Safeguarding Privacy Policy
This policy should be read in conjunction with the Premier League Safeguarding Policy and Section S of the Premier League Rules which governs the notification of referrals to external bodies and football authorities. It explains how the Premier League uses personal data in relation to the safeguarding of children and adults at risk (together, Safeguarding Activity).
This policy applies to personal data provided by, or received in respect of persons associated with the Premier League, including but not limited to Club players (including EFL players, Club Community Organisation participants and Club Academy Players), any persons employed or deployed by a Club or Club Community Organisation whether in a paid, voluntary, consultancy or third-party capacity, as well as match officials, agents, managers, trialists, coaches, scouts, club staff, directors (including shadow directors and club owners) and player family members (you or your), in accordance with the General Data Protection Regulation and other applicable data protection legislation including the Data Protection Act 2018 (together, the Data Protection Law).
We keep our privacy practices and procedures under review and we may amend this policy from time to time. This version is dated August 2020.
PLEASE READ THIS POLICY, TOGETHER WITH ANY OTHER PRIVACY NOTICES WHICH WE MAY PROVIDE TO YOU, CAREFULLY SO THAT YOU ARE AWARE OF AND UNDERSTAND THE WAYS IN WHICH WE COLLECT AND USE YOUR PERSONAL DATA. Our Player and Related Persons Privacy Policy (and in the case of Premier League personnel our Employee Privacy Notice) sets out more information about our use of your data generally. You can review it here.
This policy applies to our use of your personal data, but other organisations such as the Football Association (the FA), County FAs, English Football League (the EFL), the Players' Football Association (the PFA), the Union of European Football Associations (UEFA) and Fédération Internationale de Football Association (FIFA) (together, the Football Authorities) and the Premier League's and EFL's member football clubs (each a Club) (as applicable) are also likely to collect and use your personal data and you should also refer to their respective privacy policies to understand how each of these organisations use your data, including in relation to their safeguarding activities under their own safeguarding policies.
1. Background
1.1. The Premier League is a “controller” under the Data Protection Law, which means that we are responsible for deciding how we use the personal data that we collect about you.
1.2. In accordance with the Data Protection Law, we will ensure that the personal data we hold about you is, at all times:
(a) used fairly, lawfully, and transparently;
(b) collected for limited, specific purposes only;
(c) adequate, relevant to and limited to what is necessary for those purposes;
(d) kept accurate and up-to-date;
(e) not kept for longer than is necessary; and
(f) held securely.
1.3. We shall be accountable for and able to demonstrate our compliance with our obligations under the Data Protection Law, and this policy is one of the ways in which we do that.
1.4 We have appointed a Data Protection Lead to oversee compliance with this policy and our data protection compliance activities. The Data Protection Lead has also established a dedicated data protection team to provide the necessary support.
2. What Personal Data we collect and when
2.1. Personal data means any information about you from which you can be identified. It does not include data where your identity has been removed (i.e. anonymous data). There are also “special categories” of more sensitive personal data which require a higher level of protection, for example personal data revealing or concerning a person's racial or ethnic origin, health, or criminal convictions and offences. We collect and use a range of personal data, including special category personal data in some circumstances, depending on your role or relationship with the Premier League and our Safeguarding Activities. This may be in relation to your recruitment, or a report or other communication that you make or contribute to about other people, or a report or other communication that is made about you.
2.2. You provide some of your personal data to us directly (or via your Club) and, in addition to the personal data described in our Player and Related Persons Privacy Policy (and in the case of Premier League personnel our Employee Privacy Notice), this will also include:
(a) any information you may provide as part of pre-recruitment checks for roles where you would be employed or contracted by the Premier League, such as Disclosure and Barring Service (DBS) checks, which may include your identification verification, references and (where applicable) criminal record checks ;
(b) reported incidents, allegations and disclosures made in accordance with the Premier League Safeguarding Policy or section S of the Premier League Rules and those set out in the relevant sections of the Affiliated Football Safeguarding Referral Form which you complete, or contribute to, and which are submitted to us including in Section 6;
(c) details of the person completing the Affiliated Football Safeguarding Referral Form;
(d) other information which you report, or provide in response to requests and/or in correspondence with the Premier League in relation to our Safeguarding Activities which may include your contact details, role, statements and/or opinions; and
(e) any other personal information you share with us, including by way of email, telephone call or interview as part of our Safeguarding Activities.
2.3. Any information requested as part of a pre-recruitment and procurement check is mandatory, and failure to provide the required information may preclude you from being registered in certain roles. Other information that you provide in relation to Safeguarding Activities may be optional, although failure to provide it may have an impact on the ability to investigate and take action in relation to such matters. When you are asked to provide non-mandatory information to the Premier League this will be clearly indicated.
