Are volunteer coaches for a rugby club who share personal data of other coaches on Whatsapp and in Facebook groups (without the knowledge of the rugby club) in any way liable for failures to comply with data protection laws?
The question here is who is the data controller. A data controller is somebody who decides what to do with the personal data that it holds about certain individuals. In this instance, it is questionable as to whether the rugby club is the data controller as it is unaware that the volunteer coaches are swapping their own personal data and it has no control over the platforms on which they are sharing the data i.e. WhatsApp and Facebook.
What seems more likely is that the volunteer coaches are joint controllers of the personal data and hence each have responsibilities under the GDPR. As such, they should agree between them who would deal with things like data subject requests, such as where a coach may contact another coach and request that all of his data is deleted from a Facebook group. The person with agreed responsibility should actually action that request. However, even if one person has taken responsibility for dealing with data subject requests, all of the joint controllers would be potentially liable for compliance with this.
However, it's important to note that being joint controllers doesn't necessarily mean that the liability is shared equally. The GDPR allows for the possibility that one controller might be more responsible than the other, depending on the circumstances.
As to whether the rugby club would have vicarious liability for the actions of the volunteers, this is not clear cut. There have been cases where organisations have been held to have vicarious liability for independent contractors. However, the application of vicarious liability to volunteers is less clear and will depend on the specifics of each case.
The courts will evaluate:
- The extent to which the role is similar to employment and crucial to the operations of the organisation;
- The degree of control the organisation has over the actions of the individual in question (although not necessarily the methods they use to carry out those actions), and whether the organisation has the authority to intervene if tasks are not carried out correctly;
- Whether the individual is fully incorporated into the organisation's structure or operates more independently, like a solo entrepreneur or sole trader;
- If it would be fair and reasonable to hold the organisation vicariously liable for the actions of the individual.
© Suzanne Dibble 2013-2023
The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article. We disclaim all liability and responsibility arising from any reliance placed on any of the contents of this article.
