We store medical and biometric data of our athletes, what will GDPR and the UK Data Protection Bill mean for this?
26 April 2018
The GDPR, which comes into force on 25 May 2018, imposes more onerous requirements when processing (including storing) ‘special categories’ of personal data, which includes ‘data concerning health’ and ‘biometric data’. The processing of ‘special’ personal data is prohibited unless the data controller can show that an exception applies.
One exception is that the data subject has given ‘explicit consent’. However, consent is problematic: it is difficult to obtain in the employment context because it must be ‘freely given’ (which, according to the UK ICO, cannot be the case where there is an imbalance of power) and consent, in any scenario, can also be withdrawn at any time. Clubs should therefore look to other exceptions to process athlete personal data. The availability of other exceptions must be carefully analysed on a case-by-case basis, but the following are most likely to apply:
Firstly, clubs might be able to argue that the processing is ‘necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law’. Clubs can therefore look at national law to rely on this exception. For example, under the Health and Safety at Work etc. Act 1974, clubs owe duties to their employees (and others) to maintain a healthy and safe working environment – and so clubs might be able to rely on the 1974 Act to, for example, process medical and biometric data to identify whether an athlete has cardiovascular problems. Clubs might also look to the Equality Act 2010 to process medical records, in order to comply with disability discrimination obligations.
Alternatively, clubs might be able to claim that the processing is ‘necessary for the assessment of the working capacity of the employee’. However, under this exception clubs must ensure that the personal data is only processed by ‘a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies’. This ‘working capacity’ exception might therefore permit a club to process the data under the supervision of a club doctor or physiotherapist. This exception can only apply, however, where an athlete is an employee of the club.
If the athlete is not an employee (e.g. a youth player), the club will not be able to rely on the ‘working capacity’ exception. The other two exceptions discussed above potentially will be available, but others may also apply. For example, if a player has made an injury public via social media, the club might be able to rely on an exception which applies where the ‘processing relates to personal data which are manifestly made public by the data subject’.
As you’ll appreciate, the law is complex and whichever exception is being relied upon, careful scrutiny on a case-by-case basis will inevitably be required to ensure the club has a right to process the special data. Further, in every case a club should not process more personal data than is necessary. In particular, clubs should only process personal data which would impact the athlete’s sporting performance and not, for example, irrelevant information about an athlete’s sexual health. The data should also only be processed for no longer than is necessary; for example if a player changes club, the data should be destroyed or transferred to the player/the new club’s doctor. Clubs should also ensure that they protect personal data by applying security measures which are proportionate to the risk that is attached to the processing activities.
It’s worth noting that associations and other not-for-profit bodies (e.g., the FA) may be able to rely on a separate exemption where the processing relates to their ‘legitimate activities’. Bodies which are tasked with eliminating doping in sport will (under the draft UK Data Protection Bill) also be able to rely on the GDPR’s ‘substantial public interest’ exemption to the extent that the processing activity relates to measures designed to eliminate doping.
Finally, the UK Data Protection Bill is still on its journey through Parliament and the detail is subject to change. It also remains to be seen how the GDPR will be interpreted in practice and whether any regulatory guidance relating to this topic will be issued. The important thing is to think this through and not assume a blanket approach will work.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.