General Conduct Regulations (GCR)
Template Privacy Notice
Cricket Organisation Privacy Notice Template and Guidance Notes
This Template privacy notice and Guidance Notes provide an outline of the key things your Cricket Organisation will need to set out to satisfy the transparency obligations in data protection law when obtaining personal data.
This is a summary guide to the ECB’s suggested approach only. It is provided to you merely to give you an introduction to some of the things your Cricket Organisation should tell individuals when obtaining their personal data.
It does not include a full list of the things you have to do to satisfy the rules and should not be relied on as a substitute for specific legal, financial and/or other advice, which will vary according to your Cricket Organisation’s commercial practices and use of personal data.
The ECB is not liable for the actions taken as a result of this Template or Guidance Notes and you should take your own advice before making any decisions or acting on the content.
Privacy Notice | Recreational Cricket
[INSERT NAME OF CRICKET ORGANISATION]
This privacy notice explains how your personal data will be used and protected and your legal rights in respect of it.
[More information about this and details of how to exercise your rights can be found in our privacy policy at [state URL or other place at where this can be obtained]] [SEE GUIDANCE NOTE GN1]
About us [SEE GUIDANCE NOTE GN2]
[insert full legal name of cricket organisation] (‘us’ or ‘we’ or ‘our’) is [explain what your organisation does in respect of cricket].
We are the data controller for the purposes of data protection law and can be contacted as follows:
Mail [insert address]
Email [insert email address]
Phone [insert phone number]
Website [insert URL]
The personal data we process [SEE GUIDANCE NOTE GN3]
We may process the following categories of personal data:
•
•
•
Where we get your personal data from [SEE GUIDANCE NOTE GN4]
Automated decisions about you [SEE GUIDANCE NOTE GN5]
[We do not normally make any solely automated decisions about you]
[We may make the following automated decisions about you:
• [insert details]
• [insert details]
Our purposes for processing your personal data [SEE GUIDANCE NOTE GN6] and our legal basis for doing so [SEE GUIDANCE NOTE GN7]
Purpose 1
[insert purpose]
Legal basis
[insert legal basis]
Purpose 2
[insert purpose]
Legal basis
[insert legal basis]
Purpose 3
[insert purpose]
Legal basis
[insert legal basis]
Purpose 4
[insert purpose]
Legal basis
[insert legal basis]
Purpose 5
[insert purpose]
Legal basis
[insert legal basis]
Who we may disclose your personal data to [SEE GUIDANCE NOTE GN8] and our legal basis for doing so [SEE GUIDANCE NOTE GN7]
Who we may disclose to 1
[insert details]
Legal basis
[insert legal basis]
Who we may disclose to 2
[insert details]
Legal basis
[insert legal basis]
Who we may disclose to 3
[insert details]
Legal basis
[insert legal basis]
Who we may disclose to 4
[insert details]
Legal basis
[insert legal basis]
Who we may disclose to 5
[insert details]
Legal basis
[insert legal basis]
Where we will hold your personal data [SEE GUIDANCE NOTE GN9]
[insert details].
How long we will keep your personal data for [SEE GUIDANCE NOTE GN10]
[insert details].
Your legal rights over your personal data and complaints
Where you have given your consent to any processing of personal data you have the right to withdraw that consent at any time. If you do, it will not affect the lawfulness of any processing for which we had consent prior to your withdrawing it.
You also have the right of access to your personal data and, in some cases, to require us to restrict, erase or rectify it or to object to our processing it, and the right of data portability.
To exercise your rights or if you have any concerns or complaints about how we are handling your personal data please, please contact us at [insert details]. You can also lodge a complaint at the Information Commissioner’s Office (see www.ico.gov.uk) for details.
Guidance Notes
General considerations and the law
The requirement for a privacy notice comes from Articles 13 and 14 of the UK GDPR. These Articles set out very specific information that you have to provide when you obtain personal data about an individual whether from the individual themselves or from somebody else. You also need to consider:
• the Data Protection Act 2018 which sets out variations to the UK GDPR and
• the Privacy and Electronic Communications (EC Directive) Regulations which deal with things like cookies and getting consent for direct marketing.
GN1 (Introduction)
If you have a privacy policy (for example on your website) that provides more general information that may be relevant, you could include a link to it from the privacy notice. If you do not want to do this, delete the wording in yellow highlighting.
When making your decision on this – it is important you check whether your privacy policy is consistent with the privacy notice you are preparing. If it is not, you will need to either change your privacy policy or do not link to it from the privacy notice.
GN2 (About us)
It is important that you specify the full legal entity name of your organisation. This is used by individuals to check the official Register of Fee Payers maintained by the Information Commissioner.
It is helpful to provide a short description of what your cricket organisation does for example, explaining that yours is a local cricket club based in Cheshire.
GN3 (The personal data we process)
You will need to set out details of the categories of personal data you get about the individual. Examples include:
• Name (and any ‘known as’ name)
• Contact details (eg address, telephone number(s), email address(es))
• Club, team, Recreational Cricket Board, League or other cricket organisation (as applicable)
• Role at club, team, Recreational Cricket Board, League or other cricket organisation (if applicable)
• Age or date of birth
• Gender
• Nationality, ethnicity and other equity and inclusion questions (if applicable)
• Cricket skills and experience (if applicable)
• Fitness and condition (if applicable)
• Details of injuries (if applicable)
• Eligibility to play or participate and associated eligibility evidence (as applicable)
• Social media posts
• Each club / team / competition played for (if applicable)
• Match and training dates attended (if applicable)
• Details of any consents given or withheld (if applicable)
• Actions required / advised to be taken to protect the individual and others including use of protective equipment and whether the requirements /advice has been implemented (if applicable)
• Conduct
• Incidents involving the individual
• Grievances / concerns raised
• Evidence of grievances / concerns / incidents (including any video evidence)
• Comments of or statements given or submissions made by the individual
• Criminal offence(s) (if applicable)
• Breaches of General Conduct Regulations, Recreational Conduct Regulations and/or ECB Competitions General Conduct Regulations
• Breaches of any other ECB regulations applicable to the individual
• Breaches of ECB Anti-Discrimination Regulations
• Actions and decisions taken
• Information in match officials report(s)
• Sanctions and penalties imposed
There may be others and you will need to give some thought to this to ensure you mention all categories of personal data.
