I like watching football, but any real interest I had in following a club waned around the time David Hirst stopped scoring for fun for Sheffield Wednesday. I also came to be disillusioned by the advent of big money, with clubs run more and more as business concerns aimed at boosting the investments of shareholders.
So I hadn’t appreciated that convicted rapist Owen Oyston was still listed as Director of Blackpool F.C. Nor that his son Karl Oyston is Chairman. Nor that Karl’s son Sam runs the club’s hotel. It appears that at least some fans are highly critical of the Oyston dynasty, and this manifested itself in a rather puerile twitter exchange which was drawn to my attention this morning
To explain what’s going on here, a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn.
This is all very unsavoury, but it also raises concerns about the club’s handling of its fans’ personal data. The publishing of the seat number is not particularly worrying in itself: it refers to the fan’s physical place in a very public arena, and I doubt he would be bothered about it being publicised (he might even be proud, as it implies he is a dedicated fan). However, one must ask how, and why, the manager of a hotel run by the club has such ready access to customer details.
The first data protection principle of the Data Protection Act 1998 (DPA) requires that personal data be processed fairly (and lawfully) and the second principle requires that personal data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. If fans’ details are being accessed by the club’s hotel manager, in order to implicitly threaten them with removal of their right to attend matches, it would be difficult to see how this would be compatible with purposes for which they were obtained by the club, as data controller. I suppose it is just possible that the terms of the tickets explain that, say, abusive behaviour could lead to cancellation, but even so, it would be unlikely that this would cover what happened in the twitter exchange. One might also question whether, if someone apparently unconnected with the running of the club membership can access ticket data, the club has – in accordance with the seventh data protection principle – appropriate organisational measures in place to safeguard against unauthorised processing of personal data.
A data controller has a statutory obligation to comply with the data protection principles – a failure to do so opens it up to the possibility of civil claims being made against it, and civil enforcement action being taken by the Information Commissioner’s Office.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.