Major reforms to the Privacy Act (the Act) are anticipated from the Federal Government in the coming year, and they will directly affect sporting organisations and clubs, particularly in relation to the legalities around the way they collect, use and retain athlete and member data.
Whilst these reforms have to date been ‘agreed in principle’ by the federal government and are yet to be implemented in legislation, organisations can take practical steps now to prepare and get ahead of the impending changes.
Data has always been used in sports in unsophisticated ways, but the difference in today’s world is the type of data and how it is used. The types of information collected or generated about identified (or reasonably identifiable) athletes would fall within the legal definition of “personal information”. The vast majority of it would also fall within the more protected subcategory of personal information termed “sensitive information”, particularly by virtue of being “health information”.
The proposed changes that will be particularly relevant to sporting entities include:
- Removal of small business exemption – Until now, entities that have a turnover of less than $3M have been exempt from complying with the Act, with limited exceptions. In perhaps the most significant of the changes, many smaller sporting organisations and clubs who previously may have considered themselves exempt from the provisions by virtue of having a turnover of less than $3M will now be captured by the Act.
- Obtaining and clarifying consents – Consent will need to be voluntary, informed, current, specific, and unambiguous. Consent should be timed where possible to coincide with the time of collection of data and, at the very least, be able to be withdrawn. This is a high bar that does not, in most cases, appear to have been genuinely met, particularly with respect to collection of athlete data in professional sport.
- 72 hour reporting time frame – All serious data breaches will have to be reported to the Privacy Commissioner within 72 hours, significantly reduced from the current 28 day reporting timeframe. Sporting organisations should be reviewing their current practices of collecting, retaining and protecting athlete and member data now and taking steps to put in place a data breach plan before having to deal with such a data breach incident in the future.
- Additional protection for children and vulnerable individuals – In relation to children, these will include additional transparency requirements and a prohibition on direct marketing (and targeting) of children. Sports dealing with the collection of data from participants who are minors should make themselves aware of and ensure they meet these requirements.
Looking forward, sporting organisations and clubs will need to have:
- increased transparency and understanding of their obligations under the Act and the Australian Privacy Principles; and
- clear privacy policies and procedures and clarity around what is acceptable to collect, store, use etc. and what isn’t.
We also expect to see an increased focus on protection of athletes and their personal data in the negotiation of contracts and collective bargaining agreements by athletes and their associations.