This page sets out in more detail the key principles that underpin UK data protection law and what they mean in practice for your organisation. These are:
- Lawfulness, fairness and transparency
- Accuracy
- Purpose limitation
- Data minimisation
- Storage limitation
- Security
- Accountability (see Data Governance)
This section also deals with other material obligations which may come up more regularly, such as engaging third parties, completing risk assessments, and dealing with data breaches.
Fair, lawful and transparent use
A fundamental principle of the law is that an organisation must only use data fairly, lawfully and transparently.
What to do
Put simply, this means that you should:
- Identify valid grounds under the UK GDPR for collecting and using personal data. These are known as ‘lawful bases’ and this toolkit sets out some more detail on the bases you may commonly use;
- Ensure that you do not do anything with the data that would breach laws;
- Use the data in a way that is fair, meaning your use should not be unduly detrimental, unexpected or misleading to the individuals concerned; and
- Be clear, open and honest with people about how you use their data and why. This is usually done by providing a privacy notice, which can be hosted on a website.
How to do it
You will need to ensure that the reasons for handling individuals’ data fall within one of the lawful grounds for processing set out in the UK GDPR. For most categories of personal data, this means that at least one of the following must apply whenever you use personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This might apply where you are collecting a member’s data in order to administer their membership.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). This may apply where you are collecting data in order to meet certain employment law requirements.
- Vital interests: the processing is necessary to protect someone’s life. This is often only relevant in the context of medical emergencies.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This is a more flexible basis of processing.
Note that this means that you will often have an alternative to seeking the individual’s consent for their data to be used.
Additional rules apply where you are processing data on criminal convictions or other ‘special category data’, which includes information on a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation. If you are collecting this information, you should seek further advice to ensure that you are processing this appropriately. You can find more information in ICO guidance here. You may wish to contact the RFU Legal Helpline on 0333 0100337 with any specific queries in relation to special category data.
You will need to assess each process you undertake to determine the appropriate lawful basis and record your decision-making process. You should then record your lawful basis in your record of processing.
Legitimate interests
Legitimate interests can be used as a basis of processing where the collection and use of the data is in the interests of your organisation or of another third party (which may include the RFU or the individuals themselves), but the processing is not required by law or by a contract with the individual.
Legitimate interests is the most flexible basis of processing and is most likely to be appropriate where you want to use people’s data in a way they would reasonably expect and which has a minimal privacy impact, or where you have a compelling reason for processing.
Examples of where legitimate interests may be an appropriate basis of processing include:
- Inputting first team players onto GMS. The RFU will set this out in its own comprehensive privacy policy;
- Recording who officiates at matches;
- Maintaining lists of players, members, referees, parents of children at a club etc.; and
- Providing an individual’s details to the RFU or a CB for regulatory or disciplinary purposes.
In order to rely on legitimate interests, you will need to complete a ‘legitimate interests assessment’ which is a form of risk assessment to establish that the processing does not improperly override the rights of individuals.
You can find more guidance on these assessments and legitimate interests more generally from the ICO here.
Legal obligation
An organisation may process an individual’s data if there is a legal obligation to do so.
For example, where you are required to maintain accounting records, or provide information to HMRC, this will be subject to a legal obligation.
You can find more guidance on using legal obligation as a basis from the ICO here.
Performance of a contract
In addition, an organisation may use an individual’s data where it is necessary for the purposes of performing a contract. An example of this would be using a member’s details to register them as a player at your club.
You can find more guidance on using performance of a contract as a basis from the ICO here.
Consent (including marketing)
There are some circumstances when you will need consent from an individual to use their data. The UK GDPR sets a high standard for valid consent and it can be easily revoked by the individual. Therefore, if obtaining consent will be difficult, or the data is necessary for you to run your organisation, you should look for a different lawful basis.
A common example of where you will need to obtain consent is email marketing, such as emails promoting club events or adverts for sponsor products. This does not apply to genuine service messages, such as a change of time to an event a person has already registered for. General branding and taglines do not count as marketing, but if the message includes significant promotional material encouraging people to buy products or services, then consent is required.
