This policy is effective as of 25th September 2018.
At parkrun we are committed to respecting and protecting your online privacy. This includes your right to know what we do with the personal information you share with us. It also guides our policies regarding the management of your data, including how the information is collected, how it is processed, and for what purposes.
It is important to us that we communicate our policies and procedures with you clearly and in a manner that provides clarity to you the parkrunner. As such, this policy covers the following key areas:
- Background Information
- Why we need your data
- Categories of Data
- What data we collect
- What data we share
- How we contact you
- How we protect your information
- Retention Periods
- Automated Decision Making
- Your rights to manage your data
1. Background Information
parkrun Global Limited (parkrun Global) is a UK-based charity (Charity Number: 1175062) that ultimately oversees the delivery of parkrun events across the world. Each parkrun country has a relationship with parkrun Global (typically through a licence agreement or subsidiary status) that grants it the right to manage local parkrun events. As part of that relationship, parkrun Global collects, manages, and processes all associated data and is therefore considered the data controller for all parkrun group companies and all parkrun events worldwide.
Our designated Data Protection Officer is Tom Williams (COO, parkrun Global).
FAO: Data Protection Officer
Unit 3, Lower Deck
2. Why We Need Your Data
In order to support our global network of parkrun events it is critical we understand who is participating. There are many reasons for this, from simple stuff like providing participants with information around how and when they have taken part, through to more complex challenges such as measuring the impact of our events on those communities most in need of increasing their physical activity levels and social engagement.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require that all information we collect must be done so under a specific lawful basis. There are six clearly-defined lawful bases for processing information, and we categorise the majority of our data processing under three of those: Contract, Legitimate Interests and Consent.
When you register for parkrun we need certain information about you to enable us to provide you with the service of walking, running, or volunteering at our events, and to ensure those events are delivered to an appropriate standard, and to allow us to provide you with accurate records of your participation.
If you do not provide the information required then we will not be able to provide you with records of your participation.
2.2. Legitimate Interests
Outside of your direct participation we also wish to develop the reach and impact of our events and as such have a legitimate interest to process certain information with this aim. This includes things like carrying-out research to further understand who is or isn’t participating in our events (in order to understand our ability to impact those most in need) or capturing and sharing images of our events taking place, helping us to inspire other people to engage in physical activity and redefine what it means to be active.
Above and beyond simple participation as a walker, runner, or volunteer, there are a number of ways you can help us to ensure our events positively impact the health and happiness of their local communities, and remain free to participate in.
One of the best ways to support us in this way is by consenting to receive emails regarding things like milestone t-shirts, event profiles, offers, competitions and emails from our partners, training tips, and more. We therefore provide the opportunity at registration, and via your profile, to opt in to these communications. You can opt out at any time.
Due to GDPR requirements for providing consent, we do not process any data on children under the age of 13 if it would require consent as the lawful reason for processing. For this reason, children under the age of 13 do not have the option to opt in to the above emails.
2.4. Other Bases
Although extremely rare, there can be occasions where we are required to process information under one of the other three lawful bases: Legal Obligation, Vital Interest, Public Task.
3. Categories of Data
We utilise the following definitions for the types of data we collect:
3.1. Profile & Identity
parkrun ID, password, participation instances (walking, running, volunteering), date of birth, gender, full name, images, postcode (not used for purposes of contact), marketing preferences, medical/health information, third party linking information.
Email address, mobile phone number (SMS results service).
IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, records of pages visited and other information about the devices you use to access the site.
As part of our continual review of incidents at parkrun events we maintain a record of relevant details.
Any data submitted to us as part of research activities.
3.6. Event Imagery
Filming and photography captured at our events.
4. What Data We Collect
There are a number of ways where either you are able to explicitly share data with us or we are able to collect it as a result of your actions:
4.1. At registration
We collect information about you that allows us to support your participation in our events. We use this information to create a profile for you on our database, to which we can connect walking, running, or volunteering instances that in turn track your progress toward various parkrun participation milestones. We also collect information around your activity levels and other relevant personal information that may help us support your participation more appropriately.
