Safeguarding Privacy Policy

Summary of how The Football Association Limited (“The FA”) uses your data

  • The FA processes information about participants in grassroots and professional football in order to safeguard its participants and ensure the welfare of both children and adults at risk. This involves both proactive checks, such as carrying out Disclosure and Barring Service (“DBS”) checks with its partner GB Group on roles which interact with children and adults at risk, and reactive work in dealing with safeguarding matters that are escalated to it in accordance with The FA’s safeguarding framework.
  • The information processed by The FA can involve sensitive and criminal records data – particularly where a DBS check discloses relevant criminal convictions, or where the sensitive data of an alleged perpetrator or victim is relevant to a safeguarding enquiry. This is processed on the basis of preventing and detecting unlawful activity, and for the purposes of safeguarding individuals at risk.
  • Information may be obtained both directly from participants, and from third parties: such third parties include the DBS, other football stakeholders such as County FAs or clubs, and other participants or third parties that raise potential issues of abuse. This can include other sports governing bodies, charities such as the NSPCC, ChildLine or other statutory bodies or agencies such as the police or local authorities.
  • Data is shared, where appropriate, with other stakeholders who may come into contact with or have a role in dealing with participants who pose a risk of harm to children or adults at risk in football or other environments, such as Local Education Authorities, the police, County FAs, clubs and others sports governing bodies.
  • Our privacy policy sets out more details of your data protection rights, including your right to object to certain processing.

What does this Policy cover?

This Policy describes how The FA will make use of your data when you participate in the game – whether as a child, adult at risk, their parent or carers or as someone who interacts with such individuals – in order to carry out its Safeguarding and Child Welfare functions. Other important policies that may be relevant to how The FA processes your data in other circumstances can be found by reviewing The FA Website Privacy Policy.

This Policy describes your data protection rights, including a right to object to some of the processing which The FA carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.

What information does The FA collect about me?

The FA collects information you provide as part of your registration with The FA as a participant, and information you provide as part of any DBS application. Information may also be provided directly to The FA in responses to requests for representations, or where you make a communication about a safeguarding matter. Information you provide will include details such your FA number (FAN), your contact information, your role, your identity documents and information included in correspondence with The FA.

What information is provided by third parties about you?

Information is obtained through DBS checks for participants where this is relevant for their role. This involves the use of GB Group, which is an umbrella organisation contracted by The FA to carry out DBS checks. The content of a disclosure certificate obtained from a check is shared both with The FA and with County FAs where relevant.

Information may also be obtained from third parties where they make reports about alleged behaviour of concern or harm that involves you (either as an alleged victim or alleged perpetrator or witness). This can arrive from a wide range of third parties, such as County FAs, Local Education Authorities, the police, charities like the NSPCC, ChildLine and directly from other participants in football. We may retain details of allegations as intelligence, even if we decide that further action is not warranted in the circumstances.

How does The FA use this information, and what is the legal basis for this use?

The FA will use this information for the following purposes:

  • As required by The FA to conduct its business and pursue its legitimate interests, in particular:
    • communicating with you or about you where necessary to administer the game and implement The FA’s Safeguarding and Child Welfare Policies,  and relevant regulations in place to ensure the welfare of individuals at risk;
    • administering its systems holding safeguarding data, e.g. Whole Game System which holds details of which individuals have a current DBS check in place; and
    • collecting, sharing and retaining evidence and intelligence in relation to safeguarding and enforcing applicable FA rules and regulations regarding safeguarding, including the processing of criminal offence and potentially sensitive data provided by you or by GB Group to prevent and detect unlawful activity and where necessary to protect children and adults at risk from neglect or physical, mental or emotional harm or to protect their physical, mental or emotional wellbeing.
  • For purposes which are required by law:
    • in response to requests by government or law enforcement authorities conducting an investigation; and
    • ensuring that enhanced DBS checks are conducted where individuals will interact with children or adults at risk. 

How is data shared, where and when?

Information may be passed to GB Group, leagues, clubs, County FAs, Local Education Authorities, charities such as the NSPCC, the police and other sports governing bodies, or any other relevant third party, where this is necessary and appropriate to ensure that The FA meets its safeguarding obligations and purposes as set out above.

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of the parties’ legal or legitimate interests in compliance with applicable laws.

Personal data will also be shared with third party service providers, who will process it on behalf of the controllers for the purposes identified above.  Such third parties include the providers of software used by The FA and County FAs to maintain records of intelligence, case management and DBS checks.

Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules.  A copy of the relevant mechanism can be provided for your review – you can ask for this using the contact details below.

What rights do I have? 

You have the right to ask The FA for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where one of the data controllers doesn’t have to process the data to meet a contractual or other legal requirement, or where it is using the data for direct marketing).

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.  Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. This is likely to be the Information Commissioner’s Office in the UK.

Information that is provided in order to carry out a DBS check so that you can take up a relevant role with a club, league or County FA is mandatory. If relevant data is not provided, you cannot be registered in certain roles. Other information you provide is optional, although where you are asked to provide information and refuse to do so, where relevant to an investigation into a safeguarding matter, this may have consequences in relation to relevant enforcement action that will be explained at the time of the investigation.

How do I get in touch with you, or your data protection officer?

If you wish to make a data privacy request, you can do so via our online form, which can be found here. We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at or by writing to: Data Protection Officer, Wembley Stadium, PO Box 1966, London, SW1P 9EQ.

How long will you retain my data?

The FA retains information relating to safeguarding matters as follows:

  • information contained in DBS certificates is retained for the duration of any investigation or case;
  • information and/or intelligence gathered in relation to safeguarding matters, and details of any actions taken by The FA and any decisions taken to bar participants from participation on safeguarding grounds or to enforce FA Regulations will be reviewed every 7 years. If The FA considers that ongoing retention is justified, it will continue to retain relevant information until at least the next review. We will also review the information we hold about you at the end of any investigation or case to ensure this remains relevant. For particularly serious cases, we may inevitably hold information indefinitely, but this will remain subject to review.

Where your data is held on FA systems, then at the end of the retention periods set out above, we will not irrevocably delete your information for another 3 months – your data in an inactive form for this time to ensure that any consequential links across our systems remain intact in the event that your data is removed in a particular location.

Last updated: 6 March 2020.