Consent needs to be freely given, meaning there needs to be a genuine choice, and informed, meaning you need to give individuals information on what they are consenting to and who the relevant controller is.
Consents should not be bundled, either with each other or into terms and conditions. This means you will need separate tick-boxes for people to agree to your terms and conditions and to obtain their consent to marketing. This also means you will need a separate consent for any third party sponsors or partners if you intend to share details to enable them to do their own marketing. Note that this does not include where you are sending marketing that includes sponsor branding as this only requires consent to receive marketing from you.
Consent needs to be indicated by a clear affirmative action. This means you should not use pre-ticked boxes.
Note that only those 13 years old or over can give consent for online services, like marketing. For those under 13, you will need parental consent.
More detailed ICO guidance on consent can be found here and on direct marketing rules here.
Transparency and privacy notices
Individuals have a right to be informed about how organisations use their data. This means that each club, referee society and CB will need to provide a ‘privacy notice’ setting out certain required information.
This needs to be provided to people when you collect their data for the first time and it is advisable to keep the notice available on your website. If you do not have a website, you can consider how else this may be distributed to members and third parties, such as by email once per season.
You can find more detail on what information is required, and transparency more generally, on the ICO website. The ICO website also has a privacy notice generator which can help small organisations create a bespoke privacy notice.
Cookie policies
If your club, referee society or CB has a website that uses cookies or other similar technology, you will need to obtain consent before setting any non-essential cookies and will also need a policy setting out how that website uses cookies.
These tend to be in standard form and will often be provided by the company that has produced your website.
The ICO has provided a guide to cookies here.
Accurate data
What to do
Another principle is that data must be accurate and kept up to date. The law requires that “every reasonable step” is taken to ensure that inaccurate data is erased or corrected.
How to do it
This principle does not mean that you need to keep asking people if their data has changed, only that you take reasonable steps to keep it up to date. This includes data held on GMS as well as any other records. What this means in practice will depend on the type of data and the reason you have it. In many cases, this means that you should review the data you hold on a regular basis and encourage people to let you know if their details change. If appropriate, you may remind your members to update their details each season. More detail on this principle can be found on the ICO website here.
Purpose limitation
What to do
As set out above, individuals’ data can only be collected and used for specified and legitimate purposes. It must not be used further in a way that is incompatible with these purposes.
How to do it
Ensure that you have a process in place that does not allow individuals’ data to be used beyond what you have told individuals you will use their data for.
For example, if you collect individuals’ data for general administrative purposes, you cannot automatically add them to a database of people who receive commercial mailings from sponsors.
You could, however, use the data for reasons which are compatible with your original purposes for processing.
For example, if you have obtained data in order to administer and manage the team, it would be compatible to process the data for maintaining a record of a club’s results, even if this is not specifically described in a notice.
The ICO has further details on this on its website here.
Data minimisation
What to do
Another principle of data protection law is that organisations must only hold and use the data that they actually need. This means that you should only collect the data that is necessary for the purpose you are using it for, i.e. do not collect additional data just in case you may need it in the future or because it might be interesting, even if an individual consents to the collection.
How to do it
When collecting data, consider why you are doing so, and what you need. Every piece of data you collect should be necessary for a purpose you have set out in your privacy notice.
For example, only collect bank details if you actually need to use them to pay someone. In particular, be careful only to collect special category data (such as ethnicity, health information, religion or sexuality) if this is absolutely necessary for a particular purpose.
Always consider if you could use information at an anonymous level instead. For example, if you want to know the demographics of your club over time, you may not need to identify individuals to get this information. Anonymous information falls outside of the scope of the UK GDPR, and this is a good way of reducing the amount of personal data you hold.
For more information, please visit the ICO website here.
Storage limitation and retention periods
What to do
Another principle is that you should not keep personal data for longer than you need it. This will differ depending on the type of data and the reason you collected it. This principle is closely tied to the principles of accuracy and data minimisation, as inaccurate or very old data is unlikely to still be necessary.
