The ESAA treats your privacy with the highest regard and are very concerned that other organisations do likewise.
Up to 2018, in accordance with the body and also the spirit
of the UK Data Protection Act 1998,
we guarantee that we
will only ask you or your school teachers to supply personal data which is actually needed
us to process your entry for the specific event you are involved with, and we guarantee that any data you
enter here will only be used for that purpose.
From 2018 onwards, we operate under the EU General Data Protection Regulation (GDPR) which tightens up
data protection regulation in several significant ways, with specific points relating to children.
Without explaining the entire GDPR, the statements on this page
briefly outline the legal terms under which we operate.
This guide explains what people can and can't do with other people's
personal data, and also explains why this is so.
is a legal term which we are obliged to publish. We collect and process data under two
as defined in the GDPR:
- Legitimate Interest
This allows us to collect and process data without permission, but only if the data is necessary in order
to provide a service or function. The definition of necessary is very specific in the GDPR, and
is clearly explained by asking the question 'can we provide the service or function
without having this data', if the answer is YES, the data is not necessary. In order to claim legitimate interest the data collected must also be
limited to only that which would normally be expected by people using our services or functions, and where the
use of such data has minimal impact on personal privacy.
Such data are things like name, team, PB, age group, school, school town, without which we'd not be able
to verify your eligibility to compete in a particular event. Data like this might be passed on to other
obvious third parties such as programme and results printers, teeshirt printers, event commentators, and
providers of accommodation where teams are competing away from home.
However, although we might collect this data, the way we use it, and the definition of necessary can change depending on the
context: for instance, whilst it is necessary for us to know what school you attend and where it is,
under some circumstances it
is NOT necessary for us to globally publish such data worldwide, so we won't. This context can vary, for
instance the Schools' Cup results need to publish your school and town because that is your team, but
County and National Championship results do not need to do so because your team is either a District or a County.
This allows us to collect and process data, but only if we have proof that we have your prior permission to do so.
This covers data which you might not expect us to ask for in order to provide a service or function, and data
which we might ask you to volunteer in order to enhance the services or functions we provide, for instance personal
information which you might like commentators to know about so they can have something to say about you.
consents can only be given by you freely and unconditionally, after you have been made fully aware of exactly what
the data is, who we might pass it on to, what it will be used for, and when it will be deleted. The GDPR explicitly outlaws
the introduction of any other data transfer or use after a specific consent has been given. Unspecified statements
like we will transfer your data to NNNN or others are not allowed, each statement must be explicitly defined.
A simple way to describe this is that we must specify who for, what, why, how long for.
Another requirement of GDPR (as lawfully amended by the UK Government) is that any statement requiring consent from children
must be capable of being fully understood by a 13 year old child. We recommend that any proposed statement requiring
consent should be put before a group of 13 year old children so that they can confirm that they fully understand
both the statement and the consequences of consenting to it,
and for them to ask sufficient questions to enable suitable modifications to be made to any statement.
Fortunately, within the ESAA we have very good access to groups of 13 year old children so we should take
maximum advantage of them to check that we always remain in compliance with the GDPR. As an aside to this,
we may well result in having statements with incorrect grammar and/or syntax, the perfection of which
is not within the skills of a 13 year old child. Therefore we may possibly end up with statements containing split infinitives,
and maybe even cases
where prepositions are used to end a sentence with! None of that matters, the essential requirement is that a 13 year old
child must fully understand any statements and the consequences of accepting them.
Your participation in a service or function we provide can never be conditional on you consenting to
giving such data, i.e. your refusal can not stop you taking part.
Consent is not for ever.
All consents must be time-limited, we must delete any data held after specified
time-limits unless we get a new consent to retain it. The saving and publishing of historical records are
excluded from this requirement, subject to your rights to request any record of you be deleted.
Under both the above lawful bases, your data won't be passed to anyone other than your County Association officials,
ESAA officials who
need to access information in order to run events, and obvious third-parties such as programme printers,
teeshirt printers, perhaps TV commentators, results processors, results publishers, and accommodation
providers where necessary. Only the data necessary
each third-party to perform their service or function will be transferred, and data transfers will
be made following their acceptance of our requirement that the data must be deleted after the
service or function has been completed.
We are duty bound to record all such
data transfers so that we can pass on any requests for corrections or deletions to be made.
You have a right to object
Even if we collect and process your data under the legitimate basis
you have the right to object to us
doing so, but only if you have grounds relating to your particular situation
You also have an absolute right to object to us using your data for direct marketing purposes, but the ESAA
doesn't do that anyway.
