
Data and sport - big data means big privacy protections

Data collection and use on the rise across Australian sports – time to exercise caution?

The last decade has seen an explosion in the collection and use of data analytics within Australia, across professional sport codes such as the AFL, A-League, NRL, Big Bash Cricket, as well as in their amateur Sunday League counterparts. This growth is expected to continue, with the sport data analytics industry expected to grow globally to a staggering US$6.34 billion by 2030.[1]

This has been made possible by the growing popularity of a range of smart devices, watches, trackers, garments and patches. Heart rate, VO2 max, body fat composition, hydration status, blood glucose levels and sleep and movement patterns are, for example, among the physiological and performance data types which sports entities may gather. Sports entities may share certain data about player injuries or illnesses for the purpose of nursing players back to full health, or store data for future use to prevent re-injury and to optimise training and match performance outcomes.

Many teams (rightly or wrongly) feel compelled to capture as much data as possible to monitor health and fitness and to attain an edge over competitors. Coaches, doctors, physiotherapists and sport scientists are not always familiar or confident about what their legal privacy obligations to athletes are. Who is responsible or accountable may not always seem clear-cut, especially when club staff are involved at several stages of the data’s overall life-cycle.

This article provides an overview of the current legal framework governing the collection, use and disclosure of athlete data by sports entities under the Privacy Act 1988 (Cth) (Privacy Act).

Who is covered under the Australian Privacy Principles (APPs) and Privacy Act?

The APPs and Privacy Act apply to APP Entities. If a sports entity has an annual turnover of more than $3 million then it will be an APP Entity, bound by the Australian Privacy Principles and the Privacy Act.

Irrespective of annual turnover, a smaller entity that is related or provides support to a sport club, body or individual athlete may also be considered an APP Entity. This could occur where an entity provides a ‘health service’ and holds ‘health information’ - as defined under sections 6FA and 6FB of the Privacy Act.

What data is covered by the APPs and Privacy Act?

For the purposes of this article, the data in question is the ‘personal information’, ‘sensitive information’ and ‘health information’ of athletes, and it includes any physiological or biometric data.

For clarity:

  • personal information includes information, or an opinion, that could identify an individual such as their name, address, date of birth, gender among others

  • sensitive information includes information, or an opinion, about an individual’s racial or ethnic origin, their political opinions or religious beliefs, criminal records, sexual orientation, and can include ‘biometric information’

  • health information is any personal information about an individual’s health or disability such as notes about symptoms or diagnoses, specialist reports and test results, prescriptions, dental records, and others.

Sensitive information and health information are each a subset of personal information.

‘Biometric’ or ‘physiological’ data may fall under any one or more of the definitions and is therefore covered by the APPs.

What are the APPs?

There are 13 APPs which govern the standards, rights and obligations around:

  • the collection, use and disclosure of personal information

  • an organisation or agency’s governance and accountability

  • integrity and correction of personal information

  • the rights of individuals to access their personal information.

These principles have been designed to be technology neutral, meaning they adapt to changing technologies.

Who owns athlete data?

The concept of data ownership is somewhat nebulous in the eyes of Australian law:

  • firstly, ‘ownership’ in the legal sense can only apply to ‘property’

  • secondly, ‘data’ in and of itself is not necessarily considered property.

The Privacy Act does not confer ‘ownership’ rights in respect of data. Accordingly, the use of the term ‘ownership’ is misleading and inaccurate. Sports entities simply ‘hold’ personal information they collect, they do not own it. Sports entities should take care to avoid statements and actions which suggest that they ‘own’ the data.

Under the Privacy Act and the APPs, individuals have certain rights regarding their own personal information, including but not limited to, the right to:

  • know why their data is being collected

  • remain anonymous (unless it is impractical for the APP Entity collecting the information to do so in relation to a particular matter)

  • seek access to their data (subject to certain exceptions, for example where giving access would have an unreasonable impact on the privacy of other individuals)

  • request the deletion or de-identification of their data (where an APP Entity no longer needs the personal information for any purpose for which the information may be used or disclosed under the APPs).

Specific consent is required from an individual to collect and use sensitive information or health information. This means sporting entities need to get consent from athletes to collect ‘biometric’ or ‘physiological’ information. For this reason, some of Australia’s main sports codes have put in place Collective Bargaining Agreements between players and their clubs, leagues or associations which specify in clear terms what types of personal data can be collected and shared with broadcasters or other clubs.

Collecting data

Under APP 5, an APP entity that collects personal information about an individual must take ‘reasonable steps’ to either notify the individual of certain matters relating to its collection and use of personal information or to ensure the individual is aware of those matters. ‘Notice’ usually takes the form of a Privacy Collection Notice or a Privacy Policy and covers amongst other things:

  • the purpose of collection

  • whether the collection is required or authorised by law

  • the consequences if personal information is not collected

  • the usual disclosures of personal information of the kind collected by the entity.[2]

However, the privacy policies of many sporting entities draw little distinction between the audiences from which personal information is collected (i.e. club staff, fans, casual website browsers or athletes). To ensure the best protection and to comply with APP 1 (open and transparent management of personal information), the privacy policies of sporting entities should be tailored to each specific audience.

