Do WADA’s International Standards sufficiently protect athletes’ personal data?
Following the reports earlier this year regarding the acquisition of personal data belonging to athletes by unauthorised persons, including the Sunday Times (as discussed in our article of October 2015[1]), many athletes are genuinely concerned with the protection of their private health information entrusted to the World Anti-Doping Agency, National Anti-Doping Organisations and/or International Federations.
This high profile leak raises important questions over the sufficiency of the safeguards in place to protect athletes’ personal information (such as blood samples), since athletes must provide such confidential information to comply with the strictures of the World Anti-Doping Code 2015 (the “Code”).
This article examines the safeguarding policy that is designed to ensure that such information is kept safe, the World Anti-Doping Agency International Standard for the Protection of Privacy and Personal Information,[2] and looks at why significant leaks are still occurring.
The International Standard for the Protection of Privacy and Personal Information (the “Standard”)
The Standard is a mandatory framework that applies to all anti-doping organisations globally. An anti-doping organisation is defined as a signatory to the Code[3] that is:
“responsible for adopting rules for initiating, implementing or enforcing any part of the Doping Control process”.[4]
The first version of the Standard came into effect in June 2009 in recognition of the fact that anti-doping organisations are required to collect and process personal data belonging to athletes; a responsibility that should not be taken lightly. The Standard has recently been updated, and the latest version came into effect in January 2015.
Data protection and privacy legislation varies significantly between nations and, as such, the Standard sets out the rules with which an anti-doping organisation must comply to meet a minimum level of protection. This set of rules must be adhered to by all organisations worldwide.
Compliance with the Standard obliges anti-doping organisations to ensure that “appropriate, sufficient and effective privacy protections” are implemented,[6] irrespective of the level of protection offered by national legislation.
The Standard Uncovered
What is personal data, and what personal data can an anti-doping organisation collect and process?
The Standard relates to the protection of data collected as a result of "anti-doping activities" carried out by the anti-doping organisations to identify any violations of anti-doping rules. These activities include conducting testing and carrying out investigations.
Much like our national data protection legislation (the Data Protection Act 1998), the Standard separates personal data into two categories:[7]
- Personal Information: including the athlete’s name, date of birth, contact details, sporting affiliations, anti-doping test results, and results management. The use of the general term 'personal information' includes 'sensitive personal information' (see below). Information collected about other individuals connected to the athletes, such as their doctor or physiotherapist, would also fall into this category; and
- Sensitive Personal Information: including personal data such as the racial or ethnic origin of the athlete, whether they have any convictions, and information about their health and genetic makeup (including information obtained from specimens or samples).
The Standard applies to anti-doping organisations that "process" personal data. The term “process” is broad and means the collection, use, storage, filing, analysis, etc. of data. However, the Standard makes it clear that 'processing' should only be carried out in relation to personal data when required for anti-doping activities, or in order to engage effectively in the fight against doping. Processing must not be carried out by the organisation in breach of applicable privacy or data protection laws.[8]
It should also be noted that the Standard expressly forbids anti-doping organisations to collect unnecessary or irrelevant information from athletes or third-party individuals.[9] This is worth considering - we have all become accustomed to providing so much personal data to third parties that people rarely question whether the third party actually needs the information they are requesting in order to carry out their service or function.
When are anti-doping organisations permitted to collect and process personal data?
Anti-doping organisations cannot collect and process personal data with no basis for doing so. They must either have consent from the individual, or they must have a valid legal reason for processing the personal data.[10] If the anti-doping organisation needs to process sensitive personal data, it must obtain express written consent from the individual.[11]
The primary exceptions to this rule are that anti-doping organisations are permitted to process personal data without consent, or when consent is withdrawn, if the personal data is required by the anti-doping organisation:[12]
- to commence or pursue anti-doping investigations involving the individual;
- to conduct or participate in proceedings regarding anti-doping rule violations involving the individual; or
- to establish, exercise or defend in legal proceedings.
The Standard is clear that the anti-doping organisation must inform athletes that their personal data can be used in this way “regardless of any refusal to grant or subsequent withdrawal of consent”.[13]
The commentary provided in the Standard asserts that this is a necessary exception as, without it, a scenario could arise where such a refusal or withdrawal of consent could circumvent or evade anti-doping processes, including the detection of violations.
However, this provision seems contradictory; if a person is required to give consent before their personal data is processed, they should be able to withdraw their consent to prevent any further processing taking place. If the withdrawal of consent could have no effect, requesting consent, and contemplating withdrawal of consent both seem inappropriate and even misleading.
Indeed, the ICO's (Information Commissioner's Office, the UK's independent regulator of information rights) response to the suggestion that consent should be required before collecting DNA samples from individuals potentially exposed to the National DNA Database, for elimination purposes, concluded that:
"By asking for consent where it is not necessary, individuals may be misled into believing that they could withdraw their consent at any time when in fact they cannot."[14]
The ICO concludes that asking for consent in such circumstances is inappropriate – instead, anti-doping organisations and national agencies should rely on some other exception, such as legitimate interests, to collect the data.
What information should be provided to individuals by the anti-doping organisations?
Paragraph 7 of the Standard sets out the information that an anti-doping organisation is required to provide to individuals before or at the time the data is collected. The information that must be provided is considerable; when an anti-doping organisation collects information from an individual, it must inform them of the following:[15]
- The identity of the anti-doping organisation collecting the personal data;
- The types of personal data that may be processed and the purpose for which the data may be used;
- The length of time that the personal data will be retained by the anti-doping organisation;
- Who the personal data may be shared with;
- The possibility and circumstances in which the personal data may be publicly disclosed;
- The individual's rights under the Standard; and
- Any other information necessary to ensure that the processing of the personal data is fair.
