Data Privacy Policy

Version 1 2019 – Updated 11th April 2019

IAFA Data Privacy Policy
This notice describes how the Irish American Football Association (IAFA) processes personal data. In particular, it describes the types of personal data collected, the purposes for which that personal data is collected, the limited contexts in which personal data may be shared with other parties, and the measures IAFA takes to protect the security of the data. It also outlines IAFA members’ rights and choices with respect to personal data, and how to contact IAFA to update your data or ask questions about IAFA data and privacy practices.

IAFA processes personal data to administer and conduct the playing of American Football and American Football related activities. Data used for this purpose includes membership and player registrations, official and coaching registrations, team sheets, disciplinary processes, communications and notifications of events, fundraising and promotional activities, coaching activities and compliance related requirements (i.e. vetting and insurance).

1. What data IAFA has about members

IAFA controls certain information about IAFA members, regardless of their registrations status (i.e. regardless of whether they are registered as coaches, officials, players, etc.) including:

  • Name
  • Email address
  • Home Address
  • Telephone contact details
  • Date of birth
  • Team (if relevant)
  • Coaching qualification details (if relevant)
  • Officiating Qualifications (if relevant)
 This information is in IAFA’s control. It is provided by members and is logged on a third party web service provider called Azolve, which members use to sign up at the beginning of a season. IAFA accesses this data for limited and defined purposes connected with its functions in administering the sport of American Football. The commissioner and one IAFA board member will have full admin rights to the Azolve system. IAFA is also required by its by-laws and by its status as the governing body for American Football in Ireland to process certain data regarding members, including:
 
  • personal data entered on team rosters
  • personal data entered on official’s game reports
  • records of disciplinary matters
  • Board meetings, AGMs, EGMs and SGMs and
  • (in certain circumstances and in line with IAFA data policy and Officiating Footage Policy) video footage of games. 
 IAFA’s policy is to minimise the amount of personal data it collects so that it only has what is needed to perform its role. IAFA’s policy is not to collect, maintain, or process data beyond those currently hosted by Azolve, and those necessary for complying with the IAFA By Laws and game rules (e.g. the processing of data on rosters, team sheets, referee’s game reports etc.). In the event that IAFA processes any data beyond this, it will communicate with the data subject to that effect, will deal with the data in accordance with IAFA’s data protection policy, and will ensure that appropriate data protection safeguards are in place.
 
IAFA’s policy is not to collect, process, or deal with members’ sensitive personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In some cases, where it is absolutely necessary to do so, IAFA may collect and process such information where doing so is critical to the functioning of IAFA (e.g. IAFA may process data relating to someone’s health in relation to on-field injuries). In such a case, IAFA will ensure that the data subject is informed of such processing, and that such data is subject to all relevant data protection safeguards.
 
2. The grounds on which IAFA processes data
 
IAFA is the national governing body for American Football in Ireland, a status conferred on it in association with Sport Ireland under relevant legislation.
 
IAFA processes personal data in pursuit of its functions as the national governing body. It is necessary to process personal data in connection with many important functions IAFA exercises under its constitution and by-laws. For example:
  • Names and various other player details are required to be processed by IAFA, including by IAFA’s officiating department, in order to secure compliance with rules regarding player eligibility and suspensions,
  • Personal data such as date of birth is required to assess player eligibility, level of competitive football relevant to the player, and whether child protection policies apply in certain cases (e.g. re youth football),
  • video footage is required to be shared with and processed by IAFA for the purposes of resolving appeals relating to ejections.
 IAFA processes personal data on the basis that it is necessary to do so in order to comply with legal obligations set out in IAFA’s by-laws and constitution, and obligations on IAFA to regulate the sport of American Football in Ireland, and on the basis that IAFA carries out its functions in the public interest and in exercise of official authority as a national governing body. IAFA will, on occasion and where necessary, carry out processing for the purposes of pursuing its legitimate interests, such as the promotion of American football in Ireland. In all cases IAFA will have regard to the rights and interests of data subjects, and all processing by IAFA will take place in accordance with this policy.
 
 3. What IAFA does with your data
 
IAFA uses personal data to fulfil its duties to administer, regulate, promote, and facilitate the sport of American football in Ireland. The uses of personal data will include:
 
  • To communicate with data subjects regarding membership of IAFA or the status of a member in any respect,
  • To support or corroborate details provided on game day, via rosters provided to officials, game tape, or otherwise,
  • To consider disciplinary matters or appeals in accordance with the IAFA by laws and constitution,
  • For the purpose of proper, transparent, efficient, and lawful administration of the sport of American Football in Ireland,
  • To update records or to perform data analyses of membership statistics,
  • To ensure accuracy and quality of data retained, 
  • To comply with our legal obligations, including, without limitation, regulatory obligations, obligations under data protection law, and obligations arising as a member of Sport Ireland, or otherwise enforce or protect IAFA’s rights.
  • As otherwise permitted pursuant to this Privacy Policy or as otherwise authorized by members.
Your data will be processed only by people authorised to do so in relation to the specific processing in question. Such processing will be carried out in accordance with IAFA’s data policies. For example, hard copy rosters will be dealt with by referees on game day in accordance with IAFA By Laws as per Section 1.O.1. IAFA will ensure that such processing does not involve third parties and that; save as contemplated by this policy, personal data controlled by IAFA is not transferred to any third party.
 
4. Sharing Data
 
IAFA will not share personal data with third parties other than in accordance with this policy, and in pursuit of the basis for which the information was collected or processed. Any data shared with a third party shall be anonymised to the greatest practicable extent, and shall be shared in accordance with this policy. Unless sharing personal data with a third party is required by law, IAFA will seek consent of data subjects before sharing personal data.
 