Consent may also be necessary to collect sensitive information about an athlete. It is becoming common for professional athletes to be asked by their parent clubs prior to the commencement of their employment, to sign a player contract consenting to the collection of personal information. While the terms of the player contract should always be open to negotiation, it is worth mentioning that the asymmetric bargaining relationship between athletes and their clubs generally operates to limit any meaningful opportunity for athletes to negotiate on the scope of collection broadly, or to resist data collection and use in particular instances. On the other hand, some athletes may relish the opportunity to share performance data, as a way to lift their profile and increase the chance of third-party sponsorships.

Under APP 3, an organisation may only collect personal information where it is ‘reasonably necessary’ for the organisation’s functions or activities. It is the responsibility of the relevant sport organisation to justify that the relevant collection is reasonably necessary.

The Office of the Australian Information Commissioner (OAIC) provides guidance stating that:

  • ‘collection, use or disclosure would not be considered necessary where it is merely helpful, desirable or convenient’

  • ‘using all the data for unknown purposes’ is not likely to be considered reasonably necessary

  • ‘just because data analytics can discover unexpected or interesting correlations, this does not mean that the new personal information generated is necessary to the legitimate functions and activities’ of an organisation.[3]

In practice, this will mean that sports entities will need to determine early why they need to collect and process particular datasets. Through the use of a Privacy Impact Assessment, organisations can map what they expect to learn by processing that data and then assess whether the personal information is relevant and not excessive, in relation to its legitimate functions and activities.

Collecting data from children and young people

It is also good practice, and in some instances necessary, for sport organisations to seek a parent’s or guardian’s consent prior to collecting personal information. Elite pathway programs, sport institutes and academies come to mind. The OAIC provides additional guidance in this regard.

Once data has been collected

Under APP 6, an entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’). An entity can also use or disclose personal information for a secondary purpose if an exception applies, for example:

  • where the athlete themself has consented to a secondary use or disclosure

  • the athlete would reasonably expect the organisation to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose

  • the secondary use or disclosure is required by or under an Australian law.

Aside from this, under APP 11 reasonable steps must be taken to protect athlete information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Where personal information is no longer needed for any purpose, the sport organisation must take reasonable steps to destroy the information or ensure that it is de-identified. What is considered ‘reasonable’ will depend in part on the sport organisation’s:

  • size, resources, complexity of its operations and its business model

  • amount and sensitivity of the personal information held

  • possible adverse consequences for an athlete in the case of a breach

  • practical implications of implementing the security measure, including the cost and time involved, and whether a security measure is in itself privacy invasive.

Notification regime for privacy breach

Under the Privacy Act, organisations or agencies are required to notify individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. This type of breach is termed an ‘eligible data breach’ and arises upon the satisfaction of the following three criteria:

  1. there is unauthorised access to or disclosure of personal information, or a loss of information that an organisation holds

  2. this is likely to result in serious harm to one or more individuals

  3. the organisation has not been able to prevent the likely risk of serious harm with remedial action.

Notification is not required if the organisation acts quickly enough to remediate the breach and as a result, the ‘serious harm’ is unlikely to occur. ‘Serious harm’ is not defined in the Privacy Act, but typically, it will require an objective assessment – that is, from the perspective of a reasonable person in the organisation’s position.

It is incumbent on sports entities to ensure that they comply with all relevant data privacy laws. Restricting collection to only that information which is actually needed also reduces the scope for serious harm should a data breach occur.

Penalties and fines for privacy breaches

Sport organisations should also be aware that pursuant to the Privacy Act:

  • the Information Commissioner can handle complaints and recognise external dispute resolution schemes, conduct investigations, and make privacy assessments of whether an entity is maintaining and handling personal information in accordance with the Privacy Act

  • under section 13G, for serious or repeated interferences with privacy, the maximum civil penalties are as follows:

    • for a person other than a body corporate: $2.5 million; and

    • for a body corporate, the greater of:

      • $50 million;

      • if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – 3 times the value of that benefit; or

      • if the court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.

Key takeaways

It is prudent for sports teams, clubs and/or independent health service providers to:

  • have an up-to-date privacy policy in place, which is specific to athlete data

  • implement contractual provisions in athlete contracts, where the athlete consents to the collection of sensitive information

  • maintain robust physical and cloud security measures

  • upskill and train their staff regarding data collection, use, transfer, and disclosure in line with current privacy laws and ‘best practice’ regarding personal information protection.


Authors: Michael Cossetto, Robert Lee and Maja Samardzic


[1] See https://finance.yahoo.com/news/sports-analytics-market-worth-6-120000424.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAMzAA7isZK9Il2VfZaP0YHu-ggh22Jh6AJvOqV6piMJhYllpXBwk9hZ3xDb-GQ9NbOr9l6wTf_-ocaOaTUcp03Kb8TRJ0WE29VjT9iVmYNy3tHkiYvlL6JMd8KjHIOb6EZFhEzMp8myJMAa5heHI4ISdeTQJRDAAJYDxKx8LixZX.

[2] https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-5-app-5-notification-of-the-collection-of-personal-information

[3] https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-data-analytics-and-the-australian-privacy-principles