
Club Portal Privacy Notice

What this policy covers

This privacy notice explains how the Independent Football Regulator (“IFR”) as data controller collects, uses and shares information about you (‘personal data’) when you access the IFR Club Portal.  This privacy notice should be read in conjunction with our main privacy notice.

The IFR recognises the importance of protecting this personal data and is committed to complying with its data protection obligations whilst delivering its work as a public authority.

As the IFR continues to develop its processes and consider the use of new technologies to enhance the way it works, it may be necessary to modify this notice. The IFR will keep this notice under review and update it as appropriate. The date of this document is March 2026.

Why the IFR collects personal data through its IFR Club Portal

The IFR will receive personal data that may include special category data and criminal offence data from Clubs and individuals when accessing and using the IFR Club Portal.  This information is processed for the purpose of carrying out our functions as a regulator.  This includes (but is not limited to): 

·       IFR’s information gathering powers.

·       Assessment of the suitability of individuals to be owners, directors and officers of football clubs (under Part 4 of the Football Governance Act 2025 (“Act”)) (“suitability assessment”).

·       An application process for football clubs to receive operating licences

·       IFR’s monitoring of compliance with our rules and the Act including clubs’ compliance with their licence conditions (under Part 3 of the Act)

·       Investigations and proceedings that may be taken by the IFR

·       Sharing information with and receiving information from other relevant statutory bodies, competition organisers and others under information sharing gateways in the Act or other legislation.

The IFR will only use the amount of relevant personal information it considers necessary to carry out a particular activity.

IFR uses Microsoft Dynamics and Dataverse as the platform and database for the Club Portal.  As part of Dynamics and Dataverse, audit history is collected and stored.  This will automatically collect all activity undertaken by a user whilst logged into the Club Portal.  The audit history is retained in accordance with IFR’s retention policy.  This audit history may be viewed by IFR where an issue is identified that requires log and activity history to be reviewed such as when there is a security breach. 

As part of the suitability and licensing assessment, IFR will process information set out in its application process and any additional information that it may request.  This includes but is not limited to:

·       Information to demonstrate honesty, integrity and financial soundness of applicants

·       Information relating to criminal or disciplinary matters

·       Personal financial arrangements

·       Details of involvement with other businesses

·       Information relating to competence including qualifications, experience and training

·       Information relating to source of wealth

We will also obtain information from third parties as part of our assessment process to verify the information provided to us and complete our licensing and suitability assessment.  This will include data organisations with whom we have an agreement, public and open-source records and other government or regulatory bodies.  This may be both within the UK and internationally.  We may also obtain personal data and information from competition organisers or other sporting bodies.   

The IFR’s lawful basis for processing

The lawful basis for the processing of personal data by the IFR will be one or more of the following:

·       processing is necessary for the performance of a task carried out in the public interest by the IFR, or in the exercise of official authority vested in the IFR (Article 6(1)(e) UK GDPR);

·       processing is necessary for compliance with a legal obligation to which the IFR is subject (Article 6(1)(c) UK GDPR);

·       the data subject has given consent to the IFR’s processing of the personal data for one or more specific purposes (Article 6(1)(a) UK GDPR); and/or

·       processing is necessary for the purposes of a recognised legitimate interest (Article 6(1)(ea) UK GDPR) or is necessary for the purposes of other legitimate interests pursued by the IFR (Article 6(1)(f) UK GDPR).

Special Category Data and Criminal Offence Data

To process Special Category Data and Criminal Offence Data, additional provisions must be met.  Where Special Category Data is processed our lawful basis for this processing is:

·       Processing is necessary for reasons of substantial public interest (Article 9(2)(g)), together with one or more of the substantial public interest conditions set out within the Criminal Offence Data provision below.

Where Criminal Offence Data is processed, our lawful basis for processing is:

·       Condition 6 (statutory etc. Government purposes)

·       Condition 11 (protecting the public against dishonesty)

·       Condition 28 (Standards of behaviour in sport)

IFR has an appropriate policy document to safeguard Special Category Data and Criminal Offence Data.

