Paris, the CITY of LOVE SPORT - and the 2024 Olympic and Paralympic Games are less than nine months away. And Australian athletes are busy preparing. From training plans, nutrition intake, sleep patterns, injury management, every tiny data point is tracked, crunched and scrutinised. What's worrisome is that athletes' data is regularly shared - and not only within Australia, but across a constellation of sporting organisations, non-government organisations (NGOs) and other entities, the world over.
Having competed at the Olympics and in three Commonwealth Games, I have 'ticked' all manner of consent forms, for all manner of teams and organisations - all while giving up control of my personal and sensitive health information in the process. For athletes and sporting organisations, this is business as usual, for privacy and data experts, this is a minefield.
While Australia has been late to the privacy reform party, with the EU leading the charge and enacting the General Data Protection Regulation (GDPR) in 2018, the Paris Games and 2024 might mark the point when Australia's privacy framework gets a serious workout. At the end of September this year, the Commonwealth Government Response to the Privacy Act Review Report committed to overhauling - and, in a large measure, adopting GDRP-style reforms.
Why should sporting organisations pay attention?
One of the many GDPR-style changes relates to transferring information overseas - and requiring an assessment of whether the data recipient's jurisdiction has equivalent privacy protections. If not - that would likely be a breach. And then, there's the issue of consent - and whether the consent to share the athlete's information is given freely. And what about athletes under 18? Or those who feel pressure not to raise a fuss because they just want to compete?
Those issues don't just apply to the 'Big End' of sport. Where smaller organisations may have been exempt from the Privacy Act, the reforms nix the 'small business exemption' (less than $3m in annual turnover) meaning that virtually all incorporated entities will be captured. That means smaller organisations will need to track personal information, ensure that it's kept secure and not mishandled - or face serious fines form the Privacy Commissioner ($50m)!
With the amount of personal information that sporting organisations deal with daily, a fitness check on how they are collecting, handling and retaining data will be essential. Like Max Verstappen's next win, privacy reform is inevitable, so you should get your skates on well before Milano (winter Olympics) 2026 - and get up-to-speed on the reforms.
Sporting organisations should ask themselves:
- Do we need the data we're collecting? And if not, let's delete it. ASAP.
- Have we considered how and why we are collecting children's or vulnerable people's data - and are we double checking that it is securely stored, and accessible to only those who have a specific need to see it?
- Do we have a data breach response plan? And why not?
The 2023 Australian Community Attitudes to Privacy Survey showed that 84% of Australians want more control over the collection and use of their personal information. In an increasingly litigious environment, sport organisations should be proactive in developing ways to protect the personal information they hold about their athletes, volunteers and fans alike. Like training for a marathon, the sooner you start, the better.
Luckily, my firm - Synergy Law - is here to help with a bit of training and to help you start eget into privacy shape with an International Association of Privacy Professionals (IAPP) Privacy Reform Seminar at our Barton, ACT Offices on the 16th of November. Please reach out to CHosking@synergygroup.net.au or DMesman@synergygroup.net.au for more information or to register your attendance.