4.2. Using your profile
You can update information such as emergency contact details, email address, home event and mobile number in order to receive participation notifications via SMS (in some countries).
4.3. By linking your parkrun account with a third-party account
Such as by connecting your parkrun profile with Strava you can connect services that you use.
4.4. Research Surveys
From time-to-time we send out research surveys that allow us to develop an understanding of parkrun and its participants.
4.5. Partner surveys
Sent out by us, help to support our sponsors and other stakeholders in understanding their level of connection with the parkrun communities they support.
4.6. Incident reports
Compiled by our local volunteer teams in the event of an incident. Relevant data is collected by the volunteers and uploaded directly or via email to our secure online incident reporting system. In some cases staff add to this data through the process of following-up on incidents.
When you visit our websites, cookies will be stored on your computer. Generally, cookies and similar technologies work by assigning to your browser or device a unique number that has no meaning outside of parkrun. We use these technologies to personalise your experience and to assist in delivering content specific to your interests. Additionally, after you’ve entered your parkrun ID and password we save that information so you don’t have to re-enter it repeatedly. Most browsers automatically accept cookies.
To manage the collection of information through cookies or other equivalent technology you can use the settings on your browser or mobile device.
4.8. Log Files
The collection of information: Every time you connect to parkrun websites your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to you. We do not use this technology to obtain any personal data against your knowledge or free will (i.e. automatically recording email addresses of visitors). Nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.
4.9. Web Beacons
These are small pieces of code that deliver a graphic image on a web page or in an email for the purpose of transferring data back to us. The information collected via this process will include information such as IP Address, as well as information about how you respond to an email campaign (e.g. at what time the email was opened, which links you click on in the email, etc.).
We may use web beacons on our websites or include them in e-mails that we send to you. We use this information for a variety of purposes, including but not limited to, site traffic reporting, unique visitor counts, advertising, email auditing and reporting, and personalisation.
In some cases we allow our partners to include web beacons in emails served by us on their behalf. In these instances they are only able to collect anonymous data and have no access to personal information.
4.10. Local Volunteer Event Teams
In order to support our local event teams’ requirement to manage their volunteers, process results, and record incidents, we created a dedicated online system, called WebFMS. This enables event teams to carry out their roles with regards the safe and appropriate management of their events, without the need for them to hold or have access to sensitive personal data of their participants. For example, they are able to email their volunteers through WebFMS without being able to see individual email addresses.
It is important to note however that due to the nature of our events, friendships form and as a result event teams are likely to also communicate directly with each other through platforms such as Facebook, WhatsApp, SMS or email.
4.11. Social Media
4.12. Event Photography and Filming
Photography or filming is likely to take place at our events, is common practice, and helps us to inspire other people to engage in physical activity and to redefine what it means to be active. It also provides a means for historical recording of our events over time. Furthermore, our use of images helps to demonstrate diverse groups of people engaging in and enjoying physical activity both during parkrun events but also as part of the wider community.
We ensure compliance with safeguarding laws and are supported both in-house through our Safeguarding Lead and externally with the support of other experts in the field of safeguarding. All volunteer photographers at parkrun events are registered with parkrun and required to wear a parkrun high-vis vest, further details of our Photography Policy are published here.
In line with the lawful basis of Legitimate Interest individuals have the right to object to this method of data processing by contacting the event team directly, or parkrun head office, and requesting deletion of relevant imagery. At event-level we will also seek, where the event is informed in on the day, not to photograph those individuals who have previously objected.
In exceptional circumstances, such as for our participants within the custodial system, we allow/require participants to register under a pseudonym. If you have any questions on this process please contact us via support.
5. What Data We Share
5.1. Publicly Available Information
We do not offer privacy settings in relation to your walking, running, or volunteering participation, and as such our websites display your name, age category, gender, age grade, participation locations, and finish times. We do, in some cases, share (under the lawful basis of legitimate interest) this publicly-visible data with third parties such as the UK-based Power of 10 website (who, for example, aggregate results from running events across the UK).
