FAI / DDSL: STOP collecting + retaining sensitive children's data– let them play football!
FAI / DDSL: STOP collecting + retaining sensitive children's data– let them play football!
The Issue
Attention of: FAI (Football Association of Ireland) and DDSL (Dublin & District Schoolboys/-girls League)
We as concerned parents are calling on the FAI and DDSL to stop demanding, collecting and retaining sensitive children's data in order to allow them to play football in the DDSL league.
This data includes parent/ child’s name, child’s home address, DOB, a picture of their passport or birth certificate, headshot photos of children of all ages, signatures of parents and children - right down to 7 year olds. This is a massive accumulation of data in one single place, which raises major concerns about data protection and the potential invitation for cybercrime. They really only stop short of asking for fingerprints or an eye scan.
The rationale for this ‘data grab’ as explained to us parents is to verify a child’s age so they play in their appropriate team/ league and not downwards to create an unfair advantage. No parent would argue against this at the outset.
But we highly disagree with the level of information obtained in one place and the unclear storing/ deletion processes in place. eg If these details were to be leaked or hacked, every company's and bank’s security questions could easily be answered by an individual in possession of this data.
Principles of GDPR clearly state: Lawfulness, fairness, and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; and Accountability. (Source: Data Protection Commission Ireland)
We feel that under no circumstances should all this information be collected together in one place as proposed by the FAI/ DDSL and SportLomo.
As of today, Tuesday 12 September 2023, the DDSL have deflected questions asked and instead chosen to defer to FAI policy, and to blame parents who haven’t signed up their children due to valid security concerns for matches being cancelled this weekend.
We, as concerned parents from football clubs in the Dublin District, are therefore calling for ALL below issues to be taken seriously, addressed appropriately, clarified and acted upon without delay by the FAI and DDSL.
· Please give details on:
o WHY the FAI/ DDSL need all of this information in the first place (GDPR issue: Purpose Limitation)
o How long will our children’s passports/ birth certificates be stored on the system and when deleted (GDPR issue: Storage Limitation)
o Who will access the users data (GDPR issue: Integrity & Confidentiality)
· Any birth certificate shows the Mother’s maiden name which is regularly a security question for calls with banks etc. (extremely sensitive information!)
· If parents who have registered their children are now feeling uneasy about having all this information online, please give a thorough explanation on how to go about removing this and who to contact (GDPR issue: Transparency)
· If passport details are needed online, they need to be deleted after verification is complete, and this needs to be done in a timely manner and confirmed to the parents via email once deletion is finished. (GDPR issue: Data Minimisation, Storage Limitation)
· Any leagues for children under 11 years of age are non-competitive, no referee is present to verify ages - so why are they included in this ‘blanket data grab’? (GDPR issue: Purpose Limitation)
· The system the DDSL are using is run by a third party software called SportsLomo. These also run data solutions for many other sports companies and our children’s data is not being kept separate to these. What can the DDSL tell us is being done to keep our data safe? (GDPR issue: Accountability)
· How much access to the sensitive information of our children do the administrators of the clubs have - how much should they have? It has come to our attention that administrators can see all children in their own club – is that necessary? (GDPR issues: Data minimisation & Confidentiality)
· Are all club administrators garda-vetted who are dealing with this sensitive information? Will there be training provided by DDSL to clubs on GDPR and data protection? (GDPR issues: Integrity & Confidentiality)
· The DDSL in an email sent to clubs on Friday 8 Sep 2023 mention a “private section” and a “public section” in their system – can they please clarify where those sections are and who can access them / when/ why and what children’s data is accessible in both. (GDPR issues: Transparency, Integrity & Confidentiality)
· How safe is the system that referees are using in every single match of the DDSL league which gives the child’s name, DOB and headshot – can we revert to their name being ticked off once for verification? (GDPR issues: Data Minimisation, Transparency & Confidentiality)
We all know that the HSE (Health Service Executive Ireland) and the PSNI (Police Service Northern Ireland) did not think they were ever going to be hacked, and also had structures in place to prevent such an attack, nevertheless they were. In terms of storing data, it is a question of WHEN, not IF this data is potentially stolen. Just today, 12 Sep 2023, in Dutch news it was reported that the Dutch Football Association KNVB was hacked, footballer’s names, addresses, passport details, payslips, salaries and medical history was taken to then blackmail the KNVB into paying a €1m fine in an attempt to keep the data from being publicised (!)
If stolen or accessed, our children’s data could possibly be used for creating fake identities, opening fake bank accounts, money laundering, child trafficking, etc., there really are no limits for individuals with malicious intent.
All above questions and issues show clearly that what the FAI and DDSL are asking of parents is very unsafe. Therefore we are asking them to stop this collection of vast amounts of personal data, remove any passport/ birth cert details already collected, and overhaul the registration process on SportLomo to allow for far less information to be collected. If this means age has to be verified manually again – so be it – we are willing to sit down and discuss options. But we are NOT willing to upload all our children’s and our own personal information into an online system where it is only a matter of time until a data breach occurs.
In the meantime, let matches play out as usual and stop cancelling them. We do not take the blame for cancelled matches this weekend - that responsibility lies squarely at the feet of the DDSL for not addressing above issues. We all want our children to be able to start playing football again as soon as possible. Please finally start engaging with parents and change your system now.
