How AYSO Protects Your Privacy
AYSO Privacy Principles
To provideyou (players, parents and executive members) with quality service, AYSO mustcollect, process and use some of your personal information. At the same time,we want to protect the personal information you provide to us. To underscoreAYSO's commitment to protecting your privacy and the value we place on yourrelationship with us, AYSO has adopted the following privacy principlesapplicable to our handling of your personal information:
- Recognition of Your Expectation of Privacy: We recognize and respect your expectation of privacy and security for your personal information. We understand the need to safeguard the sensitive information about you within AYSO.
- Use, Collection and Retention of Your Information: AYSO collects, uses and retains information about you to help in the development and enhancement of our services; to understand which services will best meet your needs; to provide you with product and service opportunities that we deem interesting or beneficial to you; and to help administer our core business and programs. In addition, certain laws and regulations require us to collect information about you.
- Our Maintenance of Accurate Information: Through our procedures and technology, we strive to maintain information about you that is accurate and complete. We will respond to your requests to correct inaccurate information in a timely manner should the need arise, but we reserve the right to ensure that the request to make changes is coming from you.
- Limiting Access to Information: We have procedures and security measures that limit access to and disclosure of personally identifiable information to those individuals in our organization with a business reason to know such information. We educate our employees and volunteers about the importance of the confidentiality and privacy of customer information.
- Security Procedures to Protect Information: We maintain security standards and procedures to deter unauthorized access to confidential information about you. We update and test our technology to continually improve the protection of our information about you and to assure the integrity of our information.
- Disclosing Information: We will share your information only (1) with reputable reporting agencies; (2) when necessary to administer our business; (3) when you request it; (4) when the disclosure is required, or allowed by law; or (5) to make available special offers of products and services through AYSO's sponsors and licensees as well as our relationship with other soccer organizations.
- Maintaining Your Privacy in Our Business Relationships with Outside Third Parties: It is sometimes necessary to provide personally identifiable information about you to a third party, such as to a vendor to prepare customer communications. All third parties must agree to hold confidential information at the same level of confidentiality maintained by our organization and to abide by applicable law. In efforts to ensure the safety and security of the AYSO players and volunteers, AYSO has developed the following privacy policies to define the methods by which personal information and information that is protected by independent agreements are protected and secure. It is understood that as technology advances, these policies will be updated accordingly.
- CHILD AND VOLUNTEER PROTECTION ADVOCATE (CVPA) PROTOCOLS
- AYSO Procedures for Protecting Volunteer Information
- The Regional Child and Volunteer Protection Advocate (CVPA), the Regional Registrar or an appropriate designee shall collect all completed volunteer application forms.
- Upon collection, the completed volunteer application forms shall be put in a large envelope and, if collected by an appropriate designee, promptly given to the CVPA.
- v3. Completed volunteer application forms shall never be left unattended and should always be kept under lock and key.
- Once the initial set of completed volunteer application forms have been collected and checked for completeness, the original signed copies shall be mailed to the AYSO National Support & Training Center (NSTC), Attention: Safe Haven. Thereafter, completed volunteer application forms can be mailed to the NSTC on a weekly basis as they come into the Region. It is recommended that all forms be sent to the NSTC through certified mail, UPS or overnight delivery service with a tracking number to ensure delivery.
- As indicated in the AYSO Screening Protocols, the Regional CVPA shall call the personal and professional references provided by the volunteer applicants and report to the Safe Haven office at the NSTC any irregularities discovered during that process.
- The Regional CVPA shall not discuss sensitive volunteer information among themselves or with others in the Region.
- Regional copies of completed volunteer application forms shall be accessible only to the Regional CVPA.
- The National Safe Haven office shall notify the Region if an applicant does not meet the eligibility requirements to be an AYSO volunteer.
- In the event confidential information other than the volunteer application form must be transmitted to the NSTC via FAX, such transmission is to be sent to the dedicated FAX machine located in the Safe Haven Department..
- Completed volunteer application forms are to be kept for a period of seven years, unless otherwise directed by the NSTC, after which the forms are shredded or incinerated.
- Mailing Process for CVPA
- Regional CVPA mails the original signed copies of the Volunteer Application form to AYSO (NSTC), c/o the Safe Haven Department. Those application forms that have "yes" checked in the disclosure box must be flagged and segregated.
