Data has always been used in sport in unsophisticated ways, but the difference in today’s world is the type of data and how it is being used.
Most Australian professional sporting leagues, associations and clubs fall under the realm of the Privacy Act 1988 (Cth) (the Act), and many smaller sporting organisations and clubs who are currently exempt from the provisions by virtue of having a turnover of less than $3M will likely soon be captured by pending reforms to the Act.
The types of information collected or generated about identified (or reasonably identifiable) athletes by sporting organisations would fall within the legal definition of “personal information”.
The vast majority of information would also fall within the more protected subcategory of personal information termed “sensitive information”, particularly by virtue of being “health information”.
The Act sets out the following restrictions in relation to the collection of data:
- transparency and notice;
- that the collection is reasonably necessary; and
- that individuals consent to the collection of sensitive information.
In practice in professional sport, the collection of athlete data and the purposes of collection are usually only addressed generically by clubs and organisations, often as a once-off practice within the context of signing a player contract and agreeing to associated terms. Athletes are then often uninformed about the continuous and detailed nature of the data collected about them and the use and users of their data.
Further, privacy policies tend to be undifferentiated for different audiences, whether athletes, staff, fans, or casual visitors of a website and sometimes “sneaky” with the use of tiny fonts or no opt-outs.
Organisations must not collect personal or sensitive information “unless the information is reasonably necessary for one or more of the entity’s functions or activities”. A sporting organisation must not fall into the mindset of simply collecting everything it can if it is not for a legitimate function or activity.
Consent to collection of athlete data should be voluntary, informed, current, specific, unambiguous and should be timed where possible to coincide with the time of collection of data. At the very least, it should be able to be withdrawn at any time. This is a high bar that does not in most cases appear to have been genuinely met, particularly with respect to the collection of athlete data in professional sport.
Sporting organisations and clubs should ensure they have:
- transparency and understanding of their obligations under the Act and the Australian Privacy Principles; and
- clear privacy policies and procedures and clarity around what is and isn’t acceptable to collect, store, use etc.
Going forward, we expect to see an increased focus on the protection of athletes in relation to data collection in athlete contracts and collective bargaining agreements.