Data Retention

The IFR will retain your personal data which has been provided through our IFR Club Portal in line with the requirements of data protection legislation, the obligations on the IFR under the Act, and other relevant legislative requirements, considering factors such as the content and sensitivity of the data, the purposes for which the data is processed, and any business requirements. We will securely dispose of such data when it is no longer necessary to retain it.

Data Sharing 

Personal data will be shared internally with members of staff involved in reviewing and carrying out the suitability assessment and/or determining applications.  This information will be kept securely and have access controls. 

We will not share personal information with third parties except:

·       Where we carry out verification of the information provided to us.  In such cases, we may share personal data with third-party organisations to carry out these checks.  We may also share personal data with data organisations to collate and share information about individuals such as Dun & Bradstreet, Moody’s, Experian.

·       Our data processors where they carry out services for us.  This may be during the application process or ongoing monitoring of compliance.  We have contracts in place with our data processors.  This means that they cannot do anything with personal data unless we have instructed them to do it.  They will not share your personal information with anyone apart from us.  They will hold the data securely and retain it for the period we instruct unless they are permitted to retain it by law.

·       Where disclosure is necessary under Section 86 of the Act to HMRC, Secretary of State, Welsh Ministers, Financial Conduct Authority, National Crime Agency, Serious Fraud Office or the Sports Grounds Safety Authority for the purpose of facilitating the exercise of that organisation’s function.

·       Where disclosure is necessary under Section 86(3) of the Act to Football Association, Football Association Premier League Limited, Football Association of Wales Limited, Football Conference Limited, Football League Limited or Women’s Professional Leagues Limited for the purpose of facilitating the exercise of that organisation’s function.

Information shared with the above organisations may not be used by the organisation for any other purpose or further disclosed unless permitted by law or court order.

·       The police or other law enforcement agency to investigate and detect crime

·       The courts (in connection with court proceedings).

·       An organisation with whom we are legally obliged to share personal information, for example under a court order.

·       Another third party where we satisfy ourselves that we have a lawful basis to share personal information.

Law enforcement processing

As part of our statutory functions, we have powers to investigate and prosecute individuals and organisations for alleged criminal offences committed under the Act.  Where we process personal data for the primary purpose of law enforcement processing, the UK GDPR does not apply.  Any processing will be carried out under Part 3 Data Protection Act 2018.

Your Data Protection rights

You have certain rights in relation to your personal data such as the right of access and right of rectification. Full details of the rights available to you are set out in our main privacy notice.  You can contact us using the details below (see “IFR Contact Details”) if you would like to exercise any of these rights.

Where personal data is processed for law enforcement purposes, certain rights may be restricted, in whole or in part, where such restrictions are necessary and proportionate to:

·       prevent prejudice to the prevention, detection, investigation, or prosecution of criminal offences or the execution of criminal penalties;

·       avoid obstructing an official or legal inquiry, investigation, or procedure; or

·       safeguard public security, national security, or the rights and freedoms of individuals other than the data subject.

Security

We have put in place measures to protect the security of your information.

We treat the security of your data very seriously. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you.

We have taken measures to ensure an adequate level of security for personal information processed via this website.  Information is stored within the UK or EEA.

We have put in place procedures to deal with any suspected data security breach and will notify you and the regulator of a suspected breach where we are legally required to do so.

Cookies

We use essential cookies that are required for functionality and security. These cookies cannot be turned off. The cookie deployed is:

·     Authenticate/applicationCookie/ExpireTimeSpan

This cookie prevents the portal session from remaining open indefinitely, which would be a security risk.

Changes to our Privacy policy

We keep our privacy notices under regular review. If there are changes, we will update this page to tell you, for example, about any new uses of personal data.

Contact Us

The contact details for the data controller are:

The Independent Football Regulator (IFR)

4th Floor

One New Bailey

New Bailey Street

Salford,

Manchester

M3 5AY

Email: dataprotectionofficer@footballregulator.org.uk

The Data Protection Officer provides independent advice and monitoring of IFR’s use of personal information.

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: 

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.