You will also need to include information on storage periods in your privacy notice. It is not usually necessary to specify the exact storage periods for each type of data, but you will need to provide information on the principles you considered when setting such storage periods. Individuals can also ask for more information, so you should be prepared to provide detail on your storage periods if asked.
Once retention periods are set, these should be recorded in your record of processing. You should also implement a policy for the regular review and deletion of data.
How to do it
You will need to review the data you collected and why you have it. You should consider whether there are any regulations that set out specific time periods. For example, there are a number of laws governing the retention of employee data that you should abide by. There may also be rugby regulations that you will need to take account of. For example, match results and team lists need to be retained indefinitely.
You should also consider any common limitation periods. For example, many organisations will set retention periods at around seven years following the expiry of contracts to reflect statutory limitation periods. This will not apply in every case and you should seek appropriate advice when considering your retention periods.
You should also implement appropriate procedures for review and deletion of data. What is appropriate will depend on your organisation, but it may be sensible to review data at the end of a season or membership cycle.
Having all of this data in one place, such as GMS, will make this process easier.
The ICO has produced guidance on storage limitation here.
Data security
What to do
A key principle of UK data protection law is that organisations should process personal data securely by implementing ‘appropriate technical and organisational measures’. It will be vital for your club, referee society or CB to implement appropriate security controls for all data.
Some of these controls can be technological ones, but many other controls are very practical.
How to do it
What is appropriate will depend on the data you have as well as the resources available to you. However, the UK GDPR does suggest measures including the pseudonymisation and encryption of data where appropriate.
A secure way to store data will be in GMS, where significant technological security measures are in place.
For other ways in which you store data, there are a variety of steps that you can take:
- If data is stored on a computer, ensure that antivirus software is kept up to date;
- Ensure that any computer on which data is stored has appropriate password protection and is kept secure;
- Ensure that any hard copy documents containing individuals’ data are kept secure; and
- If there are any databases or spreadsheets containing large amounts of personal data, consider whether these should be password protected.
Also be aware of how data is transferred:
- If you send out spreadsheets or lists of individuals’ data, consider whether you need to send these all out by email, and to each recipient, or whether you are able to use more secure means such as encrypted links; and
- Where emails are sent out to large distribution lists and there is no need for others to reply to all, ensure recipients are bcc’d rather than cc’d to avoid disclosing others’ contact details.
Where to find more information
The ICO provides detailed guidance on the security principle here. You may also want to take advice from security professionals.
Data breaches
It is possible that a data breach may occur, even where your organisation has implemented a robust compliance programme.
A data breach is, put simply, a security incident that has affected the confidentiality, integrity or availability of personal data.
There will be a personal data breach whenever any personal data is accidentally or unlawfully lost, destroyed, altered or disclosed, or if someone accesses the data or passes it on without proper authorisation, or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
There may be a number of ways this can happen, such as a lost laptop, a file sent to the wrong recipient or a hack. It need not be technological, for example a lost hard copy file could also be a data breach.
What to do
You will need to have in place a procedure to identify, report and manage a data breach. As noted elsewhere, each club/referee society/CB is likely acting as a controller of the data it holds. A controller has 72 hours from the time it becomes aware of a breach to make a report to the ICO. Most breaches will need to be reported to the ICO, unless they are unlikely to result in a risk to the rights and freedoms of affected individuals. These reports can be made online to the ICO here. On the same page, the ICO also provides a simple assessment tool to help you determine if you need to make a report. You can give updates on the report, so you do not need to wait until you have all the information available to make the initial report.
Where a breach results in a high risk to the rights and freedoms of individuals, you may also need to inform those individuals of the breach directly, providing them with information on the breach, the likely consequences, and any protective actions they should take.
You will also need to thoroughly investigate any breach to determine the causes and implement appropriate remedies to reduce the likelihood of recurrence. You should also keep detailed records of any data breach, whether or not you decide to report it.
How to do it
You should ensure you have a process in place ahead of time setting out what your staff need to do in the event of a breach. The procedure need not be complex. In fact, the simpler it is, the better.
