Motorsport UK Privacy Policy

Introduction
This Privacy Notice applies to all activities, services, products and platforms operated and controlled by Motorsport UK.

Motorsport UK takes its responsibility to protect personal data seriously. Respecting privacy is embedded within our governance, commercial activities, regulatory functions and operational delivery.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Notice explains how we collect, use, store and protect personal data.

Personal data means any information relating to an identified or identifiable individual.

1. Our Approach to Data Protection

Motorsport UK has implemented robust organisational and technical measures to ensure compliance with data protection law, including:

• A Data Protection Policy and File Retention Schedule
• A ‘Privacy by Design and Default’ approach across all systems and projects
• Data Protection Impact Assessments (DPIAs) where required
• Role-based access controls and confidentiality obligations
• Regular staff training on data protection and information governance

We have appointed a Data Protection Officer (DPO), who can be contacted at: [email protected]

2. Data Protection Principles

We process personal data in accordance with the UK GDPR principles:
A. Lawfulness, fairness and transparency
B. Purpose limitation (used only for specified, legitimate purposes)
C. Data minimisation (only what is necessary is collected)
D. Accuracy (kept up to date where necessary)
E. Storage limitation (retained only as long as required)
F. Integrity and confidentiality (appropriate security applied)

3. Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

• Consent. For example, for marketing communications.
• Contract. For example, licence applications, Championship and Event registrations.
• Legal obligation. For example, for regulatory and legislative compliance and reporting.
• Vital interests. For safety and emergency situations.
• Public function. For example, governance of motorsport and regulatory oversight.
• Legitimate interests. For example, administration, complaints handling, safeguarding, management of the sport in the UK and sport development (balanced against your rights).

The lawful basis or bases we rely on depends upon the specific purpose of processing.

Where special category data (including medical data) is processed, we rely on additional lawful conditions under UK GDPR. These include conditions such as substantial public interest, medical purposes and safeguarding.

4. Why We Collect Data

We collect and use personal data to:

• Administer licences, registrations and participation in motorsport.
• Assess medical fitness and ensure participant safety.
• Deliver Events and regulatory oversight.
• Manage disciplinary, safeguarding and compliance matters.
• Manage safety and insurance related matters.
• Communicate with members, participants and stakeholders.
• Deliver training, funding and development initiatives.
• Promote motorsport activities and projects to current and prospective members.
• Comply with legal, regulatory and insurance obligations.

5. Categories of Personal Data

We may process:

• Financial data, including bank account and/or payment card details.
• Identity and contact details, including Licence identification images.
• IT technical data (e.g. website usage, cookies). Further information regarding Motorsport UK’s use of cookies is detailed in our Cookie Policy.
• Licensing and competition records.
• Marketing and communications preferences.
• Medical and safety-related information.
• Motorsport technical data.
• Participation and membership data.
• Photographs and media content.
• Safeguarding and disciplinary information, including investigations by relevant authorities and involvement in the Motorsport UK National Court.

We only process special category data where necessary and proportionate, particularly for safety, medical eligibility, safeguarding and regulatory purposes.

6. Children’s Data

We take particular care when processing personal data relating to children.

Where individuals under 18 apply for licences or participate in Motorsport UK activities:

• Applications must be authorised by a parent or guardian.
• Only necessary data is collected.
• Additional safeguards are applied, particularly in relation to medical and safeguarding information.

7. Medical Information

Medical data is processed strictly where necessary for:

• Determining fitness to participate.
• Ensuring safety at events.
• Meeting regulatory and safeguarding obligations.

We apply principles aligned with Caldicott standards, including:

• Use only where necessary.
• Minimum data required.
• Strict need-to-know access.
• Secure handling and controlled sharing with appropriate medical professionals.

8. How We Share Personal Data

We may share personal data with:

• Motorsport UK staff and Officials (where necessary).
• Event Organisers and Clubs.
• Medical professionals and safeguarding bodies.
• Regulators, governing bodies and insurers.
• Legal advisors and auditors.
• Law enforcement or authorities where required.

We do not sell personal data. We do not use personal data for third-party marketing, without explicit consent to do so.

International Data Transfers

Motorsport UK may, in limited circumstances, use processors or service providers located outside the UK or EEA.

Where this occurs, we ensure appropriate safeguards are in place, including:

• Use of International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).
• Assessment of the recipient country’s legal framework.
• Contractual obligations requiring equivalent or higher standards of protection to UK/EU data protection law.
• Ongoing due diligence and monitoring of processors.

