Search

RFU

2 Sep 2024 | 10 min

RFU Regulatory and Governance Privacy Notice

1. Content Of This Privacy Notice

2. Background

2.1 The purpose of this Privacy Notice is to give you a better understanding of:

  • what information we collect;
  • how we use that information;
  • how this information is shared;
  • your data protection rights;
  • how to contact us; and
  • other useful privacy and security related matters;

in relation to the regulatory and governance functionality of the England Rugby Football Union (‘RFU’) in its capacity as the national governing body for Rugby Union in England.

2.2 This Privacy Notice applies to you if you are participant in rugby in England, including players, coaches, agents, referees, representatives of clubs/schools,/colleges/universities/constituent bodies representative bodies (including members, officials and owners), spectators, parents, volunteers and/or such other individuals who may be under the jurisdiction of the RFU or those whose details we require to perform regulatory functions (“Participant”).

2.3 The Game Management System (“GMS”) is provided by the RFU to enable players, player parents or guardians, clubs, educational institutions, constituent bodies, referee societies and the RFU to input, store and process certain information about you pertaining to your GMS registration and the regulatory and governance functionality of the RFU. This notice sets out how the RFU processes your GMS information but your club, educational institution, constituent body, or referee society may also be data controllers in respect of data inputted by you (or on your behalf) onto GMS and each of those entities will have specific data protection privacy notices in place which explain in more detail how they process your GMS information.

2.4 The England Rugby Privacy Notice (available to view here) will also apply if you are a fan or supporter of England Rugby who has visited Allianz Stadium or other locations at which we operate, you have contacted us to purchase something from us and/or signed up to receive updates about upcoming events, offers and ways to get involved further with England Rugby or we have contacted you for these reasons.

2.5 You can find additional information about privacy and your rights on the Information Commissioner's website.

2.6 References to we, our, us, or RFU in this privacy notice are to the RFU.

2.7 References to we, our or us in this privacy notice are to the RFU, a co-operative society registered under the Co-operative and Community Benefit Societies Act 2014 with Register No. 2798IR and whose registered office is at Rugby House, 200 Whitton Road, Twickenham, TW2 7BA, and other companies and entities in the RFU’s group.

2.8 References to ‘you’ or ‘your’ in this privacy notice are to you in your personal capacity as an individual and/or in your capacity as a representative for a third party (such as a club/school/college/university representative).

2.9 We have appointed a Data Protection Officer to oversee our compliance with data protection laws.

2.10 This privacy notice was drafted with brevity and clarity in mind. We are happy to provide any additional information or explanation needed.

2.11 should you wish to contact us in relation to this Privacy Notice, our contact details are set out in the "How do you get in touch with us?" section at the end of this Privacy Notice.

