Why sports teams should avoid relying on consent to comply with GDPR
Published 15 August 2018 By: Katie Russell
In the run-up to 25 May 2018, or "GDPR day", many organisations made huge changes to the way they process “personal data”. However, due to blind spots in guidance available (both form the Information Commissioners Office (ICO) and other sources), there remains uncertainty around what organisations must do to comply with the General Data Protection Regulation1 (GDPR).
By way of initial background, “personal data” means “any information relating to an identified or identifiable natural person”2. "Special category" data (previously called "sensitive personal data"), which attracts heightened protection under GDPR, includes: data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life, sexual orientation or trade union membership3. Data concerning an individual’s health will also be classed as special category. Sports clubs are in a unique position in an employment context as they are likely to regularly process health information relating to their players, including medical histories, medication, allergies, injuries and potentially medical information which may or may not be not be specific to the sport itself. Great care is therefore needed to keep the information safe.
One major area where sports clubs and organisations could face particular difficulties is where they have relied on consent as a basis for processing data under GDPR, as it may not be the easy fix they thought it was. Accordingly, this article examines why it is essential that organisations identify a legal basis for processing personal data and avoid the trap of falling into reliance on consent. Specifically, it looks at:
The new obligations on employers when processing employees’ personal data
What the "big problem" is with relying on consent
What employers should be doing now
Consequences of non-compliance
Practical guidance going forward
The new obligations on employers when processing employees personal data
Many professional sports people play for and are paid by their clubs. Most are likely to be employees of their clubs, in the same way as permanent coaches, administrators and management teams.
GDPR now sets a much higher threshold in order for consent to be valid in that where consent is obtained it must be freely given and can be withdrawn at any time. Given the nature of the employment relationship, and the likely imbalance of power between employer and employee, the ICO has stated that consent in an employment context will not normally be freely given and therefore will not be valid.5 That is not to say that there are no situations where consent may be freely given and therefore be valid, but employers must be confident that this is the case. The ICO has published guidance available here which offers some examples of such situations.6
Instead, in order to ensure compliance with GDPR, employers tend to rely on other available legal bases for processing employee data such as the fulfilment of the employment contract (for example, they will process employees’ bank details to pay them) or their own legitimate interests. Employers need to process personal data to manage the employment relationship, deal with performance and disciplinary issues, and maintain a safe working environment. In all likelihood, employers’ practices will not change, albeit systems should be reviewed to ensure that employee personal data is only being used for the proper purposes, and that access to information is restricted in accordance with those purposes.
However, the picture is murkier when we consider data classed as falling within a "special category", not least because employers are not permitted to rely on their own legitimate interests as a legal basis for processing special category data.7 The reason behind this is that when processing "special categories" of personal data, the GDPR allows far narrower bases for doing so because of the nature of the information and the greater risk of damage caused by any breach.
Consent – what’s the big problem?
Prior to 25 May, it was easy to fall into the trap of thinking consent was a quick fix to comply with GDPR. A large number of "GPDR advisors" emerged from the woodwork professing to be experts in data-protection law and, in the author’s experience, taking the (incorrect) view that consent would be sufficient. This was accompanied by a huge volume of guidance which was unclear or misleading. The result - organisations were festooned with questionable GDPR advice.
In a panic to have something in place, many organisations, particularly smaller clubs with fewer resources, may have defaulted to taking a consent-based approach.
However, where an organisation needs to use data (and in reality would do so even if consent wasn’t given or was withdrawn) then it is likely to be inappropriate and logistically problematic to seek to rely on employees’ consent.
There are three main reasons why this approach should normally be avoided:
ICO guidance states that consent is not likely to be valid where there is an imbalance of power. The ICO also explains that it is not appropriate to seek consent for processing if the reality is that should consent be withheld or withdrawn, the employer would then continue with processing relying on another legal basis as a “back-up”. The consent that you think you have may not really exist;
Consent can be withdrawn at any time so you are left on shaky ground if consent is withdrawn or withheld but you still need to process data; and
You are not allowed to subject someone to a detriment because they do not consent to processing. Where an individual is subjected to a detriment as a result of withholding or withdrawing consent, this in itself demonstrates that the consent could not have been freely given and is therefore not valid.
Employers must have certain types of information, particularly special categories of data, in order to fulfil their role. Holding and processing this information is required to, for example, ensure fitness to play or compete, to uphold the rules of the relevant sport and to comply with anti-doping rules or guidance.
Taking this to a heightened level, imagine a situation where the processing of Lance Armstrong’s personal data relied on his consent. Armstrong may well have undergone a number of drugs tests, but he would have had a legal ground to refuse or withdraw his consent at any time which would prevent this information from being processed. The organisation processing this data would then be in an absurd position where they knew he was a drugs cheat but may be in breach of data privacy rules if it is disclosed. The Data Protection Act 2018 (DPA) sets out the UK’s derogations and exceptions from GDPR and contains special rules permitting the processing of data for anti-doping purposes. However, these rules will only help if you have told individuals that you will be relying on that basis for processing data (if you have told individuals you will only process with their consent, then you may find that they are quick to withdraw that consent if the processing is likely to catch them out for using a banned substance). Provided that the legal basis for processing and storing information is communicated to individuals in a tailored privacy notice, organisations can avoid such situations.
What to do now?
If consent is withdrawn, you cannot easily substitute another legal basis in its place – as organisations should have been clear from the outset about their basis for processing. If you have picked consent then you may find yourself at the mercy of the person giving that consent. If new legal bases for processing personal data are selected to replace consent, it is possible that this could result in a complaint being made to the ICO which could well be upheld.