We only transfer personal data internationally where we are satisfied that it remains adequately protected.

Use of Artificial Intelligence (AI)

Motorsport UK may use Artificial Intelligence (AI), including generative AI tools, to support its activities, services and operational delivery.

AI is used as an assistive tool only and does not replace human judgement. Motorsport UK does not rely on solely automated profiling or decision-making where decisions would have legal or similarly significant effects on individuals.

We apply a risk-based, human-led approach to AI use, ensuring that all outputs are subject to appropriate human review and oversight.

As a general principle, personal data will not be used in AI systems unless appropriate safeguards are in place. Where such systems are used, Motorsport UK ensures that equivalent standards of data protection and security to those required under UK data protection law are maintained.

Further detail on how Motorsport UK uses AI, including governance, safeguards and controls, is set out in Schedule One – Use of Artificial Intelligence (AI).

Data Security

We implement appropriate technical and organisational measures, including:

• Secure IT infrastructure and hosting environments.
• Encryption and access controls.
• Audit and monitoring processes.
• Incident response and breach management procedures.

Retention of Personal Data

We will only retain your personal data for as long as is necessary for the purposes for which it was collected, including to provide our services, administer memberships and licences, comply with our legal and regulatory obligations, resolve disputes, protect the safety and integrity of the sport, and establish, exercise or defend legal claims.

The length of time we retain information will depend on the nature of the information and the purpose for which it is processed. In determining appropriate retention periods, we consider factors including legal requirements, regulatory obligations, insurance requirements, safeguarding responsibilities, the potential for future claims or investigations, and the ongoing needs of the sport.

For example:

• Membership, licence and customer service records will generally be retained only for as long as is reasonably necessary to administer your relationship with Motorsport UK and for an appropriate period thereafter.
• Safety, incident, medical, safeguarding, disciplinary and regulatory records may be retained for significantly longer periods, including indefinitely where necessary, due to the nature of the information, the potential for future claims, investigations, safeguarding concerns, insurance requirements or Motorsport UK’s ongoing regulatory responsibilities.

Personal data is retained in accordance with our File Retention Schedule, which is based on:

• Legal and regulatory requirements.
• Insurance obligations.
• Operational necessity.
• Safeguarding and participant welfare considerations.
• The need to establish, exercise or defend legal claims.

Where personal data is no longer required, we will securely delete, anonymise or otherwise dispose of it in accordance with our retention policies.

Your Rights

Under UK GDPR, you have the right to:

• Access your personal data (Schedule Two – Data Subject Access Requests).
• Request rectification of inaccurate data.
• Request erasure (in certain circumstances).
• Restrict or object to processing.
• Withdraw consent (where applicable).
• Data portability (where applicable).

Requests can be made via: [email protected]

You may withdraw your consent to receive marketing communications from us at any time by clicking the unsubscribe link included in our marketing emails or by contacting us directly.

Please note that opting out of marketing communications will not prevent us from sending you service, operational or administrative communications where these are necessary for the administration of your membership, licence, participation in our activities, fulfilment of our contractual obligations, compliance with our regulatory responsibilities, or to otherwise provide services you have requested. These communications are not marketing in nature and you cannot opt out of receiving them whilst you remain a member, licence holder or customer.

Complaints

If you are dissatisfied with how we handle your data, you may contact us in the first instance.

You also have the right to complain to:

Information Commissioner’s Office (ICO) Wycliffe House, Water Lane Wilmslow, Cheshire, SK9 5AF https://ico.org.uk/

Updates to this Notice

We keep this Privacy Notice under regular review and may update it from time to time. The latest version will always be available on our website.

Schedule One – Use of Artificial Intelligence (AI)

Overview

Motorsport UK may use Artificial Intelligence (AI), including generative AI systems, to support its activities, services and operational delivery.

AI is used to enhance efficiency, improve accessibility, and assist with administrative and analytical tasks. It is not used as a substitute for human decision-making.

Motorsport UK adopts a risk-based, human-led approach to AI use, aligned with UK data protection law and applicable regulatory guidance.

How We Use AI

AI tools may be used to:

• Assist with drafting, summarising and analysing information
• Support internal administrative and operational processes
• Generate ideas, templates or alternative formulations of content
• Improve accessibility and usability of information

All AI-generated outputs are subject to human review and validation prior to use.