3. What Personal Information Do We Collect About You?

3.1 We may collect, store and process the following personal information about you, whether you are an adult or a child:

  • your name, username and password;
  • your gender;
  • your age/date of birth;
  • marital status and dependents;
  • your home address, email address and phone number;
  • your club/school/college/university address, email address and phone number;
  • your membership and registrations details (including players, agents, coaches and referees);
  • details of any next of kin, family members and emergency contacts;
  • any credit/debit card and other payment details you provide so that we can receive payments from you and details of the financial transactions with you;
  • identification documents such as passport, identity card, utility bill, birth certificate, proof of address, driving licence;
  • immigration documents such as visas and such other documents required to verify your eligibility to play rugby in England;
  • details of any contracts you enter into (including club/player contracts, player/agent contracts, club/coach contracts);
  • your journey through our digital platforms, details of England Rugby services and opportunities you have expressed an interest in, including which links you click on and any searches you made, how long you stayed on a page, and other page interaction information;
  • recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
  • records and information pertaining to rankings or ratings, playing details and history, competition results, attendance and performance;
  • performance data, in respect of matches and training sessions, including data gathered from wearable GPS devices and other technology (wearable or otherwise)
  • match data pertaining to matches in which you participate including data in relation to events within the match
  • your accreditations, qualifications and experience inside and outside rugby, including current and previous employments as well as references;
  • your disciplinary and grievance information;
  • your rugby activity such as your playing record, role, club affiliation, and courses undertaken;
  • details required for the purposes of awarding benefits, funding, grants, accreditations, certifications, registrations and such other RFU benefits;
  • details required for the purposes of administering the RFU insurance policies;
  • information inputted by you, your club/school/college/university or by the RFU into the RFU game management system or such other system for managing the game in England (“GMS”);
  • your GMS ID number which is allocated to you if registered on GMS;
  • use of and movements through information and communication systems, passwords, personal identification numbers, IP addresses, user names and other IT system identifying information;
  • information collected in any forms or surveys you complete or that are completed on your behalf or in relation to your participation in rugby;
  • information provided by you in response to your responses to requests from the RFU;
  • records of your interactions with us such as telephone conversations, emails and other correspondence;
  • CCTV footage and other information obtained through electronic or digital means, including video footage of rugby matches in which you have participated;
  • images in photographic form and voice recordings;
  • records of your attendance at any events or competitions;
  • your marketing preferences, including any consents you have given us;
  • details pertaining to the application, prevention, detection, compliance, investigations and enforcement of regulations and governance, including regulatory breaches of RFU Regulations, Remuneration Cap Regulations, Competitions Regulations and World Rugby Regulations (including breaches of RFU Regulation 17 (Anti-Corruption and Betting), RFU Regulation 19 (Discipline), RFU Regulation 20 (Anti-Doping) and RFU Regulation 21 (Safeguarding), such as:
    • your betting history and betting accounts;
    • bank, credit card and tax records; financial information, including salaries, tax payments, HMRC records and other financial and tax documentation;
    • telephone records; internet and email records;
    • information from computers and hard drives and other electronic information storage devices and documents; and
    • information pertaining to your whereabouts.

4. What Special Categories Of Sensitive Personal Information Do We Collect About You?

4.1 We may also collect, store and process the following ‘special categories’ of more sensitive personal information about you which may include the following:

  • information about your race or ethnicity, religious beliefs and sexual orientation;
  • information about your health, including any medical condition, health and sickness records, test results, medical records and health professional information;
  • information provided in order to process applications and queries under the RFU Gender Participation Policy or other inclusion and diversity policies;
  • trade union membership, such as membership of any Players’ Associations, Association of Registered Agents, Premier Rugby Limited, Premier Women’s Rugby Limited or other representative bodies;
  • genetic information and biometric information about you such as blood samples and urine samples (including test results pertaining to such samples); and
  • information about criminal convictions and offences, including information that may be disclosed by the disclosure and barring service.

4.2 In relation to the special category personal data that we do process we, do so on the basis that:

  • the processing is necessary for reasons of substantial public interest, on a lawful basis, or which are set out in Schedule 1, Part 2 of the Data Protection Act 2018 and include where processing is necessary for:
    • the safeguarding of children and individuals at risk;
    • insurance;
    • protecting the public;
    • equality of opportunity or treatment;
    • support for individuals with a particular disability or medical condition;
    • anti-doping in sport; or
    • standards of behaviour in sport
  • it is necessary for the establishment, exercise or defence of legal claims;
  • it is necessary for the purposes of carrying out the obligations and exercising our or your rights in the field of employment and social security and social protection law;
  • based on your explicit consent (solely in relation to information from the disclosing and barring service which is disclosed by you); or
  • processing is necessary for scientific research and statistical purposes.

In the table below, we refer to these as the “special category reasons for processing of your personal data”.

5. How do we use this information, and what is the legal basis for this use?

The table below describes the main purposes for which we process your personal information, the categories of your information involved and our lawful basis for being able to do this. For the purposes of this policy, please note that the purposes and lawful basis set out below apply equally if you are a child or an adult.

