Websites

Frequent Questions

General FAQs
T&F FAQs
XC FAQs

Anti-Doping

Contact the ESAA

Contact Us

Copyright Information

Copyright Details

Data Protection

The ESAA treats your privacy with the highest regard and are very concerned that other organisations do likewise. Up to 2018, in accordance with the body and also the spirit of the UK Data Protection Act 1998, we guarantee that we will only ask you or your school teachers to supply personal data which is actually needed to enable us to process your entry for the specific event you are involved with, and we guarantee that any data you enter here will only be used for that purpose.

From 2018 onwards, we operate under the EU General Data Protection Regulation (GDPR) which tightens up data protection regulation in several significant ways, with specific points relating to children. Without explaining the entire GDPR, the statements on this page briefly outline the legal terms under which we operate.

You can find a useful and comprehensive guide to the GDPR which has been specifically written to help children, parents, those organising children's sports events in schools or clubs, and teachers teaching IT, on the ESAA website host's own website at www.sendentry.com/gdpr/gdpr.html. This guide explains what people can and can't do with other people's personal data, and also explains why this is so.

Lawful Basis

Lawful basis is a legal term which we are obliged to publish. We collect and process data under two lawful bases as defined in the GDPR:
  1. Legitimate Interest
    This allows us to collect and process data without permission, but only if the data is necessary in order to provide a service or function. The definition of necessary is very specific in the GDPR, and is clearly explained by asking the question 'can we provide the service or function without having this data', if the answer is YES, the data is not necessary. In order to claim legitimate interest the data collected must also be limited to only that which would normally be expected by people using our services or functions, and where the use of such data has minimal impact on personal privacy.

    Such data are things like name, team, PB, age group, school, school town, without which we'd not be able to verify your eligibility to compete in a particular event.

    However, although we might collect this data, the way we use it, and the definition of necessary can change depending on the context: for instance, whilst it is necessary for us to know what school you attend and where it is, under some circumstances it is NOT necessary for us to globally publish such data worldwide, so we won't. This context can vary, for instance the Schools' Cup results need to publish your school and town because that is your team, but County and National Championship results do not need to do so because your team is either a District or a County.

  2. Consent
    This allows us to collect and process data, but only if we have proof that we have your prior permission to do so. This covers data which you might not expect us to ask for in order to provide a service or function, and data which we might ask you to volunteer in order to enhance the services or functions we provide, for instance personal information which you might like commentators to know about so they can have something to say about you.

    All such consents can only be given by you freely and unconditionally, after you have been made fully aware of exactly what the data is, who we might pass it on to, what it will be used for, and when it will be deleted. The GDPR explicitly outlaws the introduction of any other data transfer or use after a specific consent has been given. Unspecified statements like we will transfer your data to NNNN or others are not allowed, each statement must be explicitly defined.

    A simple way to describe this is that we must specify who for, what, why, how long for.

    Another requirement of GDPR (as lawfully amended by the UK Government) is that any statement requiring consent from children must be capable of being fully understood by a 13 year old child. We recommend that any proposed statement requiring consent should be put before a group of 13 year old children so that they can confirm that they fully understand both the statement and the consequences of consenting to it, and for them to ask sufficient questions to enable suitable modifications to be made to any statement. Fortunately, within the ESAA we have very good access to groups of 13 year old children so we should take maximum advantage of them to check that we always remain in compliance with the GDPR. As an aside to this, we may well result in having statements with incorrect grammar and/or syntax, the perfection of which is not within the skills of a 13 year old child. Therefore we may possibly end up with statements containing split infinitives, and maybe even cases where prepositions are used to end a sentence with! None of that matters, the essential requirement is that a 13 year old child must fully understand any statements and the consequences of accepting them.

    Your participation in a service or function we provide can never be conditional on you consenting to giving such data, i.e. your refusal can not stop you taking part.

    Consent is not for ever.
    All consents must be time-limited, we must delete any data held after specified time-limits unless we get a new consent to retain it. The saving and publishing of historical records are excluded from this requirement, subject to your rights to request any record of you be deleted.

Under both the above lawful bases, your data won't be passed to anyone other than your County Association officials, ESAA officials who need to access information in order to run events, and obvious third-parties such as programme printers, teeshirt printers, perhaps TV commentators, results processors, and results publishers. Only the data necessary for each third-party to perform their service or function will be transferred, and data transfers will be made following their acceptance of our requirement that the data must be deleted after the service or function has been completed. We are duty bound to record all such data transfers so that we can pass on any requests for corrections or deletions to be made.