What measures are anti-doping organisations required to take to keep personal data secure?
In addition to compliance with local laws, anti-doping organisations are required under the Standard to apply:
“all necessary security safeguards, including physical, organizational, technical, environmental and other measures, to prevent the loss, theft, or unauthorised access, destruction, use, modification or disclosure (including disclosures made via electronic networks) of Personal Information”.[16]
Security of personal data is not taken lightly by the Standard, and anti-doping organisations are required to apply a higher level of security to ensure the protection of sensitive personal data. This additional safeguard reflects the greater risk to the individual if such information were to be unlawfully disclosed.[17]
The implementation and maintenance of security is an on-going responsibility. The anti-doping organisation is required to ensure that any third party agent or service provider gives sufficient guarantees as to the security of any data disclosed to them under any contract.[18]
In the event of a breach, the anti-doping organisation is required to inform the affected individuals of the breach as soon as reasonably possible. It must also inform the individuals of the nature of the breach, the potential negative consequences and any remedial action taken by the anti-doping organisation.[19]
A well-advised anti-doping organisation should seek immediate specialist legal advice in the event of a breach. A combined approach involving specialist technical and surveillance advice, injunction orders from the courts and nuanced reputation management will be necessary to secure the breach and manage the fallout.
Are anti-doping organisations allowed to share personal data with others?
Anti-doping organisations are not permitted to share personal data with any other anti-doping organisation, unless:
- the disclosure is necessary, legal and appropriate in all the circumstances, and
- the organisation is satisfied that the recipient of the data will comply with the minimum requirements for security and confidentiality set out in the Standard.
If the organisation is not satisfied, it must withhold the personal data and inform the recipient organisation and WADA of its concerns as soon as possible.[20]
Anti-doping organisations are only permitted to disclose personal data to third parties in the following circumstances:
- Where it is required by law, regulation or compulsory legal process;
- Where the anti-doping organisation has received the informed, express and written consent from the individual to whom the personal data relates; or
- Where the disclosure is necessary to assist in law enforcement, or assist governmental or other authorities in the detection, investigation, or prosecution of a criminal offence or breach of the Code.[21]
It should be noted that the third circumstance (c) above is not a catch-all clause. Disclosure should only occur where the personal information requested by the authority is “reasonably relevant” to the offence in question, and then only where the authority cannot obtain the information by other reasonable means.[22] However, anti-doping organisations must comply with national laws and regulations in this regard[23] (as in all others).
Are anti-doping organisations allowed to keep personal data?
Anti-doping organisations are only permitted to retain personal data for a limited period, and the retention of sensitive personal data requires "stronger or more compelling reasons and justifications" to keep it.[24]
Additionally, anti-doping organisations can only keep personal data where it remains relevant to fulfill their obligations as an anti-doping organisation, or where it is required by law.
A schedule of the relevant retention periods for different types of data is appended to the Standard (Annex A). After the retention period has passed, or in circumstances where the data in question is no longer relevant for the anti-doping organisation's purposes, it must be deleted, destroyed or permanently anonymised.[25]
Can an individual find out what personal data is held about them by an anti-doping organisation?
The Standard requires the organisation processing personal data to provide information to the individuals to whom the personal data relates. These provisions mirror certain elements of the UK Data Protection Act 1998 and the European Data Protection Directive,[26] and set out the rights of an individual that must be complied with by all anti-doping organisations globally.[27] If an individual requests it, the anti-doping organisation must inform the individual whether it holds personal data about them, provide them with the information described at 3 above, and provide copies of the personal data in an intelligible format.[28] For example, where the personal data is a set of numerical figures, the anti-doping organisation must explain what those figures mean.
The Standard also expects the organisation to provide this information to the individual “no later than 6 to 8 weeks” from receipt of the request.[29] It should be noted, however, that where the national law requires a response in a shorter period of time, such as in the UK where a response should be provided within 40 days, the organisation must respond within the period stipulated in national legislation.
In exceptional circumstances, where, for example, provision of the personal data would prejudice an investigation, or where it would be disproportionately expensive to comply with the provisions of the Standard, the organisation is permitted to withhold the data.[30] However, if the anti-doping organisation decides not to provide the information to an individual who requests it, the organisation must write to the individual and explain the reasons for which their personal data has not been disclosed to them.[31]
What if there is a problem?
Anti-doping organisations are required to have a fair and impartial complaints procedure in place. If an individual has concerns about the organisation's practices, procedures or decisions, a complaint should be made to the organisation.[32] If the organisation is unwilling or unable to resolve the complaint in a satisfactory manner, the complaint should then be escalated to WADA or the Court of Arbitration for Sport. Where the organisation in question appears to be in breach of legislation, a complaint or notification can also be made to the relevant local or national regulatory or government body.[33]
The Standard should give individuals the peace of mind that anti-doping organisations are required to adhere to a minimum set of obligations regarding the protection of personal data, whilst allowing anti-doping organisations to enforce anti-doping rules.
The Standard also imposes these standards on countries where basic principles of data protection are not met by national legislation. Any personal data put into the hands of an anti-doping organisation should be secure, correct and accessible to the individuals concerned.
The protection and security of personal data is challenging and changes every day. Although the Standard cannot provide individuals with a watertight solution, it does provide athletes with some comfort that, wherever they may be required to compete, their personal data should be in the hands of an organisation that is aware of the importance of protecting the personal data it holds.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
Abby Brindley is a solicitor in Mishcon de Reya's Private department where she works on a wide range of commercial disputes for both companies and individuals. She has specialist knowledge and interest in the evolving area of data protection and regularly advises on rights and obligations under the Data Protection Act 1998, acting for both individuals and companies. She also provides training on data protection issues for the firm and its clients.