Understanding the basics
In simple terms, data protection can be defined as a set of rules created to protect people’s personal information, and when it comes to sport, it underpins everything. Analytics allow athlete performance to be tracked, measured and coached using the wealth of information that data generates. However, whilst there are many benefits that come with this, so does the responsibility to protect people’s data in accordance with the UK General Data Protection Regulation (UK GDPR).
The aim of this article is therefore to provide sports organisations with a sound understanding of the key elements of the UK GDPR and of their responsibilities when handling an athlete’s personal data.
What data are we talking about?
We’re talking about any information that can identify an athlete. Examples include:
- Biometric data: Heart rate, sleep patterns, and other data from wearable tech.
- Location data: GPS tracking of movement.
- Medical records: Injury history, rehabilitation progress.
- Psychological assessments: Mental health and performance evaluations.
- Basic information: Name, address, contact details.
The legal groundwork: why can you collect this data?
You can’t just collect athlete data without a valid legal reason. Under UK GDPR, this usually boils down to:
- Consent: The athlete agrees to you using their data. This is crucial for sensitive health data, which includes information about an athlete’s physical or mental health, like medical diagnoses, injury reports, genetic data, disability status, or results from drug tests.
- Legitimate Interest: You have a genuine business reason, and it doesn’t override the athlete’s rights. However, you need to conduct a Legitimate Interest Assessment (LIA) to ensure this.
- Contractual necessity: The data is needed to fulfil a contract. This can include an employment contract for a professional athlete or a membership agreement where the athlete pays a membership fee in return for access to and use of training facilities, kits, pitch hire and sports equipment.
Transparency and security: keeping athletes informed and data safe
- Privacy notices: You must tell athletes what data you collect, why, who has access, and how long you retain the data for. When drafting the privacy notice, use clear, simple language.
- Data security: Protect data from breaches. Common examples include:
  - using strong passwords and multi-factor authentication.
  - encrypting sensitive data.
  - having a data breach response plan in place.
- International transfers: when sharing personal data with an organisation outside of the United Kingdom, you must ensure you have appropriate safeguards in place. The most common examples include (i) relying on UK ‘adequacy regulations’ (essentially, this is when another country has been assessed as providing ‘adequate’ protection for an individual’s personal data) or (ii) using the ICO’s International Data Transfer Agreement or International Data Transfer Addendum.
- Data minimisation: when processing personal data, you must ensure that the processing is limited to what is necessary.
- Storage limitation: Retain data only for as long as needed. You should develop a data retention schedule.
Athlete rights: what can they ask for?
Under UK GDPR, athletes have rights, including (but not limited to):
- Access (Subject Access Requests or SARs): They can ask for a copy of their data.
- Rectification: They can ask you to correct errors in their data.
- Erasure (right to be forgotten): They can ask you to delete their data.
- Restriction of processing: They can ask you to limit how you use their data.
- Data portability: They can ask you to transfer their personal data to a third party in a commonly used, machine-readable format.
Knowing when an athlete has made one of the above requests is paramount, as (i) it may not always be obvious at first glance (for example, an individual may request a copy of their personal data whilst also emailing about other matters) and (ii) unless an exception applies, you have to deal with the request without undue delay and, in any event, within one month. It is therefore important that your staff have received appropriate training and are able to spot when an athlete has made one of the above requests and know what action needs to be taken.
What happens if you don’t comply?
For most sports organisations, complying with your obligations under the UK GDPR requires a significant amount of work and failing to comply can have serious consequences. These include:
- ICO’s enforcement powers: The Information Commissioner’s Office (ICO) has a range of powers, including issuing warnings, enforcement notices and penalty notices (for the most serious of offences – and I do mean the most ‘serious’ – the ICO can issue fines of up to £17.5m or 4% of your annual worldwide turnover, whichever is the higher).
- Reputational damage: Data breaches and privacy violations can harm your organisation’s reputation.
- Legal action: Athletes whose data protection rights have been infringed may have grounds to pursue claims for compensation through the courts.
Practical steps for your organisation
- Data audit: as an initial step, we would recommend that you conduct a data audit, as this will help you identify your data processing activities and any potential risks. A data audit will help you identify all the personal data you collect, where it comes from, what you use it for, who has access to it, and how long you keep it.
- Security measures: an athlete’s data must be protected by robust security measures to avoid unauthorised access, alteration, or destruction. You should:
  - implement multi-factor authentication and ensure all staff use a strong password.
  - encrypt sensitive data both in transit and at rest.
  - implement strict access controls so that only those individuals who need to know have access to it.
- Training: all staff who handle personal data should receive regular, up-to-date training on data protection. Common topics include identifying and responding to subject access requests, and identifying and reporting data breaches.
- Contract reviews: when an athlete’s personal data is shared with the likes of sponsors or service providers (essentially any third party), it is your responsibility to ensure all contracts uphold the appropriate data protection provisions and are regularly reviewed.
- Privacy notices: it is important that the athletes are aware of what personal data you collect about them and what you do with it. You could include this on your internal intranet or within your club’s policies.
If you require assistance in ensuring your sports organisation complies with its data protection obligations, please do not hesitate to contact our Sports Team.