Australia is a nation of sports lovers. With so many exciting events on the Australian sporting landscape (regular events like the Australian Open, Santos Tour Down Under, Melbourne Cup and of course, the upcoming FIFA Women's World Cup, 2026 Commonwealth Games and the 2032 Brisbane Olympic and Paralympic Games), our love of sport won't be waning any time soon.

Professional sport, unlike other professions, operates in a space where the narrowest of margins can be the difference between first and second place, or between placing and not placing. The margins can be so small that it's difficult for an ordinary person to comprehend.

Recent reviews into elite sport, including the Human Rights Commission Review into gymnastics, highlight the "win at all costs" approach that can be rampant in professional sport. This is not particularly surprising when only a small percentage of professional athletes and teams who are at the top of their game make significant financial gains from their (relatively short-lived) profession.

When the difference between, for example, being a medal-winning Olympian or not, or breaking a world record or not, can have significant impacts on an athlete (in terms of financial payments, sponsorships etc.), it is no surprise that athletes and sporting organisations hunt for that winning edge, that micro adjustment that might just make the difference to an athlete's or team's performance and be the difference between being offered significant sponsorships or receiving significant prize money and not. 

So how do you do this? Well, one way is to dissect and analyse every piece of data you can to know where and how to make those micro adjustments to improve performance (or whatever the relevant metric is).

In this first article of a two-part series on data protection in sport, we explore the main legal issues that athletes and sporting organisations alike should be aware of when collecting and using athletes' data.

How are athletes' data collected and used?

Data collection in sport is not new. It has long been commonplace to record athletes' data, particularly things like heart rate, to understand the body and ultimately increase performance. What is changing, though, is the type of data that can be collected, the technological advances, the ease with which it can be collected and the ways in which the data can be stored and manipulated.

Every moment of an athlete's life can be monitored and tracked 24 hours a day, seven days a week, with the data being stored in the cloud, often unbeknownst to the athlete. Data collection is no longer limited to the time an athlete is actually training. Data is collected and analysed from a huge variety of sources - wearables (e.g. watches, Oura rings, heart rate monitors), athlete management systems and a plethora of other technological advancements (including within an athlete's clothing).

The amount and type of data that can be collected is staggering. Demographic data, biometric data (i.e. body measurements and calculations), positional data (e.g. tracking the movement of players during a game), physiological and player wellbeing data are routinely collected. These data are used for everything from correcting technique and preventing injuries to monitoring performance in real-time, analysing where goals are most often scored from, predictions of athletic prowess in children, predictions of particular performances or probabilities of certain teams winning or losing (generally by the use of artificial intelligence).

As consumers of sport, we often know things like the power to weight ratio of our favourite cyclists, the amount of force measured from the hands of our favourite swimmers and the resting heart rate of our favourite long-distance runner because the data has been collected and published.

The Australian Academy of Science, together with the University of Western Australia's Minderoo Tech & Policy Lab, recently released a discussion paper surrounding the collection and use of athlete data in Australia (Discussion Paper). The Discussion Paper illustrates that there needs to be a significant improvement in the understanding of the legal issues, by athletes and sporting organisations alike, surrounding the collection and storage of data gathered from athletes.

If you are a sporting organisation, you need to ensure you have appropriate privacy policies and systems in place to cover the legal issues we explore below. Simply inserting a generic clause in an athlete's contract is not enough.

What are the main legal issues?

The Privacy Act 1988 (Privacy Act) is the legislative instrument that is used to promote and protect the privacy of individuals and regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million handle personal information.[1]

The Privacy Act includes 13 Australian Privacy Principles (APPs) that set out an organisation's obligations in relation to (amongst other things not discussed in this article):

  • collection and management (including disclosure) of personal information
  • governance and accountability
  • integrity of and an athlete's ability to correct their personal information
  • the rights of individuals to access their personal information.

It is important for sporting organisations to be aware of their obligations under the Privacy Act. If an athlete or other person makes a complaint about a breach of the APPs, your organisation can be subject to regulatory action and subsequent penalties for breach.

