This section covers some basic principles and definitions you will need to know to implement and maintain your compliance programme.
What is personal data?
Put simply, personal data is any information which relates to a living person and allows you to identify them. This can be an individual’s name, their address, email address, medical history or sporting history.
Rugby clubs, referee societies and constituent bodies use individuals’ data in a number of ways. This includes obtaining and using data about players, referees, administrators, volunteers, employees and website users.
Data is stored in a large number of places, such as GMS, club spreadsheets, committee minutes, disciplinary judgments, member application forms and many more. Privacy rules will capture personal data held at club/referee society/CB premises and on their systems. Additionally, data is stored on personal devices that individuals use as part of their role at a club/referee society/CB.
What are the UK laws?
All organisations in the UK will be subject to the UK General Data Protection Regulation (UK GDPR). This is supplemented by the Data Protection Act 2018.
UK GDPR gives individuals more rights in relation to their data, and places an increased onus on all organisations, whether commercial companies or not-for-profit organisations - such as rugby clubs - to secure individuals’ data and use it only as necessary.
UK GDPR helps protect our players, members and clubs by requiring that data is kept securely, and that organisations only store necessary data.
UK GDPR requires organisations to give more information to people about how, why and how long they will store their data.
Organisations must keep the information secure. A safe way to store and use data is through the RFU’s Game Management System (GMS). If you store data in other ways, you will need to think carefully about how this data is secured.
The Privacy and Electronic Communications Regulations (PECR, or sometimes ‘ePrivacy’ regulations) apply to direct marketing (including email, telephone, text, and post), and other online privacy concerns, such as the use of cookies and similar technologies. For rugby clubs, referee societies, and constituent bodies, these rules are relevant primarily because of the need to obtain individuals’ consent prior to setting cookies or sending marketing.
These rules apply to organisations operating in the UK, so will capture all RFU member clubs, referee societies, and constituent bodies. In the UK, the data protection regime is monitored and enforced by the Information Commissioner’s Office (ICO).
RFU GDPR Toolkit
The RFU has put together this toolkit to help clubs, referee societies and CBs in the following ways:
- To understand what the data protection laws require
- To provide practical steps to achieve compliance
- To signpost to further resources to help achieve compliance
This toolkit is divided into five sections:
- Practical steps to take now
- Data governance
- Collecting and using data
- Data security
- Other rights of individuals
The ICO has a large amount of guidance available on its website.
For any general queries relating to data protection, please contact the RFU Legal Helpline on 0333 0100337.