You have a right to object

Even if we collect and process your data under the legitimate basis claim, you have the right to object to us doing so, but only if you have grounds relating to your particular situation.

You also have an absolute right to object to us using your data for direct marketing purposes, but the ESAA doesn't do that anyway.

How do we look after your data?

The data the ESAA collects from you, or via your School teachers, or via County Team managers, is transmitted from their computers using SSL encryption and is stored securely in encrypted form on the ESAA webservers which are operated by one of the largest web hosting companies in Europe (www.1and1.co.uk). We rely on their guarantee for the security of data held in their systems.

Your data is processed on the ESAA webserver and stored in an encrypted format so that it is not accessible except by using our own programs and systems.

Your data will be backed up onto CD disks, DVD ROMs, memory sticks, external hard drives, or other such equivalent means as and when they are developed, which may be held at a trusted ESAA official's premises. These backups will be used only to restore damaged data files.

Details of results of events which might be published on the internet could remain in the public domain for as long as it is historically valid and useful. Such details will be restricted to name, sex, age group, team or school, County, and actual performances at each event. We will NEVER disclose personal information such as Dates of Birth, Personal Best Performances, your address, or phone numbers.

Cookies, tracking your usage, and data retention times

The ESAA does not use cookies in any data transfer on the internet.

Data which is entered by teachers or pupils via this website are recorded on the ESAA website in encrypted files stored behind firewalls which are only accessible by the website administrator. County team managers have access to the previous year's team entries which they or their colleagues previously entered.

For the Schools Cup Competitions, we ask teachers to create squads of pupils. These contain the names and dates of birth of pupils and the data is stored for the full duration of a pupil's time at school, up to the time when they are too old to participate in the Cup Competitions. The data is used only to enable teachers to quickly select their teams without having to re-enter pupils' details each year. Dates of birth are only visible to pupils' teachers and the website administrators.

For the Awards Schemes, teachers can create class lists of their pupils with just their name and class year. They can roll-on each class each year until that class is too old for the awards scheme, at which point the class data is deleted.

In 2011, a facility was introduced to enable pupils to register themselves online to become available for County Team selection. The data submitted in this registration includes all the following data types, but exists only for the year in which the registration is made. All pupil self-registered data will be deleted at the end of July each year. If pupils wish to continue to be available for County and National Team selection they will need to re-register each year - this is the way we will ensure that data is kept up to date at all times.

Data entered by team managers declaring County Teams is retained for just over one year, in case we need to resolve any complaints or disputes, and so that we can make athletes' details available to team managers so that they can enter their team declarations the following year without having to re-type the same data.

What do we do with your data?

The data we ask teachers and pupils to give will only be used as follows:
  • Your Name and Sex
    These might be published in an event programme, on tee-shirts, and will appear in the results of events, both in printed form and online. Results may be sent to newspapers or magazines for wider distribution, or published in a brochure printed on behalf of the event organisers which may be mailed to each participant in any event. This data may also appear on TV where events are televised.

  • Your Address
    This will only be used by County, Regional, and National Team Managers to send you the details necessary to enable you to participate in the event you are selected for, and to receive any subsequent post-event certificates, results, or other 'goodies' provided by the event organisation or sponsors of each event. While any such mailing might contain sponsor's advertising material, this will be controlled by the event organisers.

    Your address will NOT be made available to sponsors, unless you specifically give us your permission. If sponsors wish to communicate with you, this will be controlled by the ESAA.

    Your town, school, and County, might be published in event programmes and results and might be shared with your local newspapers so that they can feature specific pupils in specific events. Any disclosure to the press is accompanied by the requirement that they use this information only in order to report on the activities of school pupils in their area relating to ESAA events and that they will not use the information for any other purpose.

    Your town, County, or Postcode might be used to provide sponsors with aggregate data about how many entries come from different regions. This information will not contain any specific data about you or any other identifiable person.

  • Your age
    The ESAA needs to know your date of birth in order to verify which age group you belong to. We consider this to be sensitive personal information and this information will not be disclosed to anyone other than Team Managers and the organisers of each event. The ESAA will never publish dates of birth online or in any other form. In cases where your age needs to be visible, for instance on printed copies of entry forms, dates of birth are anonymised to show only month/year, with the day being set to zero.

    Age data will be used and published in the results of events at the most general level possible - eg. age group not actual age.

    We may also use your date of birth year and month to create aggregate views of the age distribution of athletes in each competitive age group. The information gained from these views will only be used by the ESAA to help us to check whether there is any particular bias towards older children so that we can take any necessary steps to make competitions fairer.