- NSTC Safe Haven staff handling the confidential information must pass a criminal history background check and must sign a confidentiality agreement.
- Completed volunteer application forms shall never be left unattended and should always be kept under double lock and key.
- Electronic Process using eAYSO (new volunteer)
- The volunteer logs in to eAYSO and completes the volunteer application form online. All required information must be provided (including social security number and a response to the disclosure statement). During submission and at all times thereafter, all such personal and private information is encrypted and obscured from view to all users except the National Safe Haven staff.
- The volunteer must print out two of the completed forms (three if he/she wishes to retain a copy) and sign and date each copy. When any electronic form is printed, the personal and private information will be obscured.
- The volunteer must submit the completed and signed volunteer application forms to the Regional CVPA and provide proof of identity (currently designated to be a state-issued driver's license or state ID incorporating a photograph or a U.S. passport).
- Following submission of the completed volunteer application forms, all Regional and NSTC staff shall follow the process described in Paragraph I A, steps 5-10.
- Pre-printed Forms for Returning Volunteers
- At the request of the Region, the NSTC will prepare a pre-printed volunteer form for each new season containing all the information previously provided by the volunteer, except for the personal and private information which shall be obscured on the form. The volunteer should review the pre-printed form to ensure that all the other information is correct, then complete the disclosure statement, sign and date the form. It is not necessary for The Regional CVPA and/or Regional Registrar to secure proof of identity for a returning volunteer using a pre-printed form.
- Following submission of the completed pre-printed volunteer application form, all Regional and NSTC staff shall follow the process described in Paragraph I A, steps 5-10.
- Electronic Process using eAYSO (returning volunteer)
- The volunteer logs in to eAYSO using the member name and password previously determined.
- The volunteer reviews the information contained in his/her record and makes any necessary changes online. All personal and private information is encrypted and obscured from view to all users except the national Safe Haven staff.
- The volunteer must complete the disclosure statement, print out two copies of the form (three if he/she wishes to retain a copy), and sign and date each copy. When printed by the volunteer, the personal and private information will be obscured.
- The volunteer must submit the completed and signed volunteer application forms to the Regional CVPA. It is not necessary for the Regional CVPA and/or Regional Registrar to secure proof of identity for a returning volunteer using an online form.
- Following submission of the completed pre-printed volunteer application forms, all regional and NSTC staff shall follow the process described in Paragraph I A, steps 5-10.
- For eSignature Regions, volunteers complete steps in Paragraph I E, 1-4. However, the Regional CVPA does not send copies of the originally signed volunteer forms to the National Safe Haven office and does not have to store copies of eSigned volunteer applications.
AYSOVolunteer Application Form
At The Regional Level
At The National Level
Volunteer Completes Application
CVPA Reviews Application
CVPA Checks Disclosure Statement
If 'Yes,' flag and send to NSTC
If 'Yes,' do not approve application
If 'No,' send to NSTC for random background checks
Safe Haven™ Staff Receives Applications
All 'Yes' responses to disclosure will be checked.
Position other applications for targeted checks
CVPA Checks References
If 'OK,' add volunteer to list for Board approval
If not 'OK,' inform applicant and NSTC Safe Haven™ Staff so they can pull application form
Perform Background Checks
If 'OK,' process forms at the NSTC
If not 'OK,' send applicant 'Notice of Duty to Review Criminal Record'
Inform CVPA and RC of status via email.
Other NSTC Departments
Safe Haven™ Department
Region Mails Forms to NSTC
Receptionist receives mail; if no name on package, he/she will open
Receptionist may give forms to:
o Safe Haven
Screens forms for completeness:
o Other authorized staff may help during the busy season
Safe Haven will do the following:
o Send to Registration Dept. to enter in database; or
o Call volunteers on incomplete forms; or
o Return incomplete forms back to the region; or
Give to coordinator for background checks
Safe Haven Gives Non-Flagged Complete Forms to
Supervisor creates batch to track forms
Registration staff enters forms and closes batch
Registration staff returns processed forms to Safe Haven
Safe Haven Receives Processed Forms From Registration Department
Files forms in locked file room
Access to locked forms is limited to Safe Haven department only
III. Securityof Information
Other NSTC Departments
Safe Haven™ Department
All the staff members who have access to forms have passed criminal history background checks.
