UK data protection law grants individuals certain rights in respect of the data you collect about them. This includes rights of access, but also a number of other rights. This section provides information on what those rights are and what that means for you in practice.
Right of access
The right of access is probably the most well-known right. This entitles individuals to request a copy of all of the data you hold about them. A request does not need to be provided in any particular form, so you will need to know how to recognise one. In most cases, you will have one month to provide the information and you cannot charge a fee for responding.
You will also need to provide information on how the data is used and where it is shared. This can often be achieved by providing a copy of your privacy notice.
How to prepare
This can be an onerous task, but it is an important one. You should ensure that you have a process in place ahead of time that will enable to you recognise and respond to data subject access requests.
The RFU has provided an example of what this process may look like at Appendix 2. You should tailor this to suit your organisation and set out the details of which individuals will be notified and who is responsible for reviewing records and determining what information should be provided.
What to do if you receive a request
You will need to follow the process you have set out for yourselves.
You will need to find all data held by the organisation on that individual. If all individuals’ data is held in one place (for example GMS), this will be easier. You may need to go through emails, databases and other places where individuals’ data is stored.
If an individual requests data held in GMS from the club or referee society, then it is the responsibility of the club or referee society to supply this – requests should not be forwarded on to the RFU.
If an individual requests their data, we recommend engaging with them fully. Often an individual will only want a specific set or piece of information and you are permitted to ask clarifying questions to help understand the request.
The individual is only entitled to receive information about themselves, not information about other people, or other commercially sensitive information. It can be very difficult to determine what information should be provided, particularly where information is intertwined with data on other individuals. You should also be aware that a number of exemptions apply and you will need to consider these carefully and obtain independent advice where appropriate.
You will need to provide the information within one month and it should be provided in a sensible format. For example, if the individual made the request electronically, it would be reasonable to provide the information in a common electronic format.
Where to find more information
There is extensive guidance on the ICO website here.
You can also contact the RFU Legal Helpline on 0333 0100337 for further guidance.
Other rights
There are a number of other rights afforded to individuals. These include:
- The right to have their data rectified if it is incorrect;
- The right to have their data deleted (otherwise known as ‘the right to be forgotten’);
- The right to restrict your use of their personal data;
- The right to have their data transferred to a third party;
- The right to object to certain uses of their personal data; and
- Additional rights in respect of automated decision-making.
All of these rights are subject to their own limitations and exemptions, which will need to be assessed if you receive a relevant request. For example, an individual cannot use the “right to be forgotten” to remove all of their data from GMS if they are playing or coaching (as from a governance perspective it is important that this data is kept correctly), or if they are in a disciplinary process (including anti-doping or safeguarding).
The processes you implement to assist in responding to access requests can also be used to assess and respond to other rights requests.
Further information can be found at ICO here. You should also consider whether it would be appropriate to obtain independent advice if you receive a relevant request.