10-05-06

Sports and Data Protection - An Overview

There is no denying that sports and sporting events attract a lot of attention in the 21st Century. The number of players/participants has increased, as has the variety of officially recognised sports. With events such as Wimbledon attracting over 467,000 spectators last year and a million-plus attendance at larger events such as the 2003 Rugby Union World Cup (over 1.5 million), the 2002 World Cup Finals (over 2.5 million) and the 2004 Athens Olympics (over 3 million tickets sold), it is no surprise that so many businesses (large and small) are increasingly interested in establishing ties with the sporting world. The lure of access to databases full of contact details of potential new customers is a powerful one, and as the sporting world becomes more and more commercialised every day, it is important for all parties, from the organiser and sponsor down to the fans and the players, to realise the significance of data protection legislation in what they, or others, can or cannot do with Personal Data in the world of sports. This article will focus on information gathered by sports organisers on spectators, customers and enthusiasts in respect of data protection legislation in this country and the EU.

Data Protection legislation serves to strike an effective balance between the often competing interests of individuals and those who wish to use their personal information. Since 2000 the relevant primary statute in this area of law has been the Data Protection Act 1998 ("DPA 1998"). The main aims of the DPA 1998 are to:
(i) protect individuals' rights to privacy;
(ii) ensure individuals' right to access and correct information held about them; and
(iii) prevent any excessive and unreasonable retention of "personal data".
It therefore places obligations on those who process "personal data" and gives substantial rights to those whose "personal data" is being processed.
The DPA 1998 defines "Personal Data" as:

"data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual"

the definition of "data controller" being:

"a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed".

From these definitions, it is immediately clear that most information held by a sports organiser, club, or governing body (potentially being data controllers) about an individual could be taken to be Personal Data - an address, a picture (whether a photograph or from CCTV or a CD-Rom), payment details, a name and phone number - anything that can be used to readily identify the individual. The wide-ranging definition of Personal Data makes it crucial that sports organisers, bodies and clubs realise what precisely they are able to do in the processing of such information. With "processing" also being given a wide interpretation, so that it covers not only disclosure of Personal Data to a third party but also the recording and simple holding of Personal Data, the sports sector should definitely sit up and take notice.

So, what exactly can and cannot be done with Personal Data by sports organisers, bodies and clubs? In answering this, the starting point must be the enforceable eight principles of good practice that all data controllers must comply with. These say that where Personal Data is being processed by a data controller, that data must be:
1. fairly and lawfully processed;
2. processed only for limited purposes;
3. limited to that which is adequate, relevant and not excessive;
4. accurate and up to date;
5. not kept longer than is necessary;
6. processed in accordance with the individual's rights;
7. kept secure; and
8. not transferred to countries outside of the EEA unless such country has similarly adequate protection for the individual.

• Fair and lawful processing

This is the most important of the eight principles. Processing includes the obtaining, recording, retrieving, holding, disclosing and use of the Personal Data. For it to be fair and lawful processing, data controllers must ensure that they do not proceed unless at least one of the following conditions is met:
- the individual has given his or her consent to the processing;
- processing is necessary for the performance of a contract with the individual;
- processing is required under a legal obligation (other than one pursuant to a contract);
- processing is necessary to protect the vital interests of the individual;
- processing is necessary to carry out public functions (such as the administration of justice); and/or
- processing is necessary in order to pursue the legitimate interests of the data controller or third parties, unless it could prejudice the interests of the individual.

In the case of "sensitive" Personal Data (that is, Personal Data which includes information about racial/ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual orientation and criminal allegations, proceedings or convictions), there are additional conditions, one of which needs to have been met for there to be fair and lawful processing:
- the individual has given his or her explicit consent to the processing;
- it is required by law to process the data for employment reasons;
- it is required to protect the vital interests of the individual or another person; and/or
- it is required for the administration of justice or legal proceedings.
Importantly, where Personal Data has not been obtained from the individual directly but from a third party, processing is deemed to be "unfair" for the purpose of this principle unless the data controller ensures that before the relevant time (or as soon as practicable after such time) the individual has access to:
- the identity of the data controller;
- the identity of the representative of the data controller;
- the purpose or purposes for which the data is intended to be processed; and
- any other information required to make the processing fair.
This requirement does not apply where the provision of the above information involves a "disproportionate effort" (i.e. where the effort to contact the individual is disproportionate to the negative impact caused to his or her rights by not making any such contact) or where the recording or disclosure of the information is necessary for compliance with non-contractual legal obligations to which the data controller is subject. "Relevant time" here means when the data controller first processes the data or, in a case where there is likely to be disclosure of the data to a third party at the time of first processing, within a reasonable period of time.