Volunteer forms accompanying Information forms are kept under lock and key and entered into the system. After they are entered, they are returned to the Safe Haven Department for background checks and filed under lock and key. Forms are kept for a minimum of seven years.
Preprinted forms show only last four digits of the Social Security number and last four digits of the driver's license. These forms are sent to regions via regular mail. CVPA volunteers are to keep forms secure.
V. Securityof Information
o All the staff members who haveaccess to forms have passed criminal history background checks.
o Volunteer forms accompanyingInformation forms are kept under lock and key and entered into the system.After they are entered, they are returned to the Safe Haven Department forbackground checks and filed under lock and key. Forms are kept for a minimum ofseven years.
o Preprinted forms show only last fourdigits of the Social Security number and last four digits of the driver'slicense. These forms are sent to regions via regular mail. Regional Registrars/CVPAvolunteers are to keep forms secure.
Use of Photographs
0. Theuse of photographs:
The permission to use photographs of AYSO players and volunteers is covered byauthorization on the AYSO registration forms. Therefore, release forms are notrequired.
1. Theuse of photographs for sponsor programs:
Even though the registration form covers the use of photos of AYSO players andvolunteers by sponsors or commercial entities, AYSO does not give player orvolunteer photos to sponsors for commercial use unless authorized to do so bythe individual (or parent in the case of a minor child). AYSO suggests thatsponsors acquire the photos on their own and have release forms signed by thephoto subject.
Theuse of photographs on the website:
If the photographs were taken at a game or practice that took place on publicproperty, photographs may be used without consent.
Registration - Registration Forms
0. TheAYSO Registration Department is dedicated to protecting personal informationand will make every reasonable effort to handle collected informationappropriately. All information collected, as well as related requests, will behandled as carefully and efficiently as possible in accordance with AYSOstandards for integrity and objectivity.
Registration - Player Forms
0. Atthe end of the AYSO year, Regional copies of the player forms are maintainedfor a period of seven years, after which they are disposed of, consistent withthe established procedures and guidelines outlined herein.
1. Copiesof completed player registration forms are forwarded to the NSTC, where theyare archived as outlined herein. The physical copies of the player forms aredisposed of, consistent with the established procedures and guidelines outlinedherein.
2. During the playing season, coaches mustcarry original, signed player forms. At the end of the Region's year, these forms must be returned to theRegional Registrar and then sent to the NSTC to be stored, consistent with theestablished procedures.
Registration - Volunteer Forms
0. Evaluationof protection practices - An internal audit is performed annually.
Employee Access, Training and Expectations
0. Weare committed to the protection of customer information. Business practices arein place that limit access to confidential information to key authorizedpersonnel and limit use and disclosure of such information.
1. EmployeeScreening - Employees required to handle sensitive information are screenedthrough an independent contractor.
0. Allconfidential documents at the NSTC are stored in a secure area for seven years,after which they are shredded or incinerated.
0. Playerand volunteer forms: Forms are retained for seven years. This is a requirementof NSTC. Note: Volunteer forms held at the NSTC may not be destroyed, under anycircumstances, until approved by the director of operations.
Non financial Records - As needed.
Information Forms (IF)
0. IFforms are updated on the computer system through the Member ServicesDepartment. Registration may input information only on new members listed onthe IF form. If the member has been a Board member previously, updating takesplace in the Member Services Department.
Events Forms (Section Meetings and NAGM)
0. Eventsregistration forms are sent to the Events Department, where the information isput into the system. The forms are then placed in a binder that will travel tothe event via an events coordinator. The forms are used to verify registration.Forms are available at Section Meetings and are kept at the registration tableto allow for quick checking. The forms are stored in the Events Departmentuntil December of each year, when they are shredded.
AYSO Supply Center
0. TheAYSO Supply Center receives checks and credit card information. Thisinformation is kept in a double-lock file in the AYSO Supply Center for aperiod of five years. The AYSO bank does not have a holding requirement forcredit card slips or a requirement for single- or double-lock security. Creditcard slips are retained for five years. Every year, one year's worth of creditcard paperwork is to be destroyed via incineration or shredding.
