The EU’s new data protection regulations, the General Data Protection Regulation (GDPR), come into effect on the 25th of May 2018. The new regulations set higher standards on personal data protection and the IOF manages several information systems and databases containing personal data. The work on setting the appropriate privacy protection has been done in several steps:
- GDPR training and information collection – What is it and what does it mean for IOF?
- Make an inventory of databases and systems, defining critical, essential and standard personal information that is managed
- Prioritize improvements and create a work list
- Implement the actions on the work list
The process of adapting to the new regulations will continue during the remainder of 2018, to ensure that the personal data we manage is held for a purpose, and to remove unnecessary data (restrict access; de-personalise or delete). Personal data and data of public interest have also been defined, and managing these definitions will be a continuous process. The table below shows the largest and most important information systems where the IOF handles personal data and the processes we are working with to improve them. If you have any questions about data privacy and data protection, please contact david.wastlund@orienteering.org or the dedicated contact route for the system/data of interest. Some of the listed improvements have already been made; others are planned. If you find areas of improvement, please contact us.
IOF Eventor
Together with the service provider, the Swedish Orienteering Federation, we have identified several areas for improvement:
- better information on how personal data will be used
- restrict access; de-personalise, or delete data (for example: display of full date-of-birth)
- open request-channels for removal of personal data
- define what information (use and purpose) may be shared between IOF and other organisations (IT systems) through data share protocols (API). Define and write contracts of shared information between IOF Eventor and other IT systems.
World Ranking System
- remove display of full date-of-birth
- define data retrieval contract between Eventor and WRS
IOF LIVE Orienteering
- better information on how personal data will be used
- open channels for removal of personal data
- define data retrieval contract between Eventor and LIVE Orienteering
World Orienteering Day website
- open channels for removal of personal data
- better information on how personal data will be used
Orienteering.org
- develop personal data management statement in “Working within the IOF”-document.
- address data protection in training for new IOF staff
Anti-Doping management and Paralympic eligibility applications management
- Access to information within IOF Office further restricted
Global Orienteering Volunteer Platform
- Better data privacy management declaration on the register page
Other
Oversee and improve processes such as:
- how to find the balance between easy sharing of information within modern cloud-based information management systems vs more traditional ‘inhouse’ managed and closed systems in a global arena
- how to ensure that appropriate data privacy standards are followed by the IOF Office; IOF Council and Commissions; IOF Event Advisers and Contractors; IOF System administrators and data management service providers
- communication – how to send emails to multiple recipients with strictly confidential, confidential and non-confidential material (including personal data)
- communication – how to manage shared email accounts vs personal email accounts
- communication – how to share information that has been shared with IOF without clear mutual understanding and purpose