Sport and Technology - news and features on the use of technology in sport
The monthly e-newsletter covering the impact of technology on the business of sport


Feature: Sports and data protection - March 2006  

In the first part of a two-part feature, Malcolm Murray, a partner in Clintons Solicitors’ Sports Group, and Arif Mahmud, a solicitor in the same Group, examine the current state of play in the sports and data protection field within the European Union.

There is no denying that sports and sporting events attract a lot of attention in the 21st Century. The number of players/participants has increased as has the variety of officially recognised sports. With events such as Wimbledon attracting over 467,000 spectators in 2005 and a million-plus attendance at larger events such as the 2003 Rugby Union World Cup (over 1.5m), the 2002 World Cup Finals (over 2.5m) and the 2004 Athens Olympics (over 3m tickets sold), it is no surprise that so many businesses (large and small) are increasingly interested in establishing ties with the sporting world. The lure of access to databases full of contact details of potential new customers is a powerful one, and as the sporting world becomes more and more commercialised every day, it is important for all parties, from the organiser and sponsor down to the fans and the players, to realise the significance of data protection legislation in what they, or others, can or cannot do with Personal Data in the world of sports. This article will focus on information gathered by sports organisers on spectators, customers and enthusiasts in respect of data protection legislation in this country and the EU.

Data Protection Act 1998 - Definitions

Data Protection legislation serves to strike an effective balance between the often competing interests of individuals and those who wish to use their personal information. Since 2000 the relevant primary statute in this area of law has been the Data Protection Act 1998 (DPA 1998). The main aims of the DPA 1998 are to: (i) protect individuals’ rights to privacy; (ii) ensure individuals’ right to access and correction of information held about them; and (iii) prevent any excessive and unreasonable retention of “personal data”. It therefore places obligations on those who process “personal data” and gives substantial rights to those whose “personal data” is being processed.
The DPA 1998 defines “Personal Data” as: “data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
The definition of “data controller” is: “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”.
From these definitions, it is immediately clear that most information held by a sports organiser, club, or governing body (potentially being data controllers) about an individual could be taken to be Personal Data – an address, a picture (whether a photograph or from CCTV or a CD-ROM), payment details, a name and phone number – anything that can be used to readily identify the individual. The wide-ranging definition of Personal Data makes it crucial that sports organisers, bodies and clubs realise what precisely they are able to do in the processing of such information. What with “processing” also being given a wide interpretation so that it covers not only disclosure of Personal Data to a third party but also the recording and simple holding of Personal Data, the sports sector should definitely sit up and take notice.

Eight Principles

So, what exactly can and cannot be done with Personal Data by sports organisers, bodies and clubs? In answering this, the starting point must be the enforceable eight principles of good practice that all data controllers must comply with. These say that where Personal Data is being processed by a data controller, that data must be:

1. fairly and lawfully processed;
2. processed only for limited purposes;
3. limited to that which is adequate, relevant and not excessive;
4. accurate and up to date;
5. not kept longer than is necessary;
6. processed in accordance with the individual’s rights;
7. kept secure; and
8. not transferred to countries outside of the EEA unless such country has similarly adequate protection for the individual.

Fair and lawful processing

This is the most important of the eight principles. Processing includes the obtaining, recording, retrieving, holding, disclosing and use of the Personal Data. For it to be fair and lawful processing, data controllers must ensure that they do not proceed unless at least one of the following conditions is met:
the individual has given his or her consent to the processing; processing is necessary for the performance of a contract with the individual; processing is required under a legal obligation (other than one pursuant to a contract); processing is necessary to protect the vital interests of the individual; processing is necessary to carry out public functions (such as the administration of justice); and/or processing is necessary in order to pursue the legitimate interests of the data controller or third parties unless it could prejudice the interests of the individual.
In the case of “sensitive” Personal Data (that is Personal Data which includes information about racial/ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual orientation and criminal allegations, proceedings or convictions), there are additional conditions.
Importantly, where Personal Data has not been obtained from the individual directly but from a third party, processing is deemed to be “unfair” for the purpose of this principle unless the data controller ensures that before the relevant time (or as soon as practicable after such time) the individual has access to: the identity of the data controller; the identity of the representative of the data controller; the purpose or purposes for which the data is intended to be processed; and any other information required to make the processing fair.