  • Your team or school
    For many events this information is required to determine team competition prizes. This data will appear in published event programmes, tee-shirts, results, and perhaps on TV at televised events. If this causes a problem for you, you are advised to notify your team manager and appropriate steps will be taken to anonymise such information.

  • Phone numbers
    We might ask you to disclose one or more phone numbers for you and the people in parental control over you. They will only be used by team managers and event organisers to contact you in case of difficulty processing your details, or if the organiser needs to inform you of any last-minute change to arrangements already sent to you by mail, or in emergencies. Your phone numbers will never be sent to anyone other than team managers and event organisers without your explicit permission, and under no circumstances will they be used for tele-marketing or any other purpose not directly connected to the event you are involved with.

  • Email address
    You may be asked to give us your email address. This might be used to send you confirmation of team selection and might also be used by the event organiser to inform you about any last-minute changes to the event. Event organisers might wish to email you next year to inform you of details of events. These are the only times your email address will be used without your explicit permission. However, event organisers may also wish to be able to offer you further information, including that from their sponsors, and might also have a regular news-letter they would like to send you from time to time. In these cases, you will be offered the option to include yourself in these mailing activities, and each mailing from them will include instructions on how to remove your address from their mailing list.

    You will never automatically be included in any mailing list.

  • Other data
    Event organisers may request that you supply other non-sensitive data such as tee-shirt size, shoe size etc. You may also wish to request details of other facilities they may be providing for you. Such data will fall under the Consent legal basis and you are free to withhold any data you do not wish to give. Your responses will be treated as if they were sensitive data and will be given the same level of protection as defined (above) for your phone numbers and email address.

Building profiles of children - changes in the GDPR

The GDPR introduces much more strict rules relating to profiling children. From 25th May 2018 nobody can build or maintain a profile of any child without having the child's fully informed consent. This means that each child needs to be told what people are doing with their data, and ask them to consent to that being done.

The ESAA does not compile profiles of children. We do not do anything to keep track of children's progress through their athletics careers. We only publish stand-alone results of each competition and we do not process those results any further.

Other bodies DO compile profiles of athletes' performances in ESAA competitions, for instance UKA's Power of 10. Frequently, children have consented to them doing that by registering themselves on their website. However, Power of 10 also builds profiles of athletes in ESAA events without gaining consent and many athletes are entirely unaware of this. Power of 10 also publishes online the names of unregistered children in their National rankings lists. From 25th May 2018, any such profiling is not allowed under the GDPR - people may only build profiles of children, and publish names, where children have registered themselves and given their explicit consent.

Including the names of children in rankings lists is a form of profiling which is not allowed without the child's consent. This change means that from 25th May 2018, all ranking lists should only contain the names of children who have consented for their name to be used in this way, any other positions in ranking lists should be left blank.

The GDPR outlaws presumed consent which means that consent can only be given by people specifically opting-in to anything. This has implications for children in athletics clubs, where their details have previously been forwarded to UKA and then on to Power of 10 as an automatic part of them joining a club. Under the new rules relating to profiling of children, a new opt-in consent should be gained from each child if they wish to continue being profiled. Being profiled by Power of 10 is not a necessary part of athletics and nobody has to agree to that. Anyone not consenting to being profiled should have their current profile deleted. Likewise, anyone who has never given their explicit consent should have their profile deleted - this includes many thousands of children who have already been profiled by Power of 10 by virtue of them extracting childrens' data from published ESAA competition results.

Changing your data

You have a right to ask for any data to be corrected or deleted, any such modification must be done by us in a short time scale, and we are required to ensure as far as possible that any data which has been passed on to others is also corrected or deleted. Children have extra special rights which we must observe, the rights of children carry over into their adulthood, to the extent that an adult can demand that any consent they gave as a child be revoked, that is, if a child originally said yes, when they are adult (or any time earlier) they can change their mind and say no.

Once your details have been entered into an event by yourself or by a teacher or team manager, any changes to your details must be notified to the person responsible for entering your details into the ESAA website systems. In the case where you register yourself online into the ESAA website systems, it is your responsibility to keep the information you register up to date. The ESAA cannot accept any responsibility for any failure in communicating with you if you fail to update your registered details correctly.

Data Controller

The Data Controller for ESAA data is Joe Lee, registered number Z2405585 who operates under the terms of this registration as a consultant providing services to the ESAA. You can find further information about the UK Data Protection Act, the EU General Data Protection Regulation, and find contact details for registered data controllers at www.ico.org.uk.

Their website also has the complete text of the GDPR, together with many pages explaining it in great detail.