In the sporting context, data that is routinely collected from athletes will be considered "personal information" under the Privacy Act. That is:

"Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not".

This could be:

  • a photograph or video of an athlete
  • their name, email address, date of birth etc.

Much of the information collected from athletes will also fall within the subset of personal information that is "sensitive information". This requires a higher level of privacy consideration than other personal information. Sensitive information is personal information that includes information or an opinion about an individual's race or ethnic origin, health or genetic information.

How should you collect and manage data?

Open and transparent management of personal information

APP 1 requires APP entities to manage personal information in an open and transparent way. This does not relate simply to collecting data, but all steps along the chain from collection to destruction of data. APP 1 also requires an organisation to take reasonable steps to implement practices, procedures and systems to enable the organisation to deal with complaints about the organisation's compliance with the APPs.

How can you ensure an organisation is open and transparent? A general clause in a contract that an athlete signs on commencement is not likely to be sufficiently open and transparent. You should still ensure that contracts include clauses that govern the collection and use of data and that those clauses are sufficiently wide. The best practice would be to have a well-drafted privacy policy that clearly sets out the organisation's position regarding the collection, use, disclosure, storage, destruction and de-identification of information.

If your organisation has a general privacy policy that does not differentiate between athletes and other participants in the sport (such as administration staff etc.), this is unlikely to be sufficient to comply with APP 1.

Collection of personal or sensitive information must be 'reasonably necessary' for the organisation's functions or activities

APP 3 limits an organisation's ability to collect personal information by requiring that an organisation must only collect personal information that is reasonably necessary for one or more of its functions or activities.

The Discussion Paper found that often in the sporting context, the data being collected may be inherently interesting and helpful but is not "reasonably necessary" for one of the organisation's functions or activities. Whether information is "reasonably necessary" will depend on whether there is a clear connection between the information collected and the organisation's functions or activities.

APP 3 also imposes a further requirement for sensitive information that requires the individual to consent to the collection of this information. This consent must be express, voluntary, specific and informed. It must also be able to be withdrawn.

This again highlights the importance of a properly drafted privacy policy. It will not be sufficient if an athlete's contract includes a generalised consent to the collection and use of data. 

Notification of the collection of personal information

Once your organisation has collected personal information, it must take reasonable steps to notify the individual or ensure the individual is aware of certain matters under APP 5. These include:

  • the fact that the data has been collected and the circumstances of its collection
  • the purpose for which the information was collected
  • whether the information is required or authorised by law.

These reasonable steps, which will depend on the circumstances, must be taken before or at the time that the personal information is collected.

The Discussion Paper found that more often than not, sporting organisations include a general contractual provision in an athlete's contract that refers generically to the collection of data. This is not sufficient to comply with APP 5. Each time data is collected, an organisation should ensure it complies with APP 5.

How can the data be used once it is collected?

Once personal information has been collected and you've notified the athlete (under APP 5) of the purpose for which the information was collected, APP 6 requires that an organisation can only use or disclose personal information for a purpose for which it was collected (or a secondary purpose in some circumstances).

This makes it clear that an organisation can only use or disclose the information it has obtained in ways the individual would expect (unless an exception applies, such as where the athlete consents or the secondary use or disclosure is required or authorised by law).

This again highlights that a generalised consent in an athlete's contract will not be sufficient to ensure an organisation is complying with APP 6.

Key takeaway

The Discussion Paper has highlighted a lack of understanding by sporting organisations regarding their legal obligations with respect to the collection and use of athlete data.

If you are a sporting organisation, you have legal obligations with respect to this data that must be addressed by a properly drafted privacy policy and organisational privacy processes. Simply relying on generalised provisions in an athlete contract will not be sufficient and could result in regulatory action.

Next week, we will discuss issues regarding ownership of athlete data and an athlete's rights.

Footnote

[1] If you are an organisation with a turnover of less than $3 million, you may still be required to comply with the Australian Privacy Principles. Please get in touch with us if you need advice.