0. AlarmCodes: Alarm codes are given to staff based upon need and security level. TheNational Executive Director, Chief Operations Officer and the AYSO facilitiesmanager have the highest level of authorization. Executive-level management isgiven the next level of authorization and is allowed access to all buildingswith the exception of the MIS office, CVPA Department and other directors'offices. Staff members have access to the building where they conduct business.
1. TelephoneCodes: Upon hire, each employee is authorized to use a telephone code formaking long-distance calls. This code includes the last four digits of theemployee's Social Security number for tracking of telephone billing charges.The employee is able to change his/her pass code to enter the voicemail systemby going through the Administration Department.
2. ComputerCode Authorization: There are two staff members who are authorized to accessthe main system network. The technical support administrator (TSA) and the MISmanager have the authority to check the individual staff accounts. TheExecutive Director and executive management may request permission to do acheck or a file search. The request is made to the TSA or MIS manager. If adirector requests information, the TSA or MIS manager will seek approval fromthe Executive Director prior to running the search if the search is to beconducted on confidential files or files of another employee. The managementlevel must seek approval from the respective director prior to requesting adocument or file search.
3. ComputerAccess: System wide access to the computing systems is limited to employees andcontract firms, which are required to manage and monitor access and requests toaccess the data held in our computer systems. Should other staff membersrequest access to and reports from the data, appropriate approval fromexecutive management or the Executive Director must be obtained.
4. Leavingthe Organization: When an employee leaves the organization, the employee incharge of security or the manager of that employee immediately removes theability of the person to access the system. The same is done with the alarmcodes and the telephone codes. Each department head signs off on any otherequipment or systems via an employee exit checklist.
TheMIS Department does not handle information gathered from children. It does,however, prepare databases for the Marketing Department upon request. Theinformation prepared is then given to the Marketing Department, which in turnsends the disc to a bonded mailing house selected by the sponsor. A letteraccompanies the disc with instructions stating that the disc is authorized fora "one-time use." The disc is then returned to AYSO after it has beenused for the purpose intended.
Onoccasion, the Marketing Department will request that labels be printed at theNSTC. The labels are then provided to the sponsor. The sponsor must adhere thelabels to the mailing pieces at the NSTC or bring the mailing to the NSTC andthe AYSO staff will place the labels on the mailing item.
AYSOhas excellent software and hardware for firewall's and utilizesencryption/security software to safeguard the confidentiality of personalinformation. AYSO reviews the systems for security compliance with a contractMIS company and will perform an internal audit of the corporate practices and policiesannually.
AYSOis committed to the protection of customer information. Our business practiceslimit access to confidential information and limit use and disclosure of suchinformation to authorized personnel. Employees who handle confidential informationare screened through an independent contractor.
Currently,there is no universal safety policy regarding the security of the computerhardware. AYSO has established that the "main" computer system willremain behind double-locked doors when MIS personnel are not present.
The Accounting Department handles all funds, including checks and credit cards.Once the accounts are credited, the documents are stored in locked containers.These documents are destroyed on a rotating basis, once every five years.
AYSOgenerates four final original copies of sponsorship agreements and sends themto the prospective sponsor for signature. The sponsor signs the agreement andreturns all four copies for the AYSO National Executive Director to sign. Twooriginals are returned to the sponsor. AYSO places an original copy in thesponsor file and sends the other original copy to the Finance Department. Acopy of the signed agreement is sent to Operations and to legal counsel.Additional copies are sent to the department that is involved in fulfilling theagreement points. Each department receiving a copy of the agreement must keepinformation regarding the agreement confidential. The sponsorship filingcabinet in the Marketing Department will be kept locked. Access to the filingcabinet is available to all marketing staff on a daily basis but will be keptlocked each evening. The chief marketing officer and administration managerwill have keys to the filing cabinet. Accounting will keep the agreements in alocked file.
Thechief marketing officer will keep copies of the original agreements in a binderin his/her office, which shall be locked each evening.
Allcorrespondence between legal counsel and the Marketing Department will beplaced in a manila folder marked, "Attorney/Client Privilege." Thisfolder will be placed in the sponsor agreement file cabinet, which will belocked each evening.
Allemail correspondence regarding a sponsor shall be placed in the sponsor's file.
Afterthe term of the sponsorship, all documents concerning the sponsor will beplaced in archive for a period of three years.
