
"Performance Data" and the Legal Gymnastics

28 February 2024
Chloe Hosking - Paralegal

Data governance in sport is a bit like the Wild West, where entrepreneurs sign 'prospects' up to contracts that are light on detail - and tend to be even lighter on legalities. And I'm a case in point. One sporting contract I signed gave me very little ability to negotiate or amend the terms, but it gave the other party virtually unlimited rights to record, collect, transmit, measure, use, modify, and alter any information related to my training and race data. This included, but was not limited to, heart rate, calorie intake, power output, velocity, cadence, and location data. In the sporting world, this is referred to as "performance data".

You won't find "performance data" listed as a subset of personal information (PI) or sensitive information (SI) under Australia's Privacy Act 1988. Arguably, performance data should be considered sensitive information, considering its close relationship with health information or biometrics. At the very least, it should be considered PI, but the reality is that very few people in the sporting industry - or the broader community - even think of athletes' performance data in terms of personal privacy. And the problem is only getting bigger.

A discussion paper published in April 2022 indicated that Australia needs to urgently "start a conversation about data governance in professional sport." The discussion paper reveals that Australian professional sports are collecting more personal information about athletes than they can meaningfully deal with, or than is useful. My own sporting contract and experience are evidence of this data farming.

The misclassification of 'performance data' as 'something other' than PI may have far-reaching repercussions for the athletes whose data is being collected, and for the organisations collecting it - particularly when you consider the Government's Response to the Privacy Act Review Report (the Report). The government agreed-in-principle (Proposal 4.1) to expand the definition of PI to information that "relates to" an individual, and to require a connection that is not too tenuous or remote. In the sporting world, there is already a reduced pool of candidates. It is likely that an individual athlete would be reasonably identifiable, even if their identity is not known or their data has been (allegedly) anonymised.

In most cases, the collection of athletes' performance data will not be nefarious. Regardless of the motivation, sporting teams and organisations would be well placed to consider conducting Privacy Impact Assessments (PIAs) to determine, at a minimum, what type of information they are collecting. Is it personal or sensitive information? And is your organisation meeting the required standards for handling this information under the Australian Privacy Principles (APPs)? My Synergy Law colleague, David Mesman, recently wrote an article on PIAs. David looked at what they are and when your organisation might consider running one.

The APPs require that personal information should only be collected where it is "reasonably necessary" for an organisation's functions or activities. The guidance from the Office of the Australian Information Commissioner (OAIC) indicates that PI that is "merely helpful, desirable or convenient... being entered in a database in case it might be needed in the future", or that is collected as part of "normal business practice", simply does not satisfy this requirement.

Even if your organisation decides not to undertake a PIA, your team should ask, before you collect anything: do we really need this data?

Other questions that might serve as a 'warm up' for a PIA include:

  • Is our organisation using the data for the original (approved) collection purpose?
  • Has our organisation considered all possible - and future - situations where the data might be used?
  • Do we have a robust Privacy Policy that prevents data being moved from our organisation without the athlete's permission?

If you can't answer "Yes" to these questions, Synergy Law is happy to discuss them with you. Our objective is to provide best practice, strategic and value-for-money solutions that are not limited to a single engagement or project. We pride ourselves on thinking from a whole-of-organisation and sector perspective, with an in-depth understanding of the real risks faced by government agencies and other organisations.