5.2. Third-Party Connections
Across parkrun territories we offer a number of opportunities for our members to connect their parkrun accounts with other accounts in their name. This could be for the purposes of linking to activity tracking platforms, or sending activity data to incentivised wellness programmes. This can only happen at the request of the user, the specific data shared is clearly defined, and the integration can be stopped at any time by the user simply opting out.
5.3. Anonymised Participant Data
Our mission statement is to create a healthier and happier planet and, as a result, much of our internal work centres around understanding the health and wellbeing of our communities. As part of this we have an exclusive global research partnership with the Advanced Wellbeing Research Centre (AWRC), a Department of Health and Social Care funded research centre based in Sheffield, England. Under the lawful basis of Legitimate Interest, we pass anonymised & published participant data to the AWRC who are then able to support health-focused research utilising this data, out of which research articles may be published containing anonymised data. All research on the anonymised data, that is approved by the parkrun Research Board, will have achieved ethical approval through an independent research ethics board.
5.4. Personal Contact Details
We do not share our users’ personal contact details with any third parties. All communications sent to our database on behalf of our partners are sent directly by us and only where you have consented for us to do so.
6. How We Contact You
The large majority of our outgoing communication, to the parkrun community, is via email. Sending an email to you is a form of data processing, and as such may only be carried out under a specific lawful basis.
6.1. Under the Lawful Basis of Fulfilling a Contract
In order to fulfil our obligation to you as a parkrunner, to ensure our events are delivered in a safe and appropriate manner, and to ensure the parkrun organisation is managed appropriately, there are some communications we send to everyone. The following communications fall into this category:
- Confirmation you have registered with us.
- Confirmation that your participation (walking, running, or volunteering) has been recorded by the local event team.
- Notification that you have joined a parkrun milestone club and are eligible to claim any associated items such as t-shirts, wristbands, or certificates.
- For those who have volunteered at a parkrun event, a regular national volunteer update.
- For those who have signed up to volunteer at a specific parkrun event, emails from that event team relating to that volunteering situation.
6.2. Under the Lawful Basis of Legitimate Interest
There are some occasions where we may contact you as part of our mission to make the world healthier and happier. For example, where we write to people who’ve registered but not participated, with the aim of understanding why and then being able to create a more supportive environment. The following types of communications fall into this category:
- Questionnaires aimed at developing our understanding of who is participating.
- Emails sign-posting participants to peer-support groups we feel may be suitable based on information you have provided.
- Questionnaires for research aimed at understanding the effect of parkrun on global health and wellbeing.
- Local event teams directly contacting specific parkrunners using the WebFMS platform.
You have a right to object to receiving these emails, to do that please contact us directly.
6.3. Under the Lawful Basis of Consent
Not only is our mission statement focussed on improving the health and happiness of our communities, but we have also made a commitment that participation in parkrun will be free, forever, for everyone. There are ways in which we rely on parkrunners to achieve both of those ambitions, some of which require us to be able to send certain communications. We therefore offer all parkrunners the chance to opt-in (at registration or via their profile) to receive regular updates from us and our partners.
Consent can be withdrawn at any time but does not apply to processing that happened before the consent was withdrawn.
Individual parkrunners can also opt in to receive local volunteer appeals from the events of their choice. This can be amended at any time.
7. How We Protect Your Information
We work extremely hard to apply appropriate security measures in order to protect your data from being accessed or disclosed without your permission, or lost. We have a relatively small staff team, who are regularly updated on good practice in data handling, all personal data is password protected and only available to those with a specific need for access.
In the event of a data breach we will notify you and any applicable regulator, where legally required to do so.
At local event level we ask our teams to support all participants (walkers, runners, and volunteers) using our secure online platform (WebFMS) and their official email account (which we also maintain control of centrally). As such, the only personal information event teams hold on their participants is an email address if an email has previously been sent to the event email account. All event-team email accounts are password protected.
Whilst we understand that event teams will also hold files that include parkrun ID barcode numbers of specific participants, this is publicly available information. Should a parkrunner request that their data be deleted from our servers, these barcode numbers will no longer be able to identify specific individuals.