It should be noted that it is a criminal offence to knowingly or recklessly obtain or disclose personal information without the consent of the data controller. This covers unauthorised access to and disclosure of personal information. The DPA 1998 also stipulates that if a person has obtained Personal Data illegally, it is a criminal offence to offer to sell or to sell that personal data.

• Limited purposes

"Personal data" can only be processed for specified and lawful purposes, and cannot be processed for any other purpose. Therefore, data controllers such as sports organisers, bodies and clubs cannot say that they are going to process the information one way and then go on and use it for any other purposes.
Similarly, permission to use data in one way does not necessarily give the data controller a blanket licence to use the data in any way it wishes. One requirement is for data controllers to register themselves with the Information Commissioner. Part of the registration process will be to make it clear why any Personal Data will be processed. Notification of the intended processing purposes can therefore be made in two ways: (i) in a notice given by the data controller to the relevant individual and (ii) in a notification given to the Information Commissioner. Data controllers should note that where they are processing Personal Data but have not notified the Information Commissioner either of the nature of the processing being undertaken or of any changes that have been made to that processing, there is a strict liability criminal offence.

• Adequate, relevant and non-excessive

Data controllers are not permitted to hold Personal Data unless it is adequate, relevant and not excessive in relation to the purpose(s) for which it is processed. Therefore, data controllers cannot accumulate Personal Data for the sake of accumulation - the recording of such data cannot be heavy-handed and must be for a reason.

• Accurate and up to date

Personal Data must be accurate and, where necessary, kept up to date. This principle will not be breached where inaccurate information in personal data accurately records information obtained from the individual, if the data controller has taken reasonable steps to ensure the accuracy of the data. In this context, "inaccurate" means data that is "incorrect or misleading". It must be noted that the data controller is under a duty to take reasonable steps to verify the accuracy of the data obtained, what is reasonable depending on the circumstances.

• No longer than is necessary

Data controllers are not permitted to keep data beyond the length of time necessary for the purpose(s) for which it is being processed.
• Processed in accordance with the individual's rights

Information must be processed in accordance with the relevant individual's right to:
- obtain access to Personal Data about the individual held by the organisation;
- receive information from the organisation about the purposes for which the Personal Data will be used;
- prevent the use of the information that is likely to cause damage or distress;
- object to direct marketing;
- object to purely automated decision-making in certain cases;
- receive compensation for breach of an organisation's obligations;
- require rectification or destruction of inaccurate information about the individual; and
- ask the Information Commissioner to assess whether the DPA 1998 has been contravened.
If an individual feels that such rights are not complied with, he or she has the right to make a formal complaint to the Information Commissioner, as well as the right to apply to the court to ensure that inaccurate data is rectified, erased or destroyed and the right to stop the processing of Personal Data that is causing damage or distress to the individual or which is unnecessary.

• Secure

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of Personal Data. Furthermore, such measures must be taken against accidental loss or destruction of, or damage to, Personal Data. The DPA 1998 suggests that the cost and state of technology available to the data controller at the relevant time, and the nature of the data to be protected, are significant factors when considering whether or not this principle has been breached. It can be reasonably inferred from this that data controllers must monitor technological advances so as not to fall foul of their requirements under this Act. Obviously this places a rather onerous duty on all data controllers, but, although irritating and potentially costly, it makes sense under the spirit of the legislation.
In addition, data controllers have an obligation to ensure that their employees have been suitably trained to deal lawfully with the data. Once again, cost implications arise as to how to do this efficiently. Obviously the earlier people are trained in their careers, the safer the system.