Also remember – if you get personal data about different types of individual (eg players, parents, coaches), you will need to show the differences. One way of doing this is to have a heading for each category of individual and then listing the different categories of data under each heading.
GN4 (Where we get your personal data from)
You will need to set out details of where you get personal data about the individual from. Examples include:
• the individual
• the ECB / Cricket Regulator
• another Club, team, Recreational Cricket Board, League or other cricket organisation (as applicable)
• Disciplinary officers / bodies / panels
• Statements/submissions in disciplinary matters
• Disparity Safety Panel
• Appeal bodies / panels
• Other participants, witnesses, spectators, complainants
• Social media
• Family members
• Umpires and other match officials
• Team captain
• Coaches and the management team
• Legal and other professional advisers
• Regulators
• Police / statutory agencies (if applicable)
• National governing bodies of other sports
• UK Anti-Doping / WADA
There may be others and you will need to give some thought to this to ensure you mention all categories of potential sources of the personal data
Also remember – if you get personal data about different types of individual, you will need to show the differences. One way of doing this is to have a heading for each category of individual and then listing the different sources under each heading.
GN5 (Automated decisions about you)
If you make any decisions about individuals that are wholly automated (eg you select players for a match solely using a computer algorithm or artificial intelligence (AI)) you will need to provide meaningful information about the logic involved as well as the envisaged consequences for the individual.
GN6 (Our purposes for processing your personal data)
You will need to set out the purposes for which you process personal data about the individual. Examples include:
• Compliance. Ensuring compliance with ECB regulations and policies including General Conduct Regulations, Recreational Conduct Regulations, ECB Competitions General Conduct Regulations, Disparity Regulations, Anti-Discrimination Regulations and, where relevant, Anti-Corruption Code
• Case handling. Includes dealing with evidence, referrals and appeals.
• Participant and spectator welfare.
• Dealing with any safety concerns, incidents and complaints
• Disciplinary purposes. Administration for disciplinary purposes and regulatory enforcement
• Safeguarding.
• Record keeping. Includes maintaining ECB records for the ECB’s cricket management programmes and maintaining statistics
• Diversity monitoring (EDI). Diversity monitoring and compliance (such as in respect of ethnicity, gender, race, age and disability) and providing equal opportunities
You will probably be able to think of many more purposes for which you will process personal data.
The important thing is that you have to set out all purposes in the privacy notice.
GN7 (legal basis)
This point is a little more complicated to explain than the others so it is important that you read this Guidance Note very carefully.
The law sets out the potential legal bases for processing personal data. The options differ depending on the nature of the personal data.
Most personal data is ‘ordinary’ personal data but some categories are designated as ‘special category data’ or ‘sensitive personal data’. Special category data includes things like medical information, race or ethnicity, sexual orientation. You can find a list of special category data in Article 9 of the UK GDPR.
There are many legal bases for processing personal data. Some examples that may be relevant are:
For ordinary personal data
• Consent of the individual
• The processing is necessary for performing a contract to which the individual is subject
• The processing is necessary for compliance with a legal obligation to which the organisation is subject
• The processing is necessary for the purposes of the legitimate interests of the organisation (or someone else) and those interests are not overridden by the rights and freedoms of the individual (note if you rely on this legal basis – you must specify what your legitimate interest is)
For special category data
• Explicit consent of the individual
• The processing is necessary to protect the vital interests of the individual
• The processing relates to personal data that are manifestly made public by the individual
• The processing is necessary for the establishment, exercise or defence of legal claims
• The processing is necessary to comply with the law or is necessary for the purposes of equality of opportunity
• The processing is necessary for the purposes of preventative or occupational medicine or the provision of health care
• The processing is necessary for the purposes of protecting an individual (who is under 18 or is over 18 and at risk) from harm or neglect or protecting the physical, mental or emotional wellbeing of an individual (who is under 18 or is over 18 and at risk)
• The processing is necessary for measures to protect the integrity of sport or a sporting event and must be carried out without consent of the individual
There are many other legal bases and you should consult Articles 6 and 9 of the UK GDPR and Schedule 1 Part 2 of the Data Protection Act 2018 to see which ones apply.
If you process any personal data relating to criminal conviction or offences, you should consult Article 10 of the UK GDPR and Schedule 1 Part 2 of the Data Protection Act 2018 to see which legal bases may apply.
GN8 (Who we may disclose your personal data to)
You will need to specify who you will share personal data with. Where you can provide a name you should do so (for example, you may state that your share particular categories with the ECB / Cricket Regulator) but you could list categories of recipient (for example, with leagues in which the player participates).
GN9 (Where we will hold your personal data)
If the personal data is only processed in the UK you should state this. If the personal data may be processed elsewhere – you should specify where. Transferring data to some countries (especially those outside the European Economic Area or Switzerland) require additional measures to be put in place and you have to specify these in the privacy notice.
GN10 (How long we will keep your personal data for)
There are rules for how long you can keep personal data for (generally – not for longer than necessary to achieve the purpose for which you received it).
It is a legal requirement for you to specify how long you will keep the personal data for in the privacy notice. If you do not have a specific retention date – you can explain the criteria you will use for disposing of the personal data.