How do we look after your data?
The data the ESAA collects from you, or via your School teachers, or via County Team managers, is transmitted
from their computers using SSL encryption and is stored securely in encrypted form on the ESAA webservers which
are operated by one of the largest web hosting companies in Europe (www.1and1.co.uk). We rely on their guarantee for the security
of data held in their systems.
Your data is processed on the ESAA webserver and stored in an encrypted format so that it is not accessible
except by using our own programs and systems.
Your data will be backed up onto CD disks, DVD ROMs, memory sticks, external hard drives, or other such
equivalent means as and when they are developed, which may be held at a trusted ESAA official's premises.
These backups will be used only to restore damaged data files.
Details of results of events which might be published on the internet could remain in
the public domain for as long as it is historically valid and useful. Such details will be restricted to
name, sex, age group, team or school, County, and actual performances at each event.
We will NEVER disclose personal information such as Dates of Birth,
Personal Best Performances, your address, or phone numbers.
Cookies, tracking your usage, and data retention times
Data which is entered by teachers or pupils via this website are recorded on the ESAA website in encrypted
files stored behind firewalls which are only accessible by the website administrator.
County team managers have access to the previous year's team entries which they or their colleagues previously entered.
For the Schools Cup Competitions,
we ask teachers to create squads of pupils. These contain the names and dates of birth
of pupils and the data is stored for the full duration of a pupil's time at school, up to the time
when they are too old to participate in the Cup Competitions. The data is used only to enable teachers
to quickly select their teams without having to re-enter pupils' details each year. Dates of birth are only visible to pupils' teachers and the website administrators.
For the Awards Schemes, teachers can create class lists of their pupils with just their name and class year.
They can roll-on each class each year until that class is too old for the awards scheme, at which point the
class data is deleted.
In 2011, a facility was introduced to enable pupils to register themselves online to become available for County Team
selection. The data submitted in this registration includes all the following data types, but exists only for
the year in which the registration is made. All pupil self-registered data will be deleted at the end of July each year.
If pupils wish to continue to be available for County and National Team selection they will need to re-register
each year - this is the way we will ensure that data is kept up to date at all times.
Data entered by team managers declaring County Teams is retained for just over one year, in case we need to
resolve any complaints or disputes, and so that we can make athletes' details available to team managers
so that they
can enter their team declarations the following year without having to re-type the same data.
What do we do with your data?
The data we ask teachers and pupils to give will only be used as follows:
- Your Name and Sex
These might be published in an event programme, on tee-shirts, and will appear in the results of events,
both in printed form
and online. Results may be sent to newspapers or magazines for wider distribution, or published in a brochure
printed on behalf of the event organisers which may be mailed to each participant in any event. This data may
also appear on TV where events are televised. This will also be passed to hotels or other providers of accommodation
where teams need to stay away from home.
- Your Address
This will only be used by County, Regional, and National Team Managers to send you the details necessary
to enable you to participate in the event you are selected for, and to receive any subsequent post-event
certificates, results, or other 'goodies' provided by the event organisation or sponsors of each event.
While any such mailing might contain sponsor's advertising material, this will be controlled by the event
Your address will NOT be made available to sponsors, unless you specifically give us your permission.
If sponsors wish to communicate with you, this will be controlled by the ESAA.
Your town, school, and County, might be published in event programmes and results and might be shared with your
local newspapers so that they can feature specific pupils in specific events. Any disclosure to the press is
accompanied by the requirement that they use this information only in order to report on the activities of
school pupils in their area relating to ESAA events and that they will not use the information for any other
Your town, County, or Postcode might be used to provide sponsors with aggregate data about how many entries
come from different regions. This information will not contain any specific data about you or any other
- Your age
The ESAA needs to know your date of birth in order to verify which age group you belong to. We consider
this to be sensitive personal information and this information will not be disclosed to anyone other
than Team Managers and the organisers of each event. The ESAA will never publish dates of birth online or in
any other form. In cases where your age needs to be visible, for instance on printed copies of
entry forms, dates of birth are anonymised to show only month/year, with the day being set to zero.
Age data will be used and published in the results of events at the most general level possible - eg.
age group not actual age.
We may also use your date of birth year and month to create aggregate views of the age distribution of
athletes in each competitive age group. The information gained from
these views will only be used by the ESAA to help us to check whether there is any particular bias towards
older children so that we can take any necessary steps to make competitions fairer.
- Your team or school
For many events this information is required to determine team competition prizes. This data will
appear in published event programmes, tee-shirts, results, and perhaps on TV at televised events.
