The IAAF blood test data leak - was publishing the data lawful?
On 2 August 2015, the Sunday Times published an article entitled ‘Revealed: sport’s dirtiest secret’ (the Article),1 which claimed that the disclosure of supposedly ‘secret’ data held by the International Association of Athletics Federations (IAAF) revealed “the extraordinary extent of cheating by athletes at the world’s top events”. The Sunday Times and German broadcaster ARD/WDR stated that blood test data had been leaked to them by a whistle-blower concerned about the content (the Database).
In its response to these allegations, on 4 August 2015 the IAAF confirmed that, following internal investigations, it believed that there was no whistle-blower and that the Database had been obtained illegally.2
The Database allegedly contains more than 12,000 blood test results of over 5,000 athletes and the Article has led to finger-pointing in the sporting world. Whatever the position regarding the anti-doping procedures and practices implemented by the IAAF, the Article has placed innocent athletes in the public eye and forced them to defend themselves, some even feeling the need to release extremely personal information into the public domain in order to do so.
The actual Database has not been disclosed by the Sunday Times (reportedly after being threatened by an injunction by the IAAF and promising not to do so). But what is the position from a data protection perspective? What rights did the press have to obtain and hold personal information about 5,000 individuals without their consent? Were they permitted to publish information about the blood tests of athletes? And should the athletes themselves have had any say in the matter?
Was the publication of the data lawful?
From an English law perspective, blood test results are classed as 'sensitive personal data' under the Data Protection Act 1998 (DPA), and any entity that obtains, holds or uses that data must comply with higher levels of protection afforded by our national legislation, which implements the current European Directive 95/46/EC3 regarding the processing of personal data. The World Anti-Doping Agency (WADA) also has its own International Standard for the Protection of Privacy and Personal Information4 that seeks to impose a minimum level of protection of privacy and personal data in those jurisdictions where data protection requirements may not be as stringent as in Europe. This is a mandatory International Standard and all relevant organisations and persons must comply. The IAAF is based in Monaco (which is not part of the European Union) and must comply with the International Standard to protect the privacy of the individuals whose data it holds and ensure that the data held by it is secure and remains confidential.
At present, it is not known how the Sunday Times acquired the data in question, but if the data was held in the UK, the Sunday Times had an obligation to comply with the DPA. In an attempt to balance the often-conflicting rights under Article 8 (right to respect for private and family life) and Article 10 (freedom of expression) of the European Convention of Humans Rights, journalists are able to process personal data without the consent of the individual where there is public interest. Section 32 DPA exempts those processing information for the purposes of journalism from most of the provisions of the DPA that could prevent investigative journalism.
However, section 32 DPA does not provide a ‘blanket exemption’ for journalists. Following the Ashley Madison data breach in July 2015, the Information Commissioner's Office (ICO) reminded journalists5 that the section 32 exemption cannot be used by the media in every case. It can only be relied upon where the data is processed only for journalism with a view to publication. Additionally, the journalist must have a reasonable belief that the publication is in the public interest, and that they would be unable to do their job if they complied with the provisions of the DPA.
Another important point, as mentioned above, is that the IAAF confirmed on 4 August 2015 that the Database was not leaked by a staff member at the IAAF, but had been illegally obtained by the Sunday Times. The IAAF claims it has informed the relevant police authorities and it has vowed to "pursue all legal means to expose the circumstances of the disclosure and the conduct and motives of the persons involved".6 Under section 55 of the DPA, it is a criminal offence for any individual to knowingly obtain personal information without the consent of the data controller (in this case, the IAAF). However, there is also a defence available if it can be shown that in the circumstances the obtaining, disclosing or procuring was justified as being in the public interest. It is likely that anyone involved in acquiring the Database would seek to rely on this provision.
What is the legal position of the athletes?
So the Sunday Times may believe that its actions in the matter are justified and in the public interest, but what about the athletes whose names have been dragged into the limelight over the past month. Do they have any rights in the matter?
In its guidance, the ICO is very clear that journalists should only obtain sensitive information about the health of an individual if they are confident that the "public interest in doing so sufficiently justifies the intrusion into their privacy".7 The ICO also expects that, where practical, the individuals about whom the information relates should be notified that their data is being collected.
It seems that the Sunday Times may have informed the relevant athletes and asked for consent to publish, although comments from Paula Radcliffe in her statement published in The Telegraph on 8 September 2015, suggest she was unhappy with the Sunday Times' approach: "The Sunday Times recently attempted to obtain the consent of athletes to publish their stolen medical data, asserting behind the scenes to the effect that if consent isn’t given it will look like an athlete has something to hide and may therefore be guilty of doping."8
An athlete is within their rights to publish their blood test results if they wish, as the information is their personal data for the purposes of the DPA (indeed, if they do not have it to hand then they can make a Subject Access Request under section 7 of the DPA to obtain it, if it is held in this jurisdiction). It is, however, a difficult exercise for an athlete to decide whether to do so. The interpretation of blood data is a specialist task and, without this specialist knowledge and knowledge of the surrounding circumstances affecting the athlete at the time, the data alone is not proof of doping. Nonetheless, a number of athletes, including Mo Farah,9 decided to publish their blood test results to demonstrate their innocence, and we suspect we are likely to see more athletes doing so in the coming weeks and months.
International athletes must provide sensitive personal information to third parties to be able to compete, yet if this data falls into the wrong hands, their reputations may be damaged merely by maintaining their privacy. After all, publishing our blood test results is an act most of us would refuse to do. An organisation that holds sensitive personal data has both a moral and legal obligation to protect that data, but once that data has been lost, the protection of individuals' privacy is not necessarily the priority of the new data controller.
This may be especially true of news outlets; if they receive interesting leaked data they are likely to want to publish it in some form, both to inform the public and to generate profit. An athlete connected with the data may then be faced with the difficult decision as to whether to voluntarily disclose.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: Anti-Doping | Athletics | Data Protection Act 1998 | Databases | European Convention on Human Rights | European Directive 95_46_EC | European Union | Governance | Human Rights Act 1998 | Information Commissioners Office (ICO) | Intellectual Property | International Association of Athletics Federations (IAAF) | Regulation | World Anti-Doping Agency (WADA) | World Anti-Doping Code (WADC)
- Protecting athletes’ data: an examination of database rights in the UK and EU
- WADA confirms that leaked Athletics Database does not originate from its Anti-Doping Administration & Management System (ADAMS)
- WADA’s Independent Commission to launch investigation into doping allegations against international athletics
- WADA alarmed by widespread doping allegations against international athletics
Abby Brindley is a solicitor in Mishcon de Reya's Private department where she works on a wide range of commercial disputes for both companies and individuals. She has specialist knowledge and interest in the evolving area of data protection and regularly advises on rights and obligations under the Data Protection Act 1998, acting for both individuals and companies. She also provides training on data protection issues for the firm and its clients