Limited purposes

“Personal data” can only be processed for specified and lawful purposes, and cannot be processed for any other purpose. Therefore, data controllers such as sports organisers, bodies and clubs cannot say that they are going to process the information one way and then go on and use it for any other purposes. Similarly, permission to use data in one way does not necessarily give the data controller a blanket licence to use the data in any way it wishes.
One requirement is for data controllers to register themselves with the Information Commissioner. Part of the registration process will be to make it clear why any Personal Data will be processed. Therefore, notification of the intended processing purposes can be made in two ways: (i) in a notice given by the data controller to the relevant individual and (ii) in a notification given to the Information Commissioner.

Adequate, relevant and non-excessive

Data controllers are not permitted to hold Personal Data unless it is adequate, relevant and not excessive in relation to the purpose(s) for which it is processed. Therefore, data controllers cannot accumulate Personal Data for the sake of accumulation – the recording of such data cannot be heavy-handed and must be for a reason.

Accurate and up to date

Personal Data must be accurate and, where necessary, kept up to date. This principle will not be breached where inaccurate information in personal data accurately records information obtained from the individual if the data controller has taken reasonable steps to ensure the accuracy of the data. In this context, “inaccurate” means data that is “incorrect or misleading”. It must be noted that the data controller is under a duty to use reasonable steps in verifying the accuracy of the data obtained, such reasonableness to depend on the circumstances.

No longer than is necessary

Data controllers are not permitted to keep data beyond the length of time necessary for the purpose(s) for which it is being processed.

Processed in accordance with the individual’s rights

Information must be processed in accordance with the relevant individual’s right to: obtain access to Personal Data about the individual held by the organisation; receive information from the organisation about the purposes for which the Personal Data will be used; prevent the use of the information that is likely to cause damage or distress; object to direct marketing; object to purely automated decision-making in certain cases; receive compensation for breach of an organisation’s obligations; require rectification or destruction of inaccurate information about the individual; and ask the Information Commissioner to assess whether the DPA 1998 has been contravened.

Secure

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of Personal Data. Furthermore, such measures must be taken against accidental loss or destruction of, or damage to, Personal Data. The DPA 1998 suggests that the cost and state of technology at the relevant time available to the data controller and the nature of the data to be protected are significant factors when considering whether or not such a principle has been breached. It can be reasonably inferred from this that data controllers must monitor technological advances so as not to fall foul of the requirements under this Act. Obviously this places a rather onerous duty on all data controllers but, although irritating and potentially costly, it makes sense under the spirit of the legislation.

Non-EEA Transfers

This is a key requirement of the DPA 1998 and is often overlooked at the risk of data controllers in all industries. “Personal data” collected or processed in any other way within the EEA (i.e. the EU plus Norway, Liechtenstein and Iceland) cannot be transferred to a country or territory outside of the EEA. The rationale behind this is obvious in that it should not be possible to circumvent the data protection rules by transferring Personal Data to a place where it will enjoy no legal protection and where individuals will have no rights in respect of their information. However, an important exemption does apply – namely, if the country or territory outside of the EEA ensures an “adequate level” of protection in relation to such processing of data, then a data controller will not be deemed as failing to comply with its obligations under this principle.
The European Commission has so far decreed that the equivalent regimes of Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's so-called “Safe Harbor” scheme for the application of Privacy Principles to data imported from the EU, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection provide this “adequate” protection. The implications of this limited list are immediately clear - if Personal Data is in fact being transferred outside of the EEA, and it is not being transferred to any of these countries, then it is in effect illegal. Data Controllers should consult the “Commission decisions on the adequacy of the protection of Personal Data in third countries” part of the Europa website to see whether any other countries are added to the list of “adequate” protection territories in due course.

For more information on this or any other legal issue relating to sport please contact Malcolm Murray at mmurray@clintons.co.uk

Clintons Solicitors is the Legal Sponsor of Sport and Technology


Page from ArkSports' Sport and Technology (www.sportandtechnology.com) on 2008-11-23 : Feature: Sports and data protection - March 2006 : http://www.sportandtechnology.com/features/0352.html