Privacy by design: what GDPR means for your open opportunity data

Leigh Dodds, published in OpenActive, May 29, 2018

Most opportunity data isn’t personal data, but GDPR principles apply when it is. A privacy-by-design approach to publishing systems will help data publishers ensure that personal data isn’t shared without consent while respecting user needs.

Opportunity data describes when and where sports and physical activities take place. This might include class descriptions, sports halls and pitch availability, and courses and ticketing information.

However, opportunity data shouldn’t include personal data: information about the people who take part in those activities.

The descriptions of sessions held in booking systems often include information about the people leading those sessions, for example information about a coach or personal trainer. This information can be useful for attendees as they may want to train with a specific person, contact the session leader, or understand more about who is leading an activity.

Similarly, activity providers often publish photographs of previous events, to help potential participants get an idea about what participating in an event will involve.

We know from our user research that this type of information can help people make a decision about whether to take part in an activity. But the information about people leading or coaching sessions — and photos of previous participants — are all personal data.

As we have said before in our guidance for booking systems and highlighted in our open standards, opportunity data should not include any personal data unless you are certain the people it is about are happy with that. You can ask them for their consent explicitly, or in some cases you might assess that sharing some personal data is in the interests of people considering taking part.

Activity providers, booking systems and data users across OpenActive should already be thinking about their new responsibilities under the General Data Protection Regulation (GDPR) and the opportunities it brings for innovation and building trust with customers.

We want to help clarify our responsibilities to build trust in how this data is used and shared and in the services everyone is providing.

What should data providers do?

Booking systems and other developers implementing the OpenActive data standards should design their applications so that personal data is not included in data feeds by default. This includes all the information described above: details about the organisers and leaders of an event, personal contact information, photographs and other personal data.

Some coaches or session leaders may wish to publish and share information about themselves, but we think this should only be done if they have given consent. People should be able to advertise their sessions without providing details about themselves.

Designing data publishing systems using a privacy-by-design approach will help to ensure that personal data is not shared without appropriate consent and with proper attention to user needs.

Using photographs — from Sport England’s image library or through a search for openly licensed pictures, for example — might be an alternative option if the consent to use photographs is unclear.
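One way a booking system could apply the "not included by default" rule described in this section, shown as an added example rather than code from OpenActive or any booking system. The field names, the consent set and the stock-photo parameter are illustrative assumptions, not taken from the OpenActive standards.

```python
import re

# Illustrative field names, not taken from the OpenActive standards.
PUBLIC_FIELDS = {"id", "name", "description", "startDate", "location"}
CONSENT_FIELDS = {"leader", "contact", "photo"}  # personal data, opt-in only
FREE_TEXT_FIELDS = ("name", "description")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# UK-style numbers such as "07700 900123" or "+44 7700 900123".
PHONE_RE = re.compile(r"(?<!\d)(?:\+44[\s-]?|0)\d(?:[\s-]?\d){8,9}(?!\d)")


def to_feed_item(record, consents=frozenset(), stock_photo=None):
    """Return (item, findings) for one booking-system record.

    Only allow-listed fields are copied; personal fields are added solely
    when named in `consents`. `findings` lists free-text fields that look
    like they contain contact details and need review before publishing.
    """
    item = {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
    for field in CONSENT_FIELDS & set(consents):
        if field in record:
            item[field] = record[field]
    if "photo" not in item and stock_photo:
        item["photo"] = stock_photo  # openly licensed substitute image
    findings = [
        f for f in FREE_TEXT_FIELDS
        if EMAIL_RE.search(str(item.get(f, "")))
        or PHONE_RE.search(str(item.get(f, "")))
    ]
    return item, findings


# Constructed sample record (not real data).
RECORD = {
    "id": "s1",
    "name": "Beginners yoga",
    "description": "Text Sam on 07700 900123 to book",
    "startDate": "2018-06-01T18:00:00+00:00",
    "leader": {"name": "Sam Example"},
    "photo": "https://example.org/class.jpg",
    "internalNotes": "paid in cash",
}

if __name__ == "__main__":
    print(to_feed_item(RECORD))
    print(to_feed_item(RECORD, consents={"leader"}))
```

A record with non-empty findings should be held back for review rather than published, since the contact details sit in a field that is public by default.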

What should data reusers do?

While an open licence gives permission for data to be accessed, used and shared for any purpose, its users must still respect relevant laws and regulations, such as the new GDPR legislation.

As a consumer of open opportunity data you should be clear on your responsibilities under the new GDPR legislation, including allowing users to exercise their rights over data about them.

For example, a coach might reasonably request that you delete or stop processing data about them. This might happen for a number of reasons:

  • they may have withdrawn consent
  • there may have been a minor breach due to a user mistakenly including contact details or personal data in the wrong field in a booking system
  • or a user may just be uncertain about how you have obtained and are using data about them

Intermediaries and other consumers of open opportunity data should:

  • be transparent about their data sources, by clearly and visibly attributing their sources
  • ensure they are providing clear contact details to allow people to exercise their rights under GDPR
  • only store data they need and ensure that they regularly delete older data that may include personal information
  • report potential data errors or breaches back to publishers, to enable them to correct the data at source
  • ensure they are correctly processing feeds to delete or remove data, to allow publishers to correct errors

These requirements should all naturally be fulfilled as part of implementing the GDPR, conforming to the terms of the Creative Commons Attribution Licence which all publishers are currently using, and correctly implementing the Realtime Paged Data Exchange specification which clearly identifies updated and deleted records.
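The feed-processing and retention points above, sketched as an added example that is not code from OpenActive or the specification authors. It assumes Realtime Paged Data Exchange pages shaped as `next` plus `items` carrying `state`, `kind`, `id`, `modified` and `data`; the `endDate` field, the 30-day retention period and the sample pages are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone


def apply_page(store, page):
    """Apply one feed page to a local store keyed by (kind, id); return next URL."""
    for item in page["items"]:
        key = (item["kind"], item["id"])
        if item["state"] == "deleted":
            # Hard-delete: nothing about the record survives locally.
            store.pop(key, None)
        elif item["state"] == "updated":
            # Replace, never merge, so a field the publisher removed
            # (for example a leader's name) disappears here as well.
            store[key] = {"modified": item["modified"], "data": item["data"]}
    return page["next"]


def purge_ended(store, now, keep_for=timedelta(days=30)):
    """Drop sessions that ended more than keep_for ago (assumed retention rule)."""
    cutoff = now - keep_for
    expired = [
        key for key, rec in store.items()
        if "endDate" in rec["data"]
        and datetime.fromisoformat(rec["data"]["endDate"]) < cutoff
    ]
    for key in expired:
        del store[key]
    return expired


# Constructed sample pages (not real feed data).
PAGE_1 = {"next": "https://example.org/feed?afterTimestamp=3&afterId=c", "items": [
    {"state": "updated", "kind": "session", "id": "a", "modified": 1,
     "data": {"name": "Yoga", "leader": "Sam Example",
              "endDate": "2018-05-01T19:00:00+00:00"}},
    {"state": "updated", "kind": "session", "id": "b", "modified": 2,
     "data": {"name": "Run club", "endDate": "2018-01-01T10:00:00+00:00"}},
    {"state": "updated", "kind": "session", "id": "c", "modified": 3,
     "data": {"name": "Swim", "endDate": "2018-06-01T10:00:00+00:00"}},
]}
PAGE_2 = {"next": "https://example.org/feed?afterTimestamp=5&afterId=c", "items": [
    {"state": "updated", "kind": "session", "id": "a", "modified": 4,
     "data": {"name": "Yoga", "endDate": "2018-05-01T19:00:00+00:00"}},
    {"state": "deleted", "kind": "session", "id": "c", "modified": 5},
]}
```

Running `purge_ended` on a schedule after each feed pass keeps the local copy limited to what the publisher still lists and what the retention rule allows.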

What more can everyone do?

Having good data security and complying with GDPR is a minimum standard for building trust about how data is collected, used and shared.

We also recommend that all organisations participating in OpenActive should meet the Open Data Institute’s principles for handling personal data. Being open and transparent about how data is being used helps to build trust.

We’d also recommend that all organisations consider using the Data Ethics Canvas to help explore the ethical issues around use of data.

If you have any questions about publishing and using open opportunity data, then please get in touch.