Regional, Area and Section files are kept in the Administration Building. Thesefile cabinets are not locked because staff utilizes the information containedin the files on a daily basis. The information is saved for perpetuity, thusgiving a running history of the region, area or section. These files containthe Information Form (IF), budget forms and correspondence. Information is sentfrom the Member Services Department to the administration office "incomingfile" basket. The receptionist files the information in the filingcabinet. The building is locked and alarmed each evening. All visitors mustenter through a locked front door and receive a guest pass before beingescorted by a staff member to their destination on campus.
0. Mailis delivered to the administration office daily.
1. Mailis date-stamped and sorted by department and delivered as indicated.
2. Mailis then sorted by each department and given to recipient.
3. FedExand Airborne parcels are delivered to the recipient immediately upon arrival.
No personal information regarding staff or membership, including personaltelephone numbers, addresses, e-mails, or work schedules, is given out over thetelephone with the exception of region locator calls. In this case the RegionalCommissioner's phone number as listed in the Executive Member Directory (EMD)is given to the caller.
The Executive Director, Chief Operations Officer, administration manager anddirectors are able to change voice-mail passwords from a dedicated computer.
Faxes are received electronically through the administration officereceptionist. One receptionist is assigned the responsibility of disseminatingthe faxes hourly during the workday. Faxes are directed to the individualaddressed on the fax. The following confidentiality statement is printed on alloutgoing faxes:
AMERICAN YOUTH SOCCER ORGANIZATION
FAX CONFIDENTIALITY NOTICE
This transmission may be: (1) subject to the Attorney/Client Privilege, (2) anattorney work product or (3) strictly confidential. If you are not the intendedrecipient of this message, you may not disclose, print, copy or disseminatethis information. If you have received this in error, please reply and notifythe sender (only) and delete the message. Unauthorized interception of this faxor facsimile is a violation of federal criminal law.
. TheMIS Administrator initially generates user passwords when creating userprofiles for new employees. The director of operations and the MISadministrator have access into the e-mail system. Staff members are shown howto change their passwords. For security purposes, the MIS administrator doesnot keep a record of passwords.
a. Alle-mails shall be proofed and spell-checked before sending. It is imperativethat prior to sending, e-mails are checked to ensure they are addressed toappropriate individuals. All external broadcast e-mails need to be approved bythe department manager, respective Director and Executive Director prior tosending. All employee computers are to be set up for auto-spell check. Thefollowing confidentiality statement must be attached to all outgoing e-mails:
AMERICAN YOUTH SOCCER ORGANIZATION FAX CONFIDENTIALITY NOTICE
This transmission may be: (1) subject to the Attorney/Client Privilege, (2) anattorney work product,or (3) strictly confidential. If you are not the intendedrecipient of this message, you may not disclose, print, copy or disseminatethis information. If you have received this in error, please reply and notifythe sender (only) and delete the message. Unauthorized interception of thise-mail is a violation of federal criminal law.
AYSOWEB SITE - www.ayso.org
American Youth Soccer Organization
12501 South Isis, Hawthorne, CA 90250 USA
Overview of Policy
TheAmerican Youth Soccer Organization is very concerned about the privacy of ourkids and members and this concern extends to our web site. Our goal is toalways protect the personal identity of all users who interact with our website, children and adults. This policy outlines how we collect and use the datacollected. It also provides a current listing of all third parties AYSO ispartnering with concerning online activities.
Westrongly encourage parents or guardians to go online with their children andparticipate with them in their online activities. For guidelines on how toprotect children's privacy online, please review the U.S. Federal TradeCommission's (FTC) How to Protect Kids' Privacy Online
TheChildren's Online Privacy Protection Act (COPPA; effective date 21 April 2000)establishes mandated disclosures, parental notifications and options for allonline activities where information is requested from a child under 13 years ofage. Currently, the Act establishes that web site producers who collectpersonally identifiable data from children under 13 years of age are requiredto obtain verifiable parental consent in advance unless the data collected isan e-mail address for a one-time request, such as a contest entry, electronicpostcard, etc.
Thispolicy covers the following topics pertaining to AYSO's online interactivitywith visitors:
Personally Identifiable Data: Refers to any information which could be readily associatedwith the individual to whom it pertains, e.g. addresses, phone numbers, e-mailaddresses, etc. Personally identifiable information, under this definition,does not include information that is collected solely in the aggregate (such asIP Addresses, browser versions, etc.) nor does it include information that anindividual publicly releases or intends for public dissemination. Domain names,for instance, are not included as personally identifiable information; howevere-mail addresses are. This definition also includes other types of informationthat are related to the person specifically, such as hobbies, interests, etc.
