New Data Protection laws set to impact the sports sector
Clubs and sports organisations hold a mass of data on individuals – be that information about players, fans, employees, membership data or marketing datasets. Increasingly, such data is collected through mobile apps and websites, often run by third parties, upping the number of data flows and, consequently, the level of care that needs to be applied by organisations and their business partners to protect that data.
Some data could be highly sensitive to the individual (an employee’s or club member’s disability information for example). Other data could be crucial to the club or business (for example information relating to the exploitation of a player’s image, or a sportsperson’s biometric or health information tracking their physical performance).
The risk of failing to properly govern such data isn’t just about the impact on individuals either: there are significant commercial risks. We blogged recently on the 7 key things you need to know about the EU’s new General Data Protection Regulation (GDPR), which sets a very high level of regulatory fines for failures to comply, and organisations can suffer damage to a customer base and reputation if associated with a high-profile data breach.
In general, if you are processing data that can be linked back to an individual, you need to be aware of the new rules and set up to comply. This is why our readership’s eyes should perk up at the mention that the UK government has just last week published its new Data Protection Bill (the “Bill”). With the Bill we are now one step closer in the timeline towards implementation of the GDPR – coming into force on 25 May 2018.
The Bill itself transfers the provisions of the GDPR into UK law and expands on it with rules specific to the UK. There is a lot to say about the GDPR. But what’s new in the draft UK bill for the sport sector to take note of? We explain below.
Anti-doping disclosures and Data Protection
There’s a rocky history with anti-doping and the transfer / acquisition of athletes’ personal data. Our briefing last year looked at the legal ramifications arising from failures to properly protect athlete health data (and subsequent publication on the website Football Leaks). These leaks caused large-scale concern amongst clubs and athletes about the protection of private health information sent out to anti-doping bodies such as the World Anti-Doping Agency (WADA) – triggered in particular by the publication of blood test data held by the IAAF.
For an anti-doping system to work properly, it’s important that there is a basis in law for disclosures of information to the national and international bodies who can investigate instances of suspected doping and take action through anti-doping programs.
Most organisations rely on the consent of an individual to process personal data, but in the context of anti-doping, relying on consent is problematic: violations could go undetected if a player refused consent for information about them to be processed by an anti-doping agency. Even if consent was obtained, there is a risk that it would not be freely given, nor able to be withdrawn, and would therefore be invalid under the GDPR.
It’s important then that another lawful basis for transfers of anti-doping information can be identified. Not least because the rules relating to transfers to third countries are being tightened under the GDPR (WADA’s servers, for example, are in Canada), and development of technology has led to increasingly indirect means of gathering anti-doping information.
In fact, it is so important to the proper functioning of the system that transfers for anti-doping purposes have been given a specific nod in the GDPR (Recital 112) and now a full provision within the draft of the UK Data Protection Bill (Schedule 1, Part 2, Condition 21).
So what does the draft legislation say?
For UK organisations empowered to investigate doping in sport, or for UK organisations that may handle, or come into contact with, information relevant to anti-doping (such as testing information, or information about a player’s performance, diet, and health), processing will be permitted under the ‘substantial public interest’ condition.
This is where the processing:
- is in connection with measures designed to identify, prevent or eliminate doping undertaken by or under the supervision of a body with responsibility for eliminating doping in a sport, at a sporting event or in sport generally; or
- is for the purpose of providing information about doping, or suspected doping, to such a body.
So if you are a body whose purpose it is to investigate doping, you will be able to process personal information by relying on the ‘public interest’ (to the extent that you need to, to identify, prevent or eliminate doping).
If you are providing information to such a body, you can also do so under the public interest condition.
Nothing too groundbreaking here, but nice for UK organisations who process such data to know they have a specific provision they can rely on for their lawful basis for processing. We expect to see this provision repeated in the final form once the Bill passes into UK law, and, given the specific reference to anti-doping transfers in the GDPR, we expect other national legislatures to adopt the same.
It’s a particularly helpful clarification in the context of WADA’s mandatory International Code for the Protection of Privacy and Personal Information (the “Code”), which requires athletes and athlete support personnel (including coaches, trainers, managers, agents, team staff, officials, medical, paramedical personnel or parents) to furnish a significant amount of personal information to anti-doping organisations. The Code is a minimum standard of protection set by WADA, and does not override or lower the bar for any national legislation.
Hopefully this marks the next step in a move towards a system of effective anti-doping regulation in an environment where athletes’ privacy rights are respected.
If you would like any further advice on data protection and how your business may be affected by the GDPR or the Bill, please contact one of our data protection experts at Mills & Reeve, Paul Knight, Sarah Whyman or Ed Hadcock.