This will also be passed to hotels or other providers of accommodation
where teams need to stay away from home.
If this causes a problem for you, you are advised to notify your team manager and appropriate steps
will be taken to anonymise such information.
- Phone numbers
We might ask you to disclose one or more phone numbers for you and the people in parental control over you.
They will only be used by team managers and
event organisers to contact you in case of difficulty processing your details, or if the organiser needs to
inform you of any last-minute change to arrangements already sent to you by mail, or in emergencies.
Your phone numbers
will never be sent to anyone other than team managers and event organisers without your explicit
permission, and under no circumstances will they be used for tele-marketing or any other purpose not
directly connected to the event you are involved with.
- Email address
You may be asked to give us your email address. This might be used to send you confirmation of team selection
and might also be used by the event organiser to inform you about any last-minute changes to the event.
Event organisers might wish to email you next year to inform you of details of events.
These are the only times your email address will be used without your explicit permission.
However, event organisers may also wish to be able to offer you further information, including that
from their sponsors, and might also have a regular news-letter they would like to send you from time to time.
In these cases, you will be offered the option to include yourself in these mailing activities, and each
mailing from them will include instructions on how to remove your address from their mailing list.
You will never automatically be included in any mailing list.
- Other data
Event organisers may request that you supply other non-sensitive data such as tee-shirt size, shoe size etc.
You may also wish to request details of other facilities they may be providing for you. Such data will fall
under the Consent legal basis and you are free to withhold any data you do not wish to give.
Your responses will be treated as if they were sensitive data and will be given the same level of
protection as defined (above) for your phone numbers and email address.
Building profiles of children - changes in the GDPR
The GDPR introduces much more strict rules relating to profiling children. From 25th May 2018 nobody
can build or maintain a profile of any child
without having the child's fully informed consent. This means that each child needs to be told what
people are doing
with their data, and ask them to consent to that being done.
The ESAA does not compile profiles of children. We do not do anything to keep track of children's
progress through their athletics careers. We only publish stand-alone results of each competition and we do not
process those results any further.
Other bodies DO compile profiles of athletes' performances in ESAA competitions,
for instance UKA's Power of 10. Frequently, children have consented to them doing that by registering
themselves on their website. However, Power of 10 also builds profiles of athletes in ESAA events without
gaining consent and many athletes are entirely unaware of this. Power of 10
also publishes online the names of unregistered children in their National rankings lists. From 25th May 2018, any such
profiling is not allowed under the GDPR - people may only build profiles of children, and publish names,
where children have registered themselves and given their explicit consent.
Including the names of children in rankings lists is a form of profiling which is not allowed without
the child's consent. This change means that from 25th May 2018, all ranking lists should only contain the names
of children who have consented for their name to be used in this way, any other positions in ranking lists should
be left blank.
The GDPR outlaws presumed consent which means that consent can only be given by people specifically
opting-in to anything. This has implications for children in athletics clubs, where their details have previously
been forwarded to UKA and then on to Power of 10 as an automatic part of them joining a club.
Under the new rules relating to
profiling of children, a new opt-in consent should be gained from each child if they wish to continue being
profiled. Being profiled by Power of 10 is not a necessary part of athletics and
nobody has to agree to that. Anyone not consenting to being profiled should have their current profile deleted.
Likewise, anyone who has never given their explicit consent should have their profile deleted - this includes many
thousands of children who have already been profiled by Power of 10 by virtue of them extracting childrens' data from published
ESAA competition results.
Changing your data
You have a right to ask for any data to be corrected or deleted, any such modification must be done by us
in a short time scale, and we are required to ensure as far as possible that any data which has been passed
on to others is also corrected or deleted. Children have extra special rights which we must observe, the
rights of children carry over into their adulthood, to the extent that an adult can demand that any
consent they gave as a child be revoked, that is, if a child originally said yes, when they are adult (or any
they can change their mind and say no.
Once your details have been entered into an event by yourself or by a teacher or team manager, any
changes to your details must be notified to the person responsible for entering your details into the ESAA
website systems. In the case where you register yourself online into the ESAA website systems, it is your
responsibility to keep the information you register up to date. The ESAA cannot accept any responsibility for
any failure in communicating with you if you fail to update your registered details correctly.
The Data Controller for ESAA data is Joe Lee, registered number Z2405585 who operates under the terms of
this registration as a consultant providing services to the ESAA.
You can find further information about the UK Data Protection Act, the EU General Data Protection Regulation,
and find contact details for registered data
Their website also has the complete text of the GDPR, together with many pages explaining it in great detail.