Aggregate Data:Refers to any data that is not personally identifiable. This data would includeIP addresses, browser versions, etc. as well as quantifying data such as totalnumber of entrants, age group disbursement, etc.
Publicly Available:Refers to information maintained as a public record, or that an individualpublicly releases, intends for public dissemination, or should reasonablyunderstand should become public.
Verifiable Parental Consent: Refers to substantiated assent from a child's parent orguardian for the child's data to be accepted by AYSO for the specific reasonsfor which it is collected. The veracity of the confirmation must be fromreliable sources and may include postal mail, facsimile, e-mail with digitalsignature, etc.
Third Parties:Refers to a person, group, organization, company or authorized agent (or morethan one of these) whom AYSO deems should receive data obtained via the website for marketing or other purposes.
Whendata is collected from children under 18 years of age, AYSO will require atminimum the e-mail address of the parent or guardian for that child. Atminimum, an e-mail will be sent to the parent or guardian announcing to themthat their child has supplied AYSO with personally identifiable data, what thatdata is, and will point them to this section of the web site for furtherdetails.
Exception to this policy:A one-time use of the data for such events as contests, e-postcards, etc.,however, the exception will cover only the requirement of parent or guardiane-mail addresses prior to inclusion in the event.
(Example: A child enters a contest to win a soccer ball and is asked for afirst name; age; and an e-mail contact address. If the child is chosen as awinner, verifiable parent or guardian consent will be required before thephysical address is obtained and the premium is sent to the child.)
Up to 18 years of age
Our organizational policy is to NEVER supply any third party with anypersonally identifiable information when that data is associated with childrenup to the age of 18. When warranted, we may supply third parties with aggregate data collected. All third parties with whom AYSO partners forweb site events will be listed below in Current Web Marketing Partners and Details.
18 years of age and older
AYSO may provide personally identifiable information to third parties collectedfrom those 18 years of age and older. Any data sharing will be announced at thecollection point on the web site with all details in the section Current WebMarketing Partners and Details.
Atany time, a parent or guardian may request a Parental Consent Verification formin order to receive any information AYSO has obtained concerning their childvia the national web site Upon completion and return of this form, you mayreceive all personally identifiable information AYSO has obtained concerningyour child through online means from the national web site, if such exists.This form will ask for information from you that will identify you as theparent or guardian of the child. You may request the Parental ConsentVerification form by mail only. Send your request to: 12501 South Isis Avenue, Hawthorne,California 90250.
Please be aware that all the types of information that arecollected for an event will be itemized in the section Current Web Marketing Partners and Details.
Youroptions as a parent or guardian in reference to collection of your child'spersonally identifiable information are as follows:
o You may refuse consent or revoke anyprevious consent
o Refuse any further collection ofdata from your child
o Ask for deletion of your child'sdata either totally or in part
Anyalterations to or deletions of the personally identifiable information AYSO hasobtained concerning your child via the national web site must be accompanied bya Parental Consent Verification form (see details at the beginning of thissection).
AYSO, may, if it deems necessary, terminate any service provided to the childif the information at issue is reasonably necessary for the child toparticipate in the event.
(Example:if you request deletion of the child's address, but that information isnecessary for delivery of a prize or newsletter, etc., then AYSO may refuse toallow the child to participate in that activity, however, other activities thatdo not require this information would remain available to the child)
Partner Descriptions of Involvement Details
o Shared data type or specify no datasharing
o Description of specific involvement
o "Duration of Event"
o "Event" What AYSO is doingfor parents and/or as an organization
o "PII" Details of allpersonally identifiable information AYSO is obtaining in event
o "Other Information Requested:"What other information that is not PII are we asking for the viewer tosend to us.
Usedfor internal web site purposes only.
Currently,all online forms are sent via an e-mail server-side mail to script offering nosecurity. Only information that would be reasonably sent via e-mail is askedfor via any form on the site currently. Information such as credit cardnumbers, etc. will not be requested via any online form on the site untilsecure means of transmission are obtained.