There are a lot of young people who prefer WhatsApp to communicate with their friends. As a sports club or individual sports coach, it is very convenient to use WhatsApp to communicate with members to organise sessions and for squad communication, but is this going to cause you problems?
In short, the answer is yes, and we will look at some of the reasons why.
Firstly, and most importantly, it is never appropriate and typically against club safeguarding policies to message or email in any way, a child under the age of 18 without the express consent of a parent or guardian. It is also usually a requirement for a parent or guardian to be copied in on every communication with the child, along with the club safeguarding officer, so that everything is transparent. If email is used to do this, there is an auditable trail that serves to protect the interests of the child, the staff member and the club. By using WhatsApp, this will disclose the child’s mobile telephone number to the staff member and there is no longer a single channel of communication between the parties. The use of a group chat for a team will reveal phone numbers to other group members. This may significantly increase the risk of bullying or abuse.
Data protection law
Lawful basis for processing
Clubs need to consider the implications of the GDPR and the Data Protection Act 2018. Much of the responsibility of the club as a data controller, is to limit the use of data for the purposes for which it has been provided. It will be usual for participants in a club activity to either have their personal data processed as part of their membership or under a specific legitimate interest of the club. Occasionally data may be used with the consent of the member or their guardian if they are under 13. Using contact information of a member for anything that is not set out in the membership information is not likely to have a lawful basis and this means you will not be complying with the requirements of the GDPR.
Unwarranted disclosure of personal data
If you club sets up a WhatsApp group for team or squad communication, this discloses the mobile numbers and profile pictures of each and every participant to all the other members of the group. It is important to remember that this may be the personal data of children. There is no reason for this, regarding club administration, and this will not be considered compliant with the principles of limitation of personal data and limiting the purposes of processing to those set out when the data was collected. This is especially true where coaches are allowed to set up groups for their own teams or squads.
Compliance with subject access requests
Data subjects, i.e. your club members and staff, have a right to receive a copy of their data along with other statutory information. The data controller, in this case your club, has one month to respond to any request for access to personal data. A lack of central auditability in WhatsApp makes it difficult for you to easily collate the information required. If staff of your club have been setting up WhatsApp groups to suit the convenience of individual teams, there may be many WhatsApp groups under the general control of your club but that are not known about centrally. Any message in a group chat can be forwarded to any group member’s other contacts. This makes tracing an individual’s data within any use of WhatsApp almost impossible.
Data breach potential
Imagine if a group participant has explained in a WhatsApp group chat, they are unable to make it to training and gives a very personal reason, it may be health related for example. This message could then be forwarded by anyone in the group chat to someone entirely outside the group – all without the knowledge of the club or the individual whose message was forwarded. This would be an awful thing for anyone to have to deal with, let alone a young or vulnerable person. This would also constitute a data breach in the eyes of the UK Information Commissioner and would pave the way for a substantial damages claim against the club – one that would be very difficult to defend.
Transparency & accountability
You are required, as a data controller, to be responsible in the way you are implementing and using technology that processes personal information. If you have allowed the use of WhatsApp by staff to set up team or squad groups, or even use it for staff communications, have you gone through all the steps needed to comply with data protection laws?
You will need to consider and document the following:
- Security of the information
- Undertake a Data Protection Impact Assessment (DPIA)
- Have considered the principle of privacy by design when you implement any WhatsApp group or system
- Retention of group chat data
- Ensure the appropriate level of access control to group personal data to ensure there is privacy by default if this is at all possible
- Create a privacy notice for all users of WhatsApp including staff, coaches and club members
- Create a policy or incorporate WhatsApp use into an existing policy
- Determine a lawful basis for using personal information in a WhatsApp implementation
- How you will delete personal information from any and all group chats if an individual requests deletion
This is not an exhaustive list of considerations but is certainly a minimum
WhatsApp under fire
WhatsApp have been the subject of a long inquiry by the Irish Data Protection Commission. A draft case against them is currently under consideration by various data protection authorities under the cross-border protocol within the regulation. WhatsApp are accused of flouting the GDPR in the information that it passes to its parent company Facebook. In effect it is alleged that they are using personal data unlawfully. There is no prospect of a quick conclusion in this case as WhatsApp will most likely appeal any decision that finally emerges from Europe.
Guest blog attribution:
Andrew Brenton LL.M. ACIArb, founder of IOLIS Mediation & Legal Services