Motorsport UK does not rely on automated decision-making where decisions would have legal or similarly significant effects on individuals. AI is used only to support human decision-making, not to replace it.

Use of Personal Data in AI Systems

Motorsport UK applies strict controls to the use of personal data in AI systems.

• As a general principle, personal data will not be input into AI tools unless appropriate safeguards are in place
• Where personal data is used in connection with AI systems, Motorsport UK will ensure that:
  • The system has been risk assessed and approved
  • Appropriate data processing agreements are in place
  • There are restrictions on data use, including limitations on training or reuse of data where required
  • The system provides equivalent or higher standards of protection to those required under UK GDPR
  • Data is minimised, anonymised or pseudonymised wherever possible

Motorsport UK may utilise enterprise-grade AI solutions which provide enhanced data protection, security and governance controls.

Fairness, Transparency and Risk Management

Motorsport UK is committed to ensuring AI is used responsibly and ethically.

We take reasonable steps to:

• Mitigate risks of bias, discrimination or unfair outcomes
• Identify and address inaccuracies or misleading outputs
• Ensure appropriate transparency where AI use materially affects individuals

AI outputs are treated as assistive and non-authoritative, and are subject to critical human assessment.

Prohibited Uses

Motorsport UK will not use AI:

• To make fully automated decisions with legal or similarly significant effects
• In a manner that is deceptive, harmful or misleading
• To generate content that infringes intellectual property rights
• Without appropriate safeguards where personal data is involved

Governance and Accountability

Motorsport UK maintains oversight of AI use through internal governance processes, including:

• Approval processes for AI tools and systems
• Defined acceptable use standards for staff
• Ongoing monitoring of legal, regulatory and ethical developments

Motorsport UK remains fully accountable for all processing activities involving AI, including where third-party systems are used.

Updates to this Schedule

This Schedule will be reviewed and updated as necessary to reflect:

• Changes in law or regulatory guidance
• Advances in technology
• Changes to Motorsport UK’s use of AI

Schedule Two – Data Subject Access Requests (DSARs)

Overview

A Data Subject Access Request is a request made by an individual to obtain confirmation as to whether their personal data is being processed by Motorsport UK and, where that is the case, to access that personal data together with certain supplementary information regarding its processing.

Motorsport UK will handle all Data Subject Access Requests in accordance with applicable data protection legislation and ICO Guidance, subject to any relevant exemptions and limitations.

Submission of Requests

A DSAR can be submitted either in writing or verbally; however, Motorsport UK may request that a verbal request is confirmed in writing for clarity and to better understand the scope of the request.

Verification of Identity

Motorsport UK will take reasonable steps to verify the identity of the requester prior to processing any request.

Where a request is made on behalf of another individual, evidence of authority must be provided.

Motorsport UK reserves the right to pause the statutory timeframe until satisfactory verification has been obtained.

Requests Relating to Children

Where a request relates to the personal data of a child, Motorsport UK will assess the request in accordance with applicable data protection legislation and relevant guidance issued by the Information Commissioner’s Office (ICO).

Motorsport UK recognises that the right of access is the right of the child. A person with parental responsibility does not have an automatic right to access a child’s personal data.

In determining whether to disclose personal data in response to a request made on behalf of a child, Motorsport UK will consider, on a case-by-case basis:

• the child’s age and level of maturity;
• the child’s ability to understand the nature of the request (i.e. whether they have sufficient capacity to exercise their own data protection rights);
• whether the child has provided consent for the disclosure, where appropriate; and
• whether disclosure would be in the best interests of the child.

Where Motorsport UK considers that a child has sufficient understanding and capacity, it will ordinarily expect the request to be made by the child directly, or that the child provides clear authorisation for the request.

Motorsport UK may request reasonable information to:

• verify the identity of the child;
• verify the identity of the requester; and
• establish the requester’s authority to act on behalf of the child.

Motorsport UK may refuse or limit disclosure where it is not satisfied that:

• the requester is authorised to act on behalf of the child; or
• disclosure is appropriate having regard to the child’s rights and interests.

Redaction and Third-Party Data

Motorsport UK will review all information prior to disclosure and may redact or withhold information where necessary to:

• protect the rights and freedoms of third parties; or
• comply with legal and regulatory obligations.

Where appropriate, information may be anonymised or summarised.

Complaints

If a requester is dissatisfied with the handling of their request, they may lodge a complaint with the Information Commissioner’s Office.