Some event teams also use Facebook to communicate with participants, in these cases we retain admin control centrally and are able to control/remove access when required.
7.1. Third Country Data Transfers
On occasion we may use third parties for the purposes of data processing, and these may reside outside of the European Economic Area (EEA). These third parties are selected only if they exist in a territory deemed compliant with relevant legislation (read more) or with regards to third parties based in the US they must be part of the Privacy Shield (read more).
8. Retention Periods
In order to present our data retention periods as simply as possible we have chosen to do so
using our definitions of categories of data defined in section 3 above.
8.1. Profile & Identity Data – In perpetuity
This is in order to create our results tables, maintain historic records of participation, to allow participants to access their participation records, and to allow anyone who is registered with us to participate at any future parkrun event without the requirement to re-register.
8.2. Contact Data – Ten years from most recent participation instance
It is common for people to leave significant time periods between walking, running, or volunteering at our events. It is also common for people to enjoy receiving our communications without participating at our events themselves.
8.3. Technical Data – Three years from point of data collection
In order to provide the best possible service to our users, to support the administration of our systems and processes, and to comply with legal obligations.
8.4. Incident Data – In perpetuity
We retain this data in order to keep a historical record of our incident profile, from which we are able to continually review our operating policies in order to enable the safe and appropriate delivery of our events.
8.5. Survey Data – In perpetuity
This data is used for the purposes of understanding our community in greater detail. Changes over time are of particular interest where comparison of current versus historical data allows us to assess the impact of our events and associated interventions.
8.6. Event Imagery – In perpetuity
Event imagery is predominantly processed under the lawful basis of Legitimate Interest, and may be stored securely by event teams in perpetuity as it represents a historical record of that event. Although extremely rare, there can be occasions where we are required to process information conveyed in photographs under another of the lawful bases, such as Legal Obligation, Vital Interest, Public Task.
9. Automated Decision Making and Profiling
In some situations we make automated decisions based on various types of data that we hold, this also also known as profiling. Examples of where we use this might be to send research surveys to people who have only ever participated once or to market products to specific demographics of people, such as advertising a local running event to parkrunners in that area.
Whilst our automated decision making processes do not have a legal or similarly significant effect on the individuals concerned, you do have the right to object to us applying these processes to your data.
To understand more about automated decision making and profiling please see this section of the ICO website.
10. Your Rights
You have the right to:
10.1. Be informed if your personal data is being used
10.2. Get copies of your data
You are also free, at any time, to request a downloadable copy of all the data we hold on you. This would include details of all your walking, running, and volunteering instances and as such is something we particularly recommend prior to any request for us to delete your data. To do this please contact us via support.
10.3. Have your data corrected
If at any time you feel the data we hold on you is incorrect, and you are unable to change it via your profile, please contact us via support.
10.4. Have your data deleted
Should you wish, at any time, for us to delete your data then please contact us via support and we can enable this process. Please note that this is not something that can be undone and as such we would recommend downloading your historical results (see next section) before doing so.
Although we approach every request for deletion on a case-by-case basis, we do not as a rule remove volunteer data simply on request. This is in order support potential future challenges, enquiries, or investigations where this information may be critical.
10.5. Limit how we use your data
If you are concerned about the accuracy of the data or how it is being used please contact us via support. Where you have previously provided us with consent to use your personal data in a specific way, you can remove your consent at any time (or opt-out) via your parkrun profile page.
10.6. Data portability
Following from point 10.2 (above) we will provide copies of your data in standard machine-readable formats. In such cases, please contact us via support.
10.7. Object to the use of your data
Where we are processing your data under the lawful basis of Legitimate Interest you have the right to raise an objection to that processing. This is not an absolute right to object and we will carry out a balancing test where we assess the reasons for your objection in the context of our legitimate interests.
10.8. Raise a concern
If, at any time, you have a concern as to how we are handling your information then please contact us via support. If you feel that we have not addressed your concerns appropriately you have the right to raise them directly with the ICO (read more).