Purpose Lawful basis
To administer any membership account(s) and/or registration/accreditation and/or relationship you have with us and managing our relationship with you, and dealing with payments and any support, service or enquiries made by you. This is necessary to enable us to properly manage and administer your membership contract with us.
To arrange and manage the provision of national governing body services, including the promotion of rugby in England by various mediums. This is necessary to enable us to properly administer and perform our responsibilities and services as a national governing body which will cover administering your membership contract with us, complying with our legal obligations, and our and third party legitimate interests in governing the sport of rugby
To send you information relevant and relating to your participation in rugby, including but not limited to, surveys and other forms of questionnaire. This is necessary to enable us to properly manage and administer your relationship with us and your participation in rugby which will cover administering your membership contract with us, complying with our legal obligations, and our and third party legitimate interests in governing the sport of rugby
To administer and make decisions about your progression and accreditation /registration/membership status. This is necessary to enable us to properly manage and administer your development through the course and/or programme which will cover administering your membership contract with us, complying with our legal obligations, and our and third party legitimate interests in governing the sport of rugby. We process special category personal data on the basis set out in 4 above.
To administer your attendance at any courses or programmes you sign up to. This is necessary to enable us to register you on to and properly manage and administer your development through the course and/or programme in accordance with our contract with you.
To answer your queries or complaints. We have a legitimate interest to provide complaint handling services to you in case there are any issues with your relationship
The security of our IT systems. We have a legitimate interest to ensure that our IT systems are secure.
To conduct data analytics studies to better understand player performance, match data, event attendance and trends within the sport. We have a legitimate interest in doing so to ensure that our relationship is targeted and relevant.
To conduct health and player safety analysis and research. We have a legal obligation and a legitimate interest to provide you and other members of our organisation with a safe environment in which to participate in rugby.
To provide and administer insurance policies put in place by or on behalf of the RFU. We have a legitimate interest in doing so to ensure the insurance policies can be administered. We process special category personal data on the basis set out in 4 above.
To ensure equality of opportunity and treatment and to participate in rugby. We have a legal obligation and a legitimate interest to provide you and other members of our organisation with a safe environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
For the purposes of equal opportunities monitoring. We have a legitimate interest to promote a sports environment that is inclusive, fair and accessible. We process special category personal data on the basis set out in 4 above.
Support for individuals with a particular disability or medical condition. We have a legal obligation and a legitimate interest to provide you and other members of our organisation with a safe environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To use information about your physical or mental health (including any injuries) or disability status, to ensure health and safety and to assess your fitness to participate, to provide appropriate adjustments to our sports facilities and to monitor, manage and undertake research with regards to injuries, health and safety within the game. We have a legal obligation and a legitimate interest to protect the integrity of rugby and to provide you and other members of our organisation with a safe and fair environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To conduct performance reviews, manage performance and determine performance requirements and administer your development, training requirements on any player/coach/referee pathway programme. This is necessary to enable us to properly manage and administer your development through the performance programme. We process special category personal data on the basis set out in 4 above.
To make decisions about your progression and development through any player/coach/referee pathway programme and to assist with the delivery of rankings and ratings. This is necessary to enable us to properly manage and administer your development through the performance programme. We process special category personal data on the basis set out in 4 above.
To administer and monitor your attendance at events and competitions. This is necessary to enable us to register you on to and properly manage and administer your development through the performance programme.
To arrange for any trip or transportation to and from an event. This is necessary to enable us to make the necessary arrangements for the trip and/or transportation to the event. We process special category personal data on the basis set out in 4 above.
To administer any drug and alcohol testing, and administer, apply and uphold the anti-doping regulations. We have a legal obligation and a legitimate interest to protect the integrity of rugby and to provide you and other members of our organisation with a safe and fair environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To administer any testing regime pertaining to pandemics and epidemics. We have a legal obligation and a legitimate interest to protect rugby and to provide you and other members of our organisation with a safe and fair environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To safeguard children and individuals at risk, and to comply with legal obligations and requirements with regards people working with children or adults at risk. We have a legal obligation and a legitimate interest to provide you and other members of our organisation with a safe and fair environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To apply, administer, uphold, prevent, detect, investigate and ensure compliance with regulations, codes, policies and processes, and to protect and uphold the integrity and repute of the game, the RFU and other rugby stakeholders. We have a legitimate interest to protect the integrity of rugby and to provide you and other members of our organisation with a safe and fair environment in which to participate in rugby. We process special category personal data on the basis set out in 4 above.
To undertake and gather evidence for investigations, and administer grievance or disciplinary hearings. We have a legitimate interest to protect the integrity of rugby, to provide a safe and fair environment for all members and to ensure the effective application, adjudication and management of disciplinary decisions, hearings and appeals. We process special category personal data on the basis set out in 4 above.
To publish decisions of disciplinary hearings to ensure transparency and awareness amongst, clubs, educational institutions, constituent bodies and other stakeholders involved in rugby. We have a legitimate interest to protect the integrity of rugby, to provide a safe and fair environment for all members and to uphold the disciplinary process and Regulations. We process special category personal data on the basis set out in 4 above.
To record match data, player match appearance and performance data and to share this with other stakeholders or licensees. We have a legitimate interest to: (i) ensure that data is accurate for competition integrity, (ii) to promote player participation in rugby throughout England; (iii) to report on rugby participation to stakeholders; and (iv) to promote and/or commercialise the sport of rugby and England Rugby.
To assess your eligibility for and to provide support, benefits, funding, grants, accreditations, certifications, registrations and such other RFU benefits. This is necessary to enable us to properly administer and perform any application or contract for the provision of a benefit which will cover administering your membership contract with us, complying with our legal obligations, and our and third party legitimate interests in governing the sport of rugby.
To conduct research projects and statistical analysis to inform changes to the game. We have a legitimate interest in improving player welfare and rules and regulations. We process special category personal data on the basis set out in 4 above.