With you in sport,
Eliane Polek, Yuliia Buryk, Ciara McGee, Siobhan Odumosu, Gillian Howell and concerned parents from South Dublin District football clubs
The Issue
Attention of: FAI (Football Association of Ireland) and DDSL (Dublin & District Schoolboys/-girls League)
We as concerned parents are calling on the FAI and DDSL to stop demanding, collecting and retaining sensitive children's data in order to allow them to play football in the DDSL league.
This data includes parent/ child’s name, child’s home address, DOB, a picture of their passport or birth certificate, headshot photos of children of all ages, signatures of parents and children - right down to 7 year olds. This is a massive accumulation of data in one single place, which raises major concerns about data protection and the potential invitation for cybercrime. They really only stop short of asking for fingerprints or an eye scan.
The rationale for this ‘data grab’ as explained to us parents is to verify a child’s age so they play in their appropriate team/ league and not downwards to create an unfair advantage. No parent would argue against this at the outset.
But we highly disagree with the level of information obtained in one place and the unclear storing/ deletion processes in place. eg If these details were to be leaked or hacked, every company's and bank’s security questions could easily be answered by an individual in possession of this data.
Principles of GDPR clearly state: Lawfulness, fairness, and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; and Accountability. (Source: Data Protection Commission Ireland)
We feel that under no circumstances should all this information be collected together in one place as proposed by the FAI/ DDSL and SportLomo.
As of today, Tuesday 12 September 2023, the DDSL have deflected questions asked and instead chosen to defer to FAI policy, and to blame parents who haven’t signed up their children due to valid security concerns for matches being cancelled this weekend.
We, as concerned parents from football clubs in the Dublin District, are therefore calling for ALL below issues to be taken seriously, addressed appropriately, clarified and acted upon without delay by the FAI and DDSL.
· Please give details on:
o WHY the FAI/ DDSL need all of this information in the first place (GDPR issue: Purpose Limitation)
o How long will our children’s passports/ birth certificates be stored on the system and when deleted (GDPR issue: Storage Limitation)
o Who will access the users data (GDPR issue: Integrity & Confidentiality)
· Any birth certificate shows the Mother’s maiden name which is regularly a security question for calls with banks etc. (extremely sensitive information!)
· If parents who have registered their children are now feeling uneasy about having all this information online, please give a thorough explanation on how to go about removing this and who to contact (GDPR issue: Transparency)
· If passport details are needed online, they need to be deleted after verification is complete, and this needs to be done in a timely manner and confirmed to the parents via email once deletion is finished. (GDPR issue: Data Minimisation, Storage Limitation)
· Any leagues for children under 11 years of age are non-competitive, no referee is present to verify ages - so why are they included in this ‘blanket data grab’? (GDPR issue: Purpose Limitation)
· The system the DDSL are using is run by a third party software called SportsLomo. These also run data solutions for many other sports companies and our children’s data is not being kept separate to these. What can the DDSL tell us is being done to keep our data safe? (GDPR issue: Accountability)
· How much access to the sensitive information of our children do the administrators of the clubs have - how much should they have? It has come to our attention that administrators can see all children in their own club – is that necessary? (GDPR issues: Data minimisation & Confidentiality)
· Are all club administrators garda-vetted who are dealing with this sensitive information? Will there be training provided by DDSL to clubs on GDPR and data protection? (GDPR issues: Integrity & Confidentiality)
· The DDSL in an email sent to clubs on Friday 8 Sep 2023 mention a “private section” and a “public section” in their system – can they please clarify where those sections are and who can access them / when/ why and what children’s data is accessible in both. (GDPR issues: Transparency, Integrity & Confidentiality)
· How safe is the system that referees are using in every single match of the DDSL league which gives the child’s name, DOB and headshot – can we revert to their name being ticked off once for verification? (GDPR issues: Data Minimisation, Transparency & Confidentiality)
We all know that the HSE (Health Service Executive Ireland) and the PSNI (Police Service Northern Ireland) did not think they were ever going to be hacked, and also had structures in place to prevent such an attack, nevertheless they were. In terms of storing data, it is a question of WHEN, not IF this data is potentially stolen. Just today, 12 Sep 2023, in Dutch news it was reported that the Dutch Football Association KNVB was hacked, footballer’s names, addresses, passport details, payslips, salaries and medical history was taken to then blackmail the KNVB into paying a €1m fine in an attempt to keep the data from being publicised (!)
If stolen or accessed, our children’s data could possibly be used for creating fake identities, opening fake bank accounts, money laundering, child trafficking, etc., there really are no limits for individuals with malicious intent.
All above questions and issues show clearly that what the FAI and DDSL are asking of parents is very unsafe. Therefore we are asking them to stop this collection of vast amounts of personal data, remove any passport/ birth cert details already collected, and overhaul the registration process on SportLomo to allow for far less information to be collected. If this means age has to be verified manually again – so be it – we are willing to sit down and discuss options. But we are NOT willing to upload all our children’s and our own personal information into an online system where it is only a matter of time until a data breach occurs.
In the meantime, let matches play out as usual and stop cancelling them. We do not take the blame for cancelled matches this weekend - that responsibility lies squarely at the feet of the DDSL for not addressing above issues. We all want our children to be able to start playing football again as soon as possible. Please finally start engaging with parents and change your system now.
With you in sport,
Eliane Polek, Yuliia Buryk, Ciara McGee, Siobhan Odumosu, Gillian Howell and concerned parents from South Dublin District football clubs
Petition Closed
Share this petition
Petition created on 13 September 2023