Athlete data is more than just numbers and stats. It can provide very valuable insights into performance, health, injury risk and even mental state. Thanks to rapid developments in sports tech, sporting organisations (SOs) are increasingly using data to make decisions that affect the careers and lives of athletes (both positively and negatively) to give SOs the edge over their competition.

This has become an area of contention for athletes, with the realisation that some SOs have failed to meet their legislative obligations. Former NRL player Jamie Buhrer emphasised this point earlier this year during discussions relating to collective bargaining agreement negotiations between the Rugby League Players Association and the National Rugby League (NRL). The area has also been highlighted in the Australian Football League’s (AFL) Collective Bargaining Agreement 2023-2027, where the parties agreed that, within 6 months of execution of the Agreement, a full review of relevant parties’ compliance with the applicable privacy laws would be undertaken.

So, what laws govern the collection, use and disclosure of athletes’ data? In Australia, these issues are regulated by the Privacy Act 1988 (Cth) (the Act). Almost all elite SOs need to comply with the Act when they deal with athlete data (because they meet the definition of an APP entity in the Act).

Types of Information

The Act applies to, among other things, the collection, use, storage and disclosure of an individual’s ‘personal information’. Relevantly for the purposes of this article, included within the definition of personal information is ‘sensitive information’.

It is worth noting that the Act does not confer ownership of personal information to any person – it merely sets out how such information should be dealt with.

Personal Information

Section 6 of the Act defines personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. whether the information or opinion is true or not; and
2. whether the information or opinion is recorded in a material form or not.

Examples of personal information includes an athlete’s name or address.

Sensitive Information

Section 6 of the Act also refers to sensitive information. Sensitive information includes, among other things:

1. information or an opinion about an individual's:
   1. racial or ethnic origin; or
   2. religious beliefs or affiliations; or
   3. philosophical beliefs; or
   4. sexual orientation or practices; or
   5. criminal record,
   that is also personal information; or
2. health information about an individual; or
3. genetic information about an individual that is not otherwise health information

Relevant to sports, sensitive information includes information regarding an athlete’s fitness level, body fat %, injuries, medical reports and other data obtained whilst training or playing.

Regulation of Personal Information

The collection, use and disclosure of an athlete’s personal information and sensitive information is largely regulated by section 15 of the Act, which prohibits SOs from breaching the Australian Privacy Principles (APPs). The APPs are a set of principles that provide athletes with specific rights over their information and place restrictions on SOs when dealing with athletes’ data. These rights and restrictions include:

1. a requirement to notify athletes when their personal information is being collected;
2. limits on the collection, use and disclosure of information by SOs; and
3. the right of athletes to access their personal information.

Notification of the Collection of Personal Information

APP 5 requires SOs to notify athletes when they collect their personal information. In doing so, they are required to provide information including, but not limited to:

1. the purpose of the collection;
2. whether the collection is required or authorised by law;
3. any consequences that may arise if the personal information is not collected; and
4. the usual disclosures of personal information of the kind collected by the SO.

In practice, this is often set out in a SOs Privacy Policy.

Collection, Use and Disclosure

APP 3 states that a SO must not collect, use or disclose an athlete’s personal information or sensitive information unless it is reasonably necessary for their functions or activities. Further, APP 3 requires a SO to also obtain an athlete’s express consent to collect, use or disclose their sensitive information. Importantly, this consent must be:

1. adequately informed;
2. voluntarily given;
3. current and specific; and
4. provided by a person who has capacity to understand and communicate their consent.

It is this area that has been put under the spotlight in recent times, with some athletes/players’ associations alleging that SOs have not been collecting, using and disclosing sensitive information relating to athletes in the manner required pursuant to the Act. It is therefore now a major discussion point in CBA and other contract negotiations with athletes.

Access to Information

APP 12 provides athletes with the right to access their personal information held by a SO. This is not an unconditional right, and the SO may refuse to provide such access in certain circumstances.

Conclusion

Safeguarding athletes’ data in the modern age is a nuanced challenge. While advancing technologies empower organisations to make more impactful, informed decisions, they run the risk of infringing on athletes’ privacy rights. Navigating this legal landscape requires a conscientious adherence to the applicable regulations in order to balance data-driven decisions with athletes’ privacy, ensuring trust and integrity across Australian sports.