6. What information do we receive from third parties?

6.1 We may receive information about you from third parties and in particular we may combine your information with other information that we obtain from our dealings with you or which we receive from other organisations, including information from

  • constituent bodies,
  • representative bodies,
  • clubs, schools, colleges, universities,
  • other sports,
  • other rugby union governing bodies,
  • other rugby stakeholders (such as Players’ Associations, the Association of Registered Agents, Premier Rugby Limited, Premier Women’s Rugby Limited),
  • law enforcement,
  • testing providers,
  • data providers,
  • regulatory bodies (such as the Gambling Commission, UK Anti-Doping, World Anti-Doping Agency), and
  • such other reputable third parties with whom we have relationships.

6.2 We may receive information about you from our group companies, subsidiaries or associated (joint venture) companies in which we have an interest including: World Rugby, European Professional Clubs Rugby, England Rugby Travel Limited, Twickenham Experience Limited, British & Irish Lions DAC, Six Nations Rugby Limited, Premier Women’s Rugby Limited, Rugby Reflink Limited, RFU Hotel Limited and RFU Health and Leisure Limited.

6.3 We may receive information about you from the rights owner(s) of event(s) you have attended at Allianz Stadium, if we have been informed that you have provided the necessary consent or we have another lawful ground to have your information such as for health and safety and/or operational reasons relating to your attendance at the event.