• Non-EEA Transfers

This is a key requirement of the DPA 1998 and is often overlooked, at their own risk, by data controllers in all industries. "Personal data" collected or processed in any other way within the EEA (i.e. the EU plus Norway, Liechtenstein and Iceland) cannot be transferred to a country or territory outside of the EEA. The rationale behind this is obvious, in that it should not be possible to circumvent the data protection rules by transferring Personal Data to a place where it will enjoy no legal protection and where individuals will have no rights in respect of their information. However, an important exemption does apply - namely, if the country or territory outside of the EEA ensures an "adequate level" of protection in relation to such processing of data, then a data controller will not be deemed as failing to comply with its obligations under this principle. The European Commission has so far decreed that the equivalent regimes of Switzerland, Canada, Argentina, Guernsey and the Isle of Man, the US Department of Commerce's so-called "Safe Harbor" scheme for the application of Privacy Principles to data imported from the EU, and the transfer of Air Passenger Name Records to the United States' Bureau of Customs and Border Protection provide this "adequate" protection. The implications of this limited list are immediately clear - if Personal Data is in fact being transferred outside of the EEA, and it is not being transferred to any of these countries, then it is in effect illegal.
Data Controllers should consult the "Commission decisions on the adequacy of the protection of Personal Data in third countries" part of the Europa website to see whether any other countries are added to the list of "adequate" protection territories in due course. Obviously such a restriction has startled many a data controller over the years. Therefore, the European Commission threw another life-saver their way in the form of contract terms legitimising a transfer of personal information outside the EEA. It has devised a set of model contracts and has made a decision of adequacy for those times where they are used. Once again, such terms can be found on the Europa website. In addition, multi-national organisations have also been granted the right to transfer Personal Data outside of the EEA but within their group of companies, as long as they can ensure suitable "adequacy". This can be achieved by the adoption of binding codes of corporate conduct by the organisation, known as "binding corporate rules". If a body goes down this route it will need the approval of the data protection authorities in the relevant countries. Data controllers wishing to take advantage of this concession should visit the Information Commissioner's "model checklist" for more information.

The DPA 1998 has undoubtedly added a necessary complexity to the way any business handles any information it has in connection with individuals. In the sports sector specifically, official bodies, clubs, associations, marketing agencies and the like must ensure that any information they hold on players, participants, referees/umpires, employees or any spectators is dealt with in a commercial manner within the restrictions of the DPA 1998. Below are key areas in the sporting world that need particular attention with regards to spectator information supplied to sports organisers.
Of course, such a list is by no means intended to be exhaustive, as there are a plethora of circumstances, as can be inferred from the text above, that could easily fall within the data protection regime. Prospective data controllers should remain vigilant whenever an individual's data is at hand.

1. Individuals' right to certain information

A sports organiser will almost without exception be a data controller for the purposes of the DPA 1998. If people have applied for tickets to an event, at some point it is feasible that they will provide the organiser with their contact details. It is therefore crucial that it meets its obligations as such. Especially important will be compliance with the first principle of "fair and lawful processing", and it must provide the following details to all individuals that acquire a ticket at some point (often on the back of the ticket):
- the full identity of the data controller;
- the identity of any representative of the data controller to get in touch with should there be any questions or problems;
- the purpose or purposes for which the data is intended to be processed; and
- any other information required to make the processing fair.
Failure to provide such information would certainly contravene the DPA 1998 and could lead to any number of sanctions as enforced by the Information Commissioner.

2. Unsolicited Marketing

The database of spectators that a sports organiser may build up before, during and after a sporting event is of course a great resource for exploitation at a later date for the direct marketing of other products or services provided by the sports organiser. However, organisers must note that such marketing has been qualified by the DPA 1998. Individuals now have the right to send the organiser a written notice requiring them to stop, or not to begin, processing their Personal Data for the purposes of direct marketing at the end of such period of time as is reasonable in the circumstances.
If the organiser does not stop such communications following this type of notice, an official complaint may be made to the Information Commissioner, who will then proceed to investigate the matter and issue any sanctions it deems fit under the circumstances.