2.4. We will also collect other personal data about you relevant to our Safeguarding Activities from your Club or other third parties and, in addition to the personal data described in our Player and Associated Persons Privacy Policy (and in the case of Premier League personnel our Employee Privacy Notice), this may include.
(a) information that is obtained from third parties through pre-recruitment and procurement checks for roles where you would be employed or contracted by the Premier League, such as Disclosure and Barring Service (DBS) checks, including via the SRR app, which may include your identification verification, references and (where applicable) criminal record checks;
(b) reported incidents, allegations and disclosures as reported to us in our Safeguarding Referral Forms or provided in response to our requests and/or in correspondence with the Premier League in relation to our Safeguarding Activities;
(c) information that is obtained from the safeguarding activities of Clubs, Club Community Organisations, other Football Authorities and other interested parties such as the Charity Commission, charities and voluntary bodies such as the NSPCC and ChildLine, statutory bodies and agencies such as local education authorities or the police, and directly from other participants in football; and
(d) any other personal information shared with us, including by way of email, telephone call or interview as part of our Safeguarding Activities.
2.5. Information reported to us may include your personal data because your safety is of concern or because your behaviour or the behaviour of others is of concern and may include records of incidents, allegations or disclosures about abuse, exploitation, inappropriate conduct or poor practice and details of how such incidents and allegations are resolved, which may include health information and details of criminal offences and illegality (i.e. special category data).
2.6. Please note that we may collect and process your personal data (including from public sources) without your knowledge or consent where this is required and/or permitted by law.
3. How and why we use your Personal Data
3.1. We only collect and use personal data in accordance with Data Protection Law.
3.2. The Premier League may collect and use personal data because it is necessary for our "legitimate interests", that is, in order to operate, administer, regulate and govern the Premier League competitions and to support Clubs' associated activities in an effective and lawful manner and in particular, because it is necessary:
(a) to implement and enforce our Safeguarding Policy and section S of the Premier League Rules including conducting pre-recruitment checks, receiving and reviewing reports and communications and taking necessary action to protect the welfare of individuals at risk and to prevent abuse and poor practice;
(b) to operate and administer our systems and procedures, including holding data from such checks, reports and communications, in support of our Safeguarding Policy; and
(c) in conducting our Safeguarding Policy section S of the Premier League Rules to share such data with other parties who can help to protect the welfare of individuals at risk and to prevent abuse and poor practice.
3.3. Before using your personal data for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you to ensure that your interests and fundamental rights and freedoms do not override those interests. In other words, we have determined that the Premier League has a legitimate need to process your personal data and we are not aware of any reasons that, on balance, mean we should not be doing so. If you have concerns about our processing please refer to Your Rights in Connection with Your Personal Data below.
3.4. In conducting our Safeguarding Policy, and in accordance with Data Protection Law, we may also use your personal data for purposes which are required by law, including:
(a) to comply with a legal obligation (for example, because the court has ordered us to do so);
(b) to respond to requests by the government or law enforcement authorities conducting an investigation;
(c) to implement enhanced DBS checks where individuals will interact with children or adults at risk; and
(d) to protect yours or someone else's vital interests in emergency situations.
3.5. We generally do not rely on your consent in order to process your personal data and we will inform you specifically when we seek to obtain this from you as well as your ability to withdraw that consent at any time.
Special Category Data
3.6. We also only use special category personal data in accordance with the Data Protection Law and therefore only if:
(a) It is necessary for reasons of substantial public interest. Data Protection Law provides for the use of special category personal data where it is necessary for the prevention and detection of unlawful acts, and for the purposes of safeguarding of children and individuals at risk. Data Protection Law also provides for the use of special category personal data for the purposes of measures designed to protect the integrity of a sport or a sporting event. This includes measures to prevent or protect against dishonesty, malpractice or other seriously improper conduct, or failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.
(b) We have your explicit written consent. In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive data where there is no other legal basis. If we do so, we (or a third party) will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. For example, we may request consent (including parental or guardian consent) to processing a youth player’s medical and other additional needs to ensure that we comply with our obligation to safeguard children and young adults.
You have the right to withdraw your consent at any time and can do so by contacting us using the details provided below.
(c) Less commonly, we may process your personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
3.7. Unless otherwise required or permitted by law, before using your personal data for a purpose unrelated to the reason we collected it, we will notify you and explain the purpose and legal basis which allows us to do so.
3.8. If you have any questions or require any additional information about the purposes for which your personal data is required and/ or our legal justification you can contact the Premier League's dedicated Data Protection Team using the contact details set out below.
4. Who we share your Personal Data with
4.1. We may share certain elements of your personal data with other individuals and organisations as part of our Safeguarding Activities, always on a need-to-know-basis and for legitimate prescribed reasons.
