Sport and Technology - news and features on the use of technology in sport
The monthly e-newsletter covering the impact of technology on the business of sport


Feature: Sports and data protection - April 2006  

In the second part of a two-part feature, Malcolm Murray, a partner in Clintons Solicitors’ Sports Group, and Arif Mahmud, a solicitor in the same Group, examine the current state of play in the sports and data protection field within the European Union.

Sports Organisers - examples of Data Protection Act 1998 application

The DPA 1998 has undoubtedly added a necessary complexity to the way any business handles any information it has in connection with individuals. In the sports sector specifically, official bodies, clubs, associations, marketing agencies and the like must ensure that any information they hold on players, participants, referees/umpires, employees or any spectators is dealt with in a commercial manner within the restrictions of the DPA 1998. Below are key areas in the sporting world that need particular attention with regard to spectator information supplied to sports organisers. Of course, such a list is by no means intended to be exhaustive, as there is a plethora of circumstances, as can be inferred from the text above, that could easily fall within the data protection regime. Prospective data controllers should remain vigilant whenever an individual’s data is at hand.

1. Individuals’ right to certain information

A sports organiser will almost without exception be a data controller for the purposes of the DPA 1998. If people have applied for tickets to an event, at some point it is feasible that they will provide the organiser with their contact details. It is therefore crucial that it meets its obligations as such. Especially important will be compliance with the first principle of ‘fair and lawful processing’, and it must provide the following details to all individuals that acquire a ticket at some point (often on the back of the ticket):
- the full identity of the data controller;
- the identity of any representative of the data controller to get in touch with should there be any questions or problems;
- the purpose or purposes for which the data is intended to be processed; and
- any other information required to make the processing fair.
Failure to provide such information would certainly contravene the DPA 1998 and could lead to any number of sanctions as enforced by the Information Commissioner.

2. Unsolicited Marketing

The database of spectators that a sports organiser may build up before, during and after a sporting event is of course a great resource for exploitation at a later date for the direct marketing of other products or services provided by the sports organiser. However, organisers must note that such marketing has been qualified by the DPA 1998. Individuals now have the right to send the organiser a written notice requiring them to stop or not to begin processing their Personal Data for the purposes of direct marketing at the end of such period of time as is reasonable in the circumstances. If the organiser does not stop such communications following this type of notice, an official complaint may be made to the Information Commissioner who will then proceed to investigate the matter and issue any sanctions it deems fit under the circumstances.

3. Transfer of spectator information to a third party

As mentioned above, the database of spectator and/or fan information is an important asset of a sports organiser’s inventory. In the current climate of increased sports commercialisation many third parties, including sponsors, advertisers, marketeers and statisticians will also often approach the sports organiser in order to gain access to the potentially lucrative details of attendees at sports events who may be converted to consumers for their own products and services.
The big temptation of course would be to commercially exploit such a database as any other asset – selling it to an interested third party at the right price. However, as no doubt is clear by now, nothing is ever quite so easy under the DPA 1998. Under the first principle of ‘fair and lawful processing’, the sports organiser must ensure that it does not pass on or sell such a database to any third party unless it has first obtained the express consent of the individuals whose details are held within that database. To supply the database without such consent would also amount to processing for a reason undisclosed by the data controller at the time and would therefore also fall foul of the second principle. It is imperative that organisers realise that just because a third party is an event or title sponsor, this does not discharge the requirement of such consent. Of course, this will have repercussions on the fee that a sponsor can charge a would-be sponsor in any sponsorship arrangement. The pool of potential new consumers that is a database is often the major reason why a sponsor will be interested in being involved with an event or league in the first place.
The most effective way round this problem is the well-known device of ‘opt-in’ boxes. Whether tickets are bought through the website of the organiser or directly from the box office, the organiser should ask the purchaser to tick a box or otherwise authorise the organiser to pass on his or her contact details to specified third parties. Best practice suggests that the wording for the “opt-in” be clear, obvious and straightforward. It should also provide the purchaser with enough information as to the type of processing that will take place so that the decision whether to tick or not can be a reasonably informed one. Although such an approach is not a sure-fire way of getting potential customers to the sponsor or interested third party, it is certainly a safer route with regard to the issue of proper consent than “opt-out” boxes where an individual is asked to tick a box if he or she does not want his or her details going to a third party.

4. Transfer of spectator information abroad

As mentioned above, the sports organiser needs to think twice if it is to transfer data outside of the EEA and to a country not recognised by the European Commission as having “adequate” systems in place. Of course, the most apt way round this may be to subscribe to the “model contract” terms as provided for above, but this requires legal advice and can be rather complicated and costly in time and money.

5. Spectators’ image caught on CCTV at event

Increased security at or around events by organisers often means use of CCTV technology. Recent case law suggests that CCTV images of an individual will not always fall within the DPA 1998 regime. The two main questions that seem to be of importance are whether the individual is the focus of the information and whether the information tells the organiser something significant about them. If the CCTV system used is basic – that is, limited to only a few cameras that cannot be moved remotely, recording only what is happening before them – then it is less likely that the DPA 1998 would apply. However, if cameras are used and moved remotely and are used to observe what an individual is doing for the organiser’s own business purposes and/or the recorded images are given to third parties not being the police, then the DPA 1998 will almost certainly apply (unless other exceptions apply). Therefore, best practice dictates that signposts be made clearly visible notifying all guests to sports events that CCTV cameras are in operation for security purposes.


Best foot forward – a summary

Data protection can be a subtle and complex area of law and yet it will apply very often in the business world. With professional sports being irrevocably linked to commerce, and the public becoming more educated about their rights to privacy, the DPA 1998 simply cannot be ignored.
In order to ensure compliance with the eight data protection principles, as best practice, sports organisers should:
• be registered as data controllers and notify the Information Commissioner of any Personal Data retained by them and keep their data up to date;
• appoint a data protection officer within their organisation with a good understanding of the DPA 1998;
• obtain each individual's consent to the sports organisers holding and processing their Personal Data (especially where it is ‘sensitive’);
• provide necessary information to individuals, including information about the purposes for which the Personal Data will be used, informing them of their right to obtain access to any information held by the sports organisers and their right to object to direct marketing;
• carefully consider the relative merits of offering an option of “opting in” rather than ‘opting out’;
• implement procedures to deal with requests from individuals (i) to access their Personal Data; or (ii) objecting to certain processing;
• implement a formal and written data protection policy affirming the importance of good data protection practice and endorsing the data protection principles;
• have in place sufficient technical and organisational security measures for the retention of any Personal Data and monitor any technological upgrades or developments that may take place;
• inform the public, by way of its publicity literature, that it complies with the DPA 1998;
• ensure that everyone at all levels within the sports organiser understands the DPA 1998, their obligations under it and that data protection is an integral part of all of their working procedures and recording systems;
• ensure that where they appoint service providers to carry out data processing activities on their behalf, they put in place contractual security measures to comply with the DPA 1998 (the sports organiser is responsible for compliance with the DPA 1998 and not the service provider);
• erect signage that CCTV use is under operation for the purposes of security; and
• not transfer any acquired Personal Data to countries outside the EEA unless one of the exemptions applies.

For more information on this or any other legal issue relating to sport please contact Malcolm Murray at mmurray@clintons.co.uk


Page from ArkSports' Sport and Technology (www.sportandtechnology.com) on 2009-01- 6 : Feature: Sports and data protection - April 2006 : http://www.sportandtechnology.com/features/0364.html