3. Transfer of spectator information to a third party

As mentioned above, the database of spectator and/or fan information is an important asset in a sports organiser's inventory. In the current climate of increased sports commercialisation, many third parties, including sponsors, advertisers, marketeers and statisticians, will also often approach the sports organiser in order to gain access to the potentially lucrative details of attendees at sports events who may be converted to consumers for their own products and services. The big temptation of course would be to commercially exploit such a database as any other asset - selling it to an interested third party at the right price. However, as no doubt is clear by now, nothing is ever quite so easy under the DPA 1998. Under the first principle of "fair and lawful processing", the sports organiser must ensure that it does not pass on or sell such a database to any third party unless it has first obtained the express consent of the individuals whose details are held within that database. To supply the database without such consent would also amount to processing for a reason undisclosed by the data controller at the time and would therefore also fall foul of the second principle. It is imperative that organisers realise that just because a third party is an event or title sponsor, this does not discharge the requirement of such consent. Of course, this will have repercussions on the fee that an organiser can charge a would-be sponsor in any sponsorship arrangement. The pool of potential new consumers that such a database represents is often the major reason why a sponsor will be interested in being involved with an event or league in the first place.
The most effective way round this problem is the well known device of "opt-in" boxes. Whether tickets are bought through the website of the organiser or directly from the box office, the organiser should ask the purchaser to tick a box or otherwise authorise the organiser to pass on his or her contact details to specified third parties. Best practice suggests that the wording for the "opt-in" be clear, obvious and straightforward. It should also provide the purchaser with enough information as to the type of processing that will take place so that the decision whether to tick or not can be a reasonably informed one. Although such an approach is not a sure-fire way of getting potential customers to the sponsor or interested third party, it is certainly a safer route with regards to the issue of proper consent than "opt-out" boxes, where an individual is asked to tick a box if he or she does not want his or her details going to a third party.

4. Transfer of spectator information abroad

As mentioned above, the sports organiser needs to think twice if it is to transfer data outside of the EEA and to a country not recognised by the European Commission as having "adequate" systems in place. Of course, the most apt way round this may be to subscribe to the "model contract" terms as provided for above, but this requires legal advice and can be rather complicated and costly in time and money.

5. Spectators' image caught on CCTV at event

Increased security at or around events by organisers often means use of CCTV technology. Recent case law suggests that CCTV images of an individual will not always fall within the DPA 1998 regime. The two main questions that seem to be of importance are whether the individual is the focus of the information and whether the information tells the organiser something significant about them.
If the CCTV system used is basic - that is, limited to only a few cameras that cannot be moved remotely, recording only what is happening before them - then it is less likely that the DPA 1998 would apply. However, if cameras are used and moved remotely and are used to observe what an individual is doing for the organiser's own business purposes, and/or the recorded images are given to third parties other than the police, then the DPA 1998 will almost certainly apply (unless other exceptions apply). Therefore, best practice dictates that signposts be made clearly visible notifying all guests to sports events that CCTV cameras are in operation for security purposes.

Data protection can be a subtle and complex area of law and yet it will apply very often in the business world. With professional sports being irrevocably linked to commerce, and the public becoming more educated about their rights to privacy, the DPA 1998 simply cannot be ignored. In order to ensure compliance with the eight data protection principles, as best practice, sports organisers should:
• be registered as data controllers and notify the Information Commissioner of any Personal Data retained by them, and keep their data up to date;
• appoint a data protection officer within their organisation with a good understanding of the DPA 1998;
• obtain each individual's consent to the sports organiser holding and processing their Personal Data (especially where it is "sensitive");
• provide necessary information to individuals, including information about the purposes for which the Personal Data will be used, informing them of their right to obtain access to any information held by the sports organiser and their right to object to direct marketing;
• carefully consider the relative merits of offering an option of "opting in" rather than "opting out";
• implement procedures to deal with requests from individuals (i) to access their Personal Data; or (ii) objecting to certain processing;
• implement a formal and written data protection policy affirming the importance of good data protection practice and endorsing the data protection principles;
• have in place sufficient technical and organisational security measures for the retention of any Personal Data and monitor any technological upgrades or developments that may take place;
• inform the public, by way of its publicity literature, that it complies with the DPA 1998;
• ensure that everyone at all levels within the sports organiser understands the DPA 1998 and their obligations under it, and that data protection is an integral part of all of their working procedures and recording systems;
• ensure that where they appoint service providers to carry out data processing activities on their behalf, they put in place contractual security measures to comply with the DPA 1998 (the sports organiser is responsible for compliance with the DPA 1998, not the service provider);
• erect signage that CCTV is in operation for the purposes of security; and
• not transfer any acquired Personal Data to countries outside the EEA unless one of the exemptions applies.