Examples of cases in which IAFA may share personal data with third parties include:
 
  • Communicating with event providers or hosts, sports agencies, entertainment representatives, tour operators or other persons involved in facilitating, hosting, organising, or liaising with IAFA-related or IAFA-sanctioned football,
  • Communicating re data hosted by service providers (e.g. Azolve),
  • Communicating relevant information to any external third party who has a legitimate and lawful interest in receiving the personal data from IAFA, e.g. auditors, officials of Sport Ireland, or members of a disciplinary committee.
  • If IAFA is required to disclose personal data by law or as part of a legal process, in response to a request from a court, law enforcement authorities, or public/government officials,
  • When sharing personal data is necessary or appropriate to prevent physical harm or financial loss,
  • In connection with an investigation of suspected or actual fraudulent or illegal activity,
  • As otherwise permitted pursuant to this Policy.
5Security
 
 IAFA will review, monitor, and evaluate its privacy practices and protection systems on a regular basis. The policies and procedures relevant to the protection and management of personal data are the responsibility of the IAFA management board and the administration of IAFA, and IAFA’s policies are consistently reviewed by the Board.
 
IAFA will take measures to delete personal data (or to keep it in a form that does not permit identification of an individual) when data is no longer necessary for the purposes for which it is processed, unless required by law to keep this information for a longer period. When determining the retention period for personal data, IAFA takes into account various criteria, such as the nature of the data, potential risks arising to IAFA and/or to the data subject and/or to any other person from the deletion of the data, the likelihood of the data being relevant to the purpose for which it is processed in future, the impact on IAFA’s functioning if the data is deleted, and mandatory retention periods provided by law and the statute of limitations.
 
As a 32 county organisation and as an organisation promoting and sanctioning international sporting competition, IAFA will sometimes be required to transfer personal data between legal jurisdictions. IAFA is occasionally required to transfer such data for the purposes of processing player transfers. If data is transferred to a jurisdiction in which data protection standards differ to those applicable in the EU, we will take steps to ensure that as little data as possible is so transferred, that data is anonymised as far as possible, and that data subjects are informed of such a data transfer and of the relevant safeguards applicable to it. When IAFA transfer your personal data to other countries, IAFA will protect that information as described in this document or as disclosed to you at the time of the collection.
 
IAFA’s policy is not to deal with the personal data of anyone under the age of 16.
 
6. Your data and your rights
 
Subject to applicable legal obligations, data subjects whose data is controlled or processed by IAFA may have the right to:
 
  • Enquire whether their personal data is being processed, and on what basis such processing takes place, and details about that data such as any recipient(s) of the personal data to whom the personal data has or will be disclosed, and the retention period for the relevant data,
  • To request copies of certain personal data regarding them,
  • Opt out of collection and processing of their personal data in certain respects,
  • Request access to and receive information about the personal data kept by IAFA about them,
  • Update and correct inaccuracies in that personal data without undue delay – if a person’s personal data is incomplete, they have the right to have that data completed, including by means of providing supplementary information,
  • Restrict or object to the processing of personal data,
  • Have data anonymized or deleted, as appropriate,
  • Exercise rights to data portability to easily transfer information to another entity,
  • Lodge a complaint with an appropriate supervisory authority, including The Data Protection Commissioner. 
  • Withdraw any consent previously provided regarding the processing of personal data, at any time and free of charge. IAFA will apply such preferences going forward and this will not affect the lawfulness of the processing before the withdrawal of consent.
Those rights may be limited in some circumstances by legal requirements. Note that, depending on the extent of the requested data deletion or opt-out, it may not be possible for a member to participate in football if certain essential information is not available to IAFA for processing. If a data subject would like to exercise their rights described above, please see the “Contact and Support” section below.
 
7. Updates
 
IAFA’s data policy may be updated from time to time to reflect changes in IAFA’s data practices. IAFA will indicate at the top of the notice the date on which it was most recently updated. If IAFA update their data policy and/or privacy notice IAFA may seek your consent.
 
8. Process for dealing with a Data Access Request
 
Definitions:
Data Controller – IAFA Board
Data Subject – The person(s) requesting a Data Access Request
A Data Access Request can be received from any current member of IAFA. Proof of registration may be requested.
 
Once a Data Access Request has been received it will be acknowledged the Data Controller officially. This will be completed within one (1) month of receipt of the request. The Data Controller can extend the time to respond by a further two (2) months if the request is complex or they have received a number of requests from the Data Subject. The Data Controller will respond within one (1) month to notify of the extension period.
 
The Data Controller will deal with requests free of charge. However, where requests from a Data Subject are considered ‘manifestly unfounded or excessive’ (for example where an individual continues to make unnecessary repeat requests or the problems associated with identifying one individual from a collection of data are too great) the Data Controller may:
 
  1. Charge a reasonable fee, taking into account the administrative costs of providing the information/ taking the action requested; or
  2. Refuse to act on your request.
9. Contact and support
 
Anyone can contact IAFA regarding personal data, or generally regarding IAFA’s data policies and practices, at enquiries@americanfootball.ie
 
This point of contact can be used for all data-related purposes, including:
 
Queries seeking confirmation of whether a data subject’s personal data is being processed,
Data access requests,
Complaints about data or privacy
Erasure requests
Queries on whether personal data is accurate and up-to-date.
 
IAFA members may also wish to view the Data Protection policies and procedures put in place by Azolve, which can be viewed here: www.azolve.com/media/131087/Azolve-Data-Protection-Dec2015-.pdf