7. With Whom Do We Share Your Information?

7.1 We share personal information with the following parties:

  • Any party approved by you;
  • We may share information about you with our group companies, subsidiaries or associated (joint venture) companies in which we have an interest including England Rugby Travel Limited, British & Irish Lions DAC and Six Nations Rugby Limited.
  • World Rugby, European Professional Club Rugby, other rugby union governing bodies across the globe, rugby and non-rugby competition organisers and other sporting governing bodies for the purposes of applying, administering and upholding regulations, codes, policies and processes, and to protect and uphold the integrity and repute of the game, the RFU and other stakeholders.
  • National and regional rugby bodies (including referee societies, constituent bodies, any Players Association, Premier Rugby Limited, Premier Women’s Rugby Limited) and other clubs/rugby entities where necessary to for the purposes of applying, administering and upholding regulations codes, policies and processes, and to protect and uphold the integrity and repute of the game, the RFU and other stakeholders and to allow them to properly administer rugby and regulation on a local, regional and national level;
  • Other service providers: for example, email marketing, market intelligence, market research, mail houses, print facilities, payment processors, data analytics service providers, third party marketing platforms, gamified experience service providers, merchandising services, payment processors, CCTV contractors, third party monitoring companies, case management system suppliers, ticketing operators, software suppliers, research parties, investigatory service providers, data providers, commercial rights providers, anti-doping testing providers and other medical testing providers, medical providers, promotional advisors, contractors or suppliers and IT services (including Customer Relationship Management, website, video and teleconference services).
  • When someone visits England Rugby digital platforms we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
  • To Government, statutory agencies, regulatory bodies (such as the Gambling Commission, UK Anti-Doping, World Anti-Doping Authority and Public Health England) or other parties where we are required to do so by law, for reasons of public health and safety or to assist with investigations or initiatives.
  • Police, law enforcement and security services and other relevant regulators, such as the Information Commissioner’s Office: to assist with the investigation and prevention of crime and the protection of national security and for the purposes of applying, administering and upholding regulations.
  • On our website for the purposes of publishing decisions of disciplinary hearings to ensure transparency and awareness amongst, clubs, educational institutions, constituent bodies and other stakeholders involved in rugby.
  • Broadcasters, other partners and official data licensees or providers in respect of the broadcasting and/or promotion or commercialisation of matches, match and player data, and/or usage other related content for various commercial, data usage, statistical and/or analysis purpose

7.2 We do not disclose personal information to anyone else except as set out above or as set out in our other Privacy Notices.

8. International Data Transfer

The personal information we collect may be transferred to and stored in countries outside of the UK and the European Economic Area (EEA). Some of these jurisdictions require different levels of protection in respect of personal information and, in certain instances, the laws in those countries may be less protective than the jurisdiction you are typically resident in. We require third parties to respect the security of your data and to treat it in accordance with the law, and if we do share your personal information outside the UK and/or the European Economic Area, you can expect a similar degree of protection in respect of your personal information.

9. What rights do you have?

9.1 You have the following rights:

  • Right of access (also known as a subject access request): you can ask us for a copy of your data in a machine readable format or any other common format you wish;
  • Right to erasure: (Also known as right to be forgotten) you can ask us to delete your data;
  • Right to be informed: you can ask us how why and whom we share your data with;
  • Right to object: you can ask us to stop processing your data;
  • Right to restrict processing: you can ask us to only process certain data;
  • Right to rectification: you can ask us to update your data;
  • Right to data portability: you can ask us to move copy and transfer your data to a third party; and
  • Rights related to automated decision making and profiling: you have the right not to be subject to a decision based solely on automatic processing, including profiling.

9.2 These rights may be limited, for example if fulfilling your request would reveal personal data about another person or if there is a legal or regulatory reason for not providing data, or if you ask us to delete or restrict the use of information which we are required by law to keep or have legitimate interests in keeping or using.

9.3 For more detailed information on the rights you have as an individual which you can exercise in relation to the information we hold about you, please refer to the Information Commissioner’s Office website https://ico.org.uk/.

9.4 To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to the applicable data protection authority where you live, work or where you believe a breach may have occurred. This is the Information Commissioner’s Office in the UK.

10. How long will we retain your data?

10.1 The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory, legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. After this time, information is deleted/destroyed in accordance with the RFU’s approved retention schedules. Please contact legal@rfu.com for further information about retention periods.

10.2 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

10.3 It is important to ensure that the personal information we hold about you is accurate and up-to- date, and you should let us know if anything changes, for example if you change your phone number or email address. You can contact us by using the details set out in the "How do you get in touch with us?" section below.

11. How do you get in touch with us?

11.1 The RFU tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

11.2 We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at legal@rfu.com or by writing to Data Protection Officer, Rugby Football Union, Rugby House, Allianz Stadium, 200 Whitton Road, Twickenham TW2 7BA.

12. Changes to this Privacy Notice?

12.1 This Privacy Notice may be updated from time to time. The date of the most recent revisions will appear on the bottom of the page.

 

Last reviewed: 2nd September 2024 | Version 9.0