Legal and Administration

20 Jul 2023 | 4 min

What you need to know


This section covers some basic principles and definitions you will need to know to implement and maintain your compliance programme. More detail is contained in other sections of this toolkit and linked as appropriate.

What is personal data?

Put simply, personal data is any information which relates to a living person and allows you to identify them. Most obviously, this can be an individual’s name, but it could be their address, email address, medical history or sporting history.

Rugby clubs, referee societies and constituent bodies use individuals’ data in a number of ways. This includes obtaining and using data about players, referees, administrators, other volunteers, employees and website users.

Personal data can be held in a large number of places, such as GMS, club spreadsheets, committee minutes, disciplinary judgments, member application forms and many more. Importantly, privacy rules will capture personal data held at club/referee society/CB premises and systems, but also on an individual’s own equipment at their home if they are using it as part of their role at the club/referee society/CB.

What are the UK laws?

All organisations in the UK will be subject to the UK General Data Protection Regulation (UK GDPR). This is supplemented by the Data Protection Act 2018.

The UK GDPR gives individuals more rights in relation to their data, and places an increased onus on all organisations, whether commercial companies or not-for-profit organisations such as rugby clubs, to secure individuals’ data and use it only as necessary.

In simple terms, the UK GDPR helps protect our players, members and clubs by requiring that data is kept more secure, and that organisations only hold the data that they need to.

The UK GDPR also requires organisations to be more transparent about the data they use. Organisations holding personal data will need to give more information to people about what they do with those people’s data, why, and how long they will keep it.

They must also keep the information secure. One safe way to store and use data is through the RFU’s Game Management System (GMS). If you store data in other ways, you will need to think carefully about how this data is secured.

The Privacy and Electronic Communications Regulations (PECR, or sometimes ‘ePrivacy’ regulations) apply to direct marketing (including email, telephone, text, and post), and other online privacy concerns, such as the use of cookies and similar technologies. For rugby clubs, referee societies, and constituent bodies, these rules are relevant primarily because of the need to obtain individuals’ consent prior to setting cookies or sending marketing.

These rules apply to organisations operating in the UK, so will capture all RFU member clubs, referee societies, and constituent bodies. In the UK, the data protection regime is monitored and enforced by the Information Commissioner’s Office (ICO).

What this toolkit does

The RFU has put together this toolkit to help clubs, referee societies and CBs in the following ways:

  • To understand what the data protection laws require
  • To provide practical steps to achieve compliance
  • To signpost to further resources to help achieve compliance

This toolkit is divided into five sections:

The ICO has a large amount of guidance available on its website.

For any general queries relating to data protection, please contact the RFU Legal Helpline on 0333 0100337.