Our club aims to ensure that all data collected about coaches, players and parents is collected, stored and processed in accordance with the Data Protection Act 1998.
This policy applies to all data, regardless of whether it is in paper or electronic format.
2. Legislation and guidance
This policy meets the requirements of the Data Protection Act 1998, and is based on guidance published by the Information Commissioner’s Office.
It also takes into account the expected provisions of the General Data Protection Regulation, which is new legislation due to come into force in 2018.
The club is a not-for-profit organisation that qualifies for an exemption and does not need to register with the ICO.
|Personal data||Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified|
|Sensitive personal data||Data such as:
|Processing||Obtaining, recording or holding data|
|Data subject||The person whose personal data is held or processed|
|Data controller||A person or organisation that determines the purposes for which, and the manner in which, personal data is processed|
|Data processor||A person, other than an employee of the data controller, who processes the data on behalf of the data controller|
4. The data controller
Our club processes personal information relating to players, their parents, coaches and volunteers, and, therefore, is a data controller. Our club delegates the responsibility of data controller to the Data Protection Officer, Desiree Correia.
5. Data protection principles
The Data Protection Act 1998 is based on the following data protection principles, or rules for good data handling:
- Data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes
- Personal data shall be relevant and not excessive in relation to the purpose(s) for which it is processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data shall not be kept for longer than is necessary for the purpose(s) for which it is processed
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of data in relation to the processing of personal data
6. Privacy/fair processing notice
Players and parents
What information do we collect?
We collect and process personal data from a player and parent when they join and when we carry out annual renewals of your membership. We also collect personal data from volunteers. These may include:
- date of birth
- RFU ID (as assigned in GMS)
- home address, email address and phone number
- type of membership and involvement in particular teams, or any key role a person may have been allocated, such as Chair, Safeguarding Lead, Membership Secretary etc.
- payment and/or bank account details
- marketing preferences, including any consents you have given us medical conditions or disability, where provided with the consent of the player or parent to ensure we are aware of any support we may need to provide to you.
Some information will be generated as part of your involvement with us, in particular data about your performance, involvement in particular matches in match reports and details of any disciplinary issues or incidents you may be involved in on and off the pitch, such as within health and safety records.
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
What information do we receive from third parties?
Sometimes, we receive information about a player from third parties. For example, a player’s school may contact the club about a player with safeguarding concerns.
We may receive information relating to existing registrations with other clubs or rugby bodies or disciplinary history from the RFU through GMS. Additionally, for certain role holders or those working with children, we may receive information from the Disclosure and Barring Service and RFU on the status of any DBS check you have been required to take.
7. Storage of records
- The club will only use paper records of players to bring to register for matches and will store the records at a safe location. There records will not hold e-mail addresses or phone numbers, but will consist of names, RFU numbers and the date of birth of the players.
- Coaches or admin staff who store personal information on their personal devices are expected to follow sensible security procedures, like having a secure password on the device they use to access the data, and to have an up-to-date virus scanner and firewall.
- Age group communication is decided by the person who volunteers for the role. Many age groups use apps like teamer, where the subscribed has control over their data and can unsubscribe themselves. Where email lists are used, the age group admin will ensure that the people on the list have opted in to receive these, and will remove them immediately when they or their child has left the club or when they ask to be removed.
8. Disposal of records
Personal information that is no longer needed, or has become inaccurate or out of date, is disposed of securely.
How long will you retain my data?
We process the majority of your data for as long as you are an active member and for 3 years after this.
Where we process personal data for marketing purposes with your consent, we will continue to process the data unless you ask us to stop, when we will only process the data for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
Where we process personal data in connection with performing a contract or for a competition, we keep the data for 3 years from your last interaction with us.
We will retain information held to maintain statutory records in line with appropriate statutory requirements or guidance.
The RFU will maintain records of individuals who have registered on GMS, records of DBS checks and the resulting outcomes and other disciplinary matters for such period as is set out in the RFU’s privacy notice to be set out on www.englandrugby.com.
Records of your involvement in a particular match, on team sheets, on results pages or in match reports may be held indefinitely both by us and the RFU in order to maintain a record of the game.
Records of your involvement in particular meeting may be held indefinitely by us in order to maintain a record of clubhouse functionality.
10. Data Breach
In the case of a data breach, the data protection officer will be notified immediately and she will take steps to:
- Warn all people involved in the breach
- Review how the breach happened
- Follow up with procedures and/or training to ensure it will not happen again
11. How do I get in touch with you or the RFU?
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at firstname.lastname@example.org
If you have any concerns about how the RFU process your data, you can get in touch at email@example.com or by writing to The Data Protection Officer, Rugby Football Union, Twickenham Stadium, 200 Whitton Road, Twickenham TW2 7BA.
Our admin volunteers are provided with data protection training as part of their induction process.
13. The General Data Protection Regulation
We acknowledge that the law is changing on the rights of data subjects and that the General Data Protection Regulation is due to come into force in May 2018.
We will review working practices when this new legislation takes effect and provide training to admin volunteers where necessary.