A suggested procedure is contained in Appendix 1. Note that this is only a suggested starting point and not a formal process approved by the ICO – you should work out a process which is appropriate for your club/referee society/CB. In particular, you will need to identify which individuals at your organisation need to be informed and involved in the investigation and decision-making process. Who this is will depend on your organisation, but it would be sensible to include senior figures, suitable security/technology personnel, legal advisors, and, when needed, communications advisors.
Where to find more information
The ICO has detailed guidance on what constitutes a data breach and what to do. This can be found on the ICO website here.
A simpler guide aimed at small businesses is also available here, and may be an easier starting point.
Data protection impact assessments
What to do
Where the club/referee society/CB is using individuals’ data, there are some occasions when it must conduct a Data Protection Impact Assessment (DPIA). This is a type of detailed risk assessment to help you analyse, identify and minimise data protection risks in certain projects. DPIAs can be very involved tasks, so it is important to identify if one is needed early on in a project.
Most clubs, referee societies, and CBs are unlikely to need to carry out DPIAs as a matter of course, because they are required where new technologies are used and there is a high risk to the rights of individuals. However, you should be aware of the requirement to check whether a DPIA is needed whenever you start a project involving the use of personal data, particularly if it involves new technologies, location tracking, or use of data of children or other vulnerable individuals.
One common instance where a DPIA may be required is where CCTV is used, though its use will still need to result in a high risk to people.
How to do it
The ICO has detailed guidance on when a DPIA is needed and how to complete one here. The ICO also provides a template to help you complete the assessment, available here.
The ICO also provides some simple guidance on steps to take when utilising CCTV here.
Using third party providers
Many organisations will use third parties to process data for them.
This could be another company hosting a website or, for larger and more complex clubs, other services such as mailing houses for larger-scale mailouts or other technology providers. Where a third party is using data on your behalf and under your instructions, it is more likely that the third party will be a ‘data processor’.
There may also be limited situations where your organisation acts as a ‘joint controller’ with another organisation.
What to do
Where a third party acts as your processor, you will need to have a contract with that third party, and that contract will need to contain certain minimum provisions. See the section on ‘Contracts’ in the Practical Steps to Take section of this toolkit for more details.
If you act as a joint controller, you will need to enter into a written agreement with the other joint controller(s). This should set out the division of responsibilities for the processing, including responsibility for responding to data subject requests and what will happen in the event of a breach.
Where to find more information
The ICO provides detailed advice on this here.
For legal advice on this, you can contact the RFU’s Legal Helpline on 0333 0100337.
International data transfers
In some cases, the third party you are sharing data with may not be based in the UK. For example, you may use a software provider that is based in another country. In such cases, you will need to take additional steps, which may require including additional terms in your agreements. This is important, as many jurisdictions outside the UK have less stringent protections for individuals’ data.
What to do
Where you share data with a third party, find out whether they will hold individuals’ data outside the UK.
If the third party will hold individuals’ data outside the UK, then you will need to first check whether that jurisdiction or business benefits from an ‘adequacy decision’. If they do, then no further additional terms are needed. The current list of adequacy decisions is available on the ICO website here.
If there is no adequacy decision, you will need to conduct additional assessments as to whether you can share the data. If you can, you will also likely need to enter into the International Data Transfer Agreement (IDTA) with the third party, which cannot be amended. These assessments are complicated, and you should read the ICO guidance carefully and seek appropriate independent advice.
Where to find more information
The ICO guidance on international transfers is available here. The ICO also provides a template transfer risk assessment and the IDTA.
For legal advice on this, you can contact the RFU’s Legal Helpline on 0333 0100337.
Children's data
If you collect and process data concerning children, additional considerations will apply. This may happen if your club has a youth team or if you are working on safeguarding matters related to children. The ICO has provided detailed guidance on the use of children’s information here, as well as useful resources which can be found here. Some particular points you should be aware of include:
- Children have the same rights over their data as adults, so they can also request access to their data.
- You may need to write another version of your privacy notice so that it can be understood by children.
- Only children aged 13 and over can provide their consent. If you are relying on consent for any processing of data on children under the age of 13, you will need to obtain the consent of the person who holds parental responsibility.