
Protection of privacy proves a difficult hurdle in sports world

The Irish Data Protection Authority ("DPC") has conducted research into the protection of personal data within the sports industry in Ireland. The recently published results of this research show that there are significant deficiencies in compliance with privacy legislation and, furthermore, that there is insufficient knowledge and awareness in this area within sports associations. This raises concerns for the rest of Europe, as this problem likely exists not only in Ireland, but also in other countries.

March 24, 2025

Background and results of the study

The DPC focused its research on several topics, including the responsibilities of organizations that manage personal data (such as sports clubs) and parties that process data on their behalf (such as software vendors for membership records). In addition, the DPC looked at the handling of sensitive personal data, such as medical data, the rights of people whose data is processed and staff training. For its research, the DPC worked with more than 100 "mainstream" Irish sports clubs, such as soccer and rugby clubs, as well as clubs participating in Irish traditional sports such as "Gaelic football" and "camogie". There was a particular focus on the processing of children's personal data.

The survey found, among other things, that 41% of Irish sports clubs do not have a privacy policy. However, such a policy is crucial to demonstrating that a sports club is complying with its obligations under the GDPR. Many of the sports clubs surveyed do not appear to have a procedure for dealing with requests from data subjects, such as a request for access or a request to delete or rectify data. In addition, the survey found that 56% of sports clubs in Ireland do not have a retention policy. This raises concerns because sports clubs may therefore be storing personal data for much longer than necessary. The lack of documentation and policies can lead to non-compliance with privacy laws, data breaches and loss of confidence among sports club members about the protection of their personal data.

Processing health data

With technology continuing to evolve, more and more sports clubs are also starting to use performance analysis, for example via wearable devices, to collect data from players. At high levels in the sports world, it is already very common for players to wear heart rate monitors during practices and games. Data about the athlete, team or a performance are not only available to athletes, trainers and coaches, but are also increasingly used to enrich the experience of fans. For example, spectators can increasingly view live statistics and data during a live sporting event. Data collection takes place not only at the highest level of sport, but also regularly in performance teams at amateur clubs. Much information is also recorded there regarding the physical and mental performance of children and young people, which requires great care in processing that data.

39% of the clubs that participated in the DPC's survey indicated that they collect performance data from athletes. It is important to be aware that performance data is likely to be health data as it relates to the physical and possibly mental well-being of athletes. In principle, health data should not simply be collected or shared unless there is a legal basis for it, such as medical necessity or athlete consent. In doing so, it is essential to know the limits on the processing of this health data, such as the extent to which the data processing is necessary, how long this data may be kept and who within the sports club has access to the data.

When a sports club plans to introduce technology for the purpose of data analytics, it is advisable to conduct a Data Protection Impact Assessment ("DPIA"). In certain cases, this may also be mandatory. In this way, the risks of this use can be identified and measures can be taken to minimize these risks. According to the Irish data regulator's survey, only 9% of clubs indicated that they had conducted a DPIA. The DPC therefore concludes that sports clubs are clearly unaware of their obligations to assess risks arising from data processing and to carry out a DPIA. This also raises concerns because sports clubs may be carrying out several processing operations that pose a high risk to data subjects without appropriate measures being taken to mitigate these risks.

Conclusion

Worryingly, practices around compliance with privacy laws and the protection of personal data in the Irish sports industry are clearly substandard. However, it is likely that this problem will also occur in many sports clubs and organizations in other countries within Europe. Unlike commercial enterprises, non-profit associations and foundations are likely to have privacy and data protection somewhat lower on their agenda, simply because they often have fewer (financial) resources for it. This will also apply to sports associations.

Nevertheless, compliance with privacy laws and the protection of personal data is also very important in the sports sector. For many people, especially young people, participating in sports is an important aspect of their lives and well-being. Children and their parents should therefore be able to engage in sports activities without having to worry unnecessarily that their privacy rights will be violated and their personal data not properly protected. It is therefore important to improve data protection practices in the sports world and for more sports clubs to comply with their obligations under the GDPR. A first important step towards this is to increase awareness and knowledge of privacy and data protection within the sports sector. Ultimately, sports clubs will then hopefully be better able to protect personal data, and potentially health data, of athletes, staff and other stakeholders.

If you have any questions about this topic or could use help in drafting documentation and policies regarding the protection of personal data for a (sports) association, please contact one of our specialists.  

AKD