For organisations which haven’t changed the way they process personal data, it would be worth engaging proactively with GDPR and structuring their privacy policies around their needs and requirements.
There are three legal bases, contained in the DPA, that organisations must be alive to which will enable them to process special categories of personal data in a sporting context:
where the individual is an employee, in order to calculate sick pay or properly manage sickness absence or other occupational health issues relating to the employment;
for the purposes of taking measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally; or
where necessary for the purposes of taking measures designed to protect the integrity of a sport or a sporting event.
Each of the above legal bases for processing set out in statute represent exemptions to the normal processing rules. On its face, this may appear to be straightforward: if a player is accused of doping or not adhering to the rules of the sport, then it is likely to be justifiable to gather medical information relevant to that doping accusation, or to otherwise gather personal data relevant to an alleged rule breach. It is also likely to be justifiable to transfer this personal data to the sport’s governing body or adjudication panel, provided that the possibility of such a transfer is set out clearly in a Privacy Notice provided to the individual (and provided that the governing body/panel’s use of such data is subject to appropriate safeguarding measures).
Other issues to consider
Not all of the medical data which clubs gather will necessarily be covered by the above legal bases. This will depend on the purpose(s) it will be used for. For example, a professional may be seen by the team doctor for a consultation and may disclose information relevant to the well-being of the wider team (for example a contagious infection).
In professional sport context, there may be strong personal or commercial reasons why an individual may not wish certain health information to be shared with the club (for example details of a hidden injury that may affect their future prospects or commercial value). Complex issues of privacy and confidentiality and duty of care issues come into play as between a player, their club and the team doctor. Clubs should be open at the outset about the role the doctor plays in treating or advising the individual, and if it is intended that their personal medical data will be shared (for example where necessary for the wellbeing of the team). Medical staff will of course be bound by their own professional obligations. Although it can be challenging to capture these complexities clubs/organisations should try to tailor their Privacy Notices to cover all expected circumstances. GDPR is very clear about what information should be included in a privacy notice8 but these should be drafted on a case-by-case basis.
Another point to remember is that where a medical practitioner has responsibility for ongoing treatment and care, rather than treating the employee for a specific injury or one-off issue, the Access to Medical Records Act 1988 will require individual consent to release any medical records to the employer. Therefore, a lot rides on the scope of the relationship.
Only where the information is directly relevant to the protection of the integrity of the sport, to ensure anti-doping, or where necessary for the management of employee health in the employment context, will clubs have a legal basis for processing "special category" data, unless one of the other specific exceptions contained in GDPR applies such as for the defence of legal claims.
Consequences of non-compliance
GDPR introduced harsh penalties for non-compliance. Fines are capped at the greater of €10m or 2% of an organisation’s global turnover for minor breaches; and the greater of €20m or 4% of global turnover for more serious breaches.
Affected individuals can claim compensation where they have suffered damages. For example, if an individual suffers significant reputational damage as a result of a data breach, this could undermine a lucrative sponsorship deal. Many athletes rely on an unblemished image, brand and reputation in order to achieve high value deals. Large players in this industry will therefore likely insist on tightly worded "get-out" clauses in the event that their athletes’ reputations are ever tarnished. In circumstances like these, should damage occur by way of a personal data breach, the perpetrator would likely face a substantial damages claim.
Many sporting organisations are also heavily reliant on public funding. Organisations are often required to show compliance with regulations (including data protection law) to secure funding. Therefore, it is important that data privacy is taken seriously, and that systems and policies are tailored to the organisation.
Clubs should be taking steps to ensure data processing is compliant with GDPR. If a consent-based approach has been adopted, this should be reviewed and advice taken on changing this at the earliest opportunity. The fundamental principles of GDPR, outlined above, should be at the forefront of how clubs handle any data they store and process.
Employment contracts should also be reviewed and updated to take account of the new legislation. Insofar as possible, employers should remove any reference to employee consent from all employment contracts. As noted above, the ICO have explained that they do not consider it appropriate to seek consent from employees in order to process data if the reality is that processing would continue if consent was withheld or withdrawn. Including consent in employment contracts does not act as a "belt and braces" approach as it did under the Data Protection Act 1998. Instead, it creates confusion over the legal basis for processing, and suggests that the primary basis is consent. Another legal basis can only be relied upon if it has been properly communicated in accordance with GDPR. As such, by trying to rely on consent while also having a back-up, the employer could find that they are instead limiting themselves to consent as the basis for processing when in fact there are more appropriate basis that should have been relied upon and communicated to the employee. The Article 29 Working Party specifically stated that “the two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred”.9 The Working Party further notes that “the "tying" of the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable”.10 Employers should therefore choose which legal basis they are relying on in order to process personal data and stick to this.
Where clubs are concerned about the data they process and how they do so, it is important they seek independent legal advice. This will help ensure that their own systems and practices are fully compliant, and that appropriate safeguarding measures are taken.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: Data Protection | Data Protection Act 2018 | Employment | European Union | General Data Protection Regulation (GDPR) | Governance and Regulation | Information Commissioners Office (ICO) | United Kingdom (UK)
- Key information on the General Data Protection Regulation for the sports industry
- Top 10 tips for safeguarding children and vulnerable adults in sports
- New survey launched: How is the sports sector coping post GDPR?
- How the GDPR could impact the handling of sports disputes
Katie Russell is an Employment Partner in the Business of Sport Group at law firm Shepherd and Wedderburn LLP. Katie uses her experience of employment law combined with her knowledge of sports law to provide highly specialised advice to sports organisations and their teams to help address the specific challenges they face.