4.2. We share information with Clubs, Club Community Organisations, the Premier League Charitable Fund, other Football Authorities and other interested parties including without limitation the Charity Commission, charities and voluntary bodies such as the NSPCC and ChildLine, statutory bodies and agencies such as local education authorities or the police, the Care Quality Commission, Ofsted or the DBS, and other relevant third parties, including those who are the subject of Safeguarding Activities because their safety is of concern or because their behaviour or the behaviour of others is of concern and when determining the outcome of disciplinary or regulatory proceedings and appeals in respect of such proceedings.
4.3. Personal data may also be shared with third party service providers, who will process it on behalf of the controllers for the purposes identified above. Such third parties include the providers of software used by the Premier League to maintain records of intelligence, case management and DBS checks.
4.4. All third-party service providers who we share your personal data with are required to take appropriate security measures to protect your personal data. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified limited purposes and in accordance with our instructions.
5. Transferring personal data outside the EEA
5.1. Some countries outside of the European Union (EU) do not have laws that protect privacy rights and personal data as extensively as the UK and other countries in the EU. Therefore, in accordance with Data Protection Law, if we do transfer your personal data outside of the EU, we ensure that your personal data is afforded a similar level of protection by ensuring one of the specific safeguards approved by the European Commission is in place. You can find further information about these safeguards at https://ec.europa.eu/info/law/law-topic/data-protection_en.
5.2. If you would like further information on the specific mechanism used by us when transferring your personal data out of the EEA please contact us using the details provided below.
6. Security of your Personal Data
6.1. The Premier League is committed to protecting your privacy and has put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. Details of these measures are available upon request using the details provided below.
6.2. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
7. Data retention
7.1. In accordance with Data Protection Law, Premier League will only keep your personal data:
(a) for as long as necessary to fulfil the specific purposes we collected it for in relation to safeguarding matters but we will review the information we hold, and the decisions and actions that we have taken, at the end of each case or investigation and thereafter every 3 years;);
(b) to the extent reasonably necessary to comply with a legal requirement or legal reasons - for example, documents containing personal data may need to be retained for an extended period of time (generally for six years) if there is a real risk that they could be the subject of a claim, or may otherwise be relevant to future litigation; or
(c) as advisable in light of certain legal issues (or potential issues) - for example, we may retain information in relation to safeguarding issues after the conclusion of an investigation so that we can address historical allegations in the future.
7.2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
7.3. In accordance with the Premier League's Data Retention Policy and Data Protection Law, after the applicable retention period has ended, the personal data will be either (as applicable):
(a) securely deleted or destroyed - when the information is no longer required in any form; or
(b) anonymised (so that it can no longer be associated with you) - for example, where the data remains useful in an aggregated/ generic form for statistical purposes.
8. Your rights in connection with your Personal Data
8.1. Under Data Protection Law, you have certain rights (depending on the circumstances) in connection with your personal data, which include:
(a) Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it, provided always that this does not adversely affect the rights and freedoms of other people.
(b) Request correction of the personal data that we hold about you. Where any of the information we hold about you is incorrect or incomplete we will act promptly to rectify this, including where you have requested us to do so.
(c) Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
(d) Object to use of your personal data where we are relying on our legitimate interests (see “How and why we use your Personal Data”) and there is something about your particular situation which makes you want to object to our use on this ground.
(e) Withdraw your consent to our use of your personal data where we do so in reliance on your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
(f) Request the restriction of use of your personal data. This enables you to ask us to suspend the use of personal data about you, for example if you want us to establish its accuracy or the reason for using it.
8.2. We are committed to respecting your rights. You may action your rights (as applicable) by contacting us using the details provided below and we will comply with your requests within a reasonable period unless we have a lawful reason not to do so. Requests should be made in writing and to ensure that personal data is dealt with carefully and confidentially the Premier League will require the requestor to provide verification of their identity and all applications must be accompanied by copies of at least two official documents, which show your name, date of birth and current address (for example, driving licence, birth/ adoption certificate, passport, recent utility bill).
8.3. Note: in responding to such requests, we will explain the impact of any objections, restrictions or deletions requested, which may be significant if our use of your personal data is necessary for you to fulfil your role or relationship with the Premier League.
8.4. We will not charge you a fee to exercise your rights unless your request for access is clearly unfounded or excessive, in which case we may charge you a reasonable fee. Alternatively, we may refuse to comply with the request in such circumstances.
9. Contact us
If you have any questions about this privacy policy or how we handle your personal data, please contact the Data Protection Lead using the following contact details:
Premier League Data Protection Lead
The Football Association Premier League Limited
Brunel Building
57 North Wharf Road
London
W2 1HQ
dataprotection@premierleague.com
10.Complaints
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK data protection authority. The ICO's contact details as are follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113 (local rate) or 01625 545 745; https://ico.org.uk/global/contact-us/.