Do WADA’s International Standards sufficiently protect athletes’ personal data?
Following the reports earlier this year regarding the acquisition of personal data belonging to athletes by unauthorised persons, including the Sunday Times (as discussed in our article of October 20151), many athletes are genuinely concerned with the protection of their private health information entrusted to the World Anti-Doping Agency, National Anti-Organizations and/or International Federations.
This high profile leak raises important questions over sufficiency of the safeguards in place to protect athletes’ personal information (such as blood samples) since athletes must provide such confidential information to comply with the strictures of the World Anti-Doping Code 2015 (the “Code”).
This article examines the safeguarding policy that is designed to ensure that such information is kept safe: the World Anti-Doping Agency International Standard for the Protection of Privacy and Personal Information,2 and looks at why significant leaks are still occurring.
The International Standard for the Protection of Privacy and Personal Information (the “Standard”)
The Standard is a mandatory framework that applies to all anti-doping organisations globally. An anti-doping organisation is defined as a signatory to the Code:3
"responsible for adopting rules for initiating, implementing or enforcing any part of the Doping Control process”.4
The first version of the Standard came into effect in June 2009 in recognition of the fact that anti-doping organisations are required to collect and process personal data belonging to athletes; a responsibility that should not be taken lightly. The Standard has recently been updated, and the latest version came into effect in January 2015.
Data protection and privacy legislation varies significantly between nations and, as such, the Standard sets out the rules with which an anti-doping organisation must comply to meet a minimum level of protection. This set of rules must be adhered to by all organisations worldwide.
Compliance with the Standard obliges anti-doping organisations to ensure that “appropriate, sufficient and effective privacy protections” are implemented,6 irrespective of the level of protection offered by national legislation.
The Standard Uncovered
What is personal data, and what personal data can an anti-doping organisation collect and process?
The Standard relates to the protection of data collected as a result of "anti-doping activities" carried out by the anti-doping organisations to identify any violations of anti-doping rules. These activities include conducting testing and carrying out investigations.
Much like our national data protection legislation (the Data Protection Act 1998), the Standard separates personal data into two categories:7
- Personal Information: including the athlete’s name, date of birth, contact details, sporting affiliations, anti-doping test results, and results management. The use of the general term 'personal information' includes 'sensitive personal information' (see below). Information collected about other individuals connected to the athletes, such as their doctor or physiotherapist, would also fall into this category; and
- Sensitive Personal Information: including personal data such as the racial or ethnic origin of the athlete, whether they have any convictions, and information about their health and genetic makeup (including information obtained from specimens or samples).
The Standard applies to anti-doping organisations that "process" personal data. The term “process” is broad and means the collection, use, storage, filing, analysis, storage etc. of data. However the Standard makes it clear that 'processing' should only be carried out in relation to personal data when required for anti-doping activities, or in order to engage effectively in the fight against doping. Processing must not be carried out by the organisation in breach of applicable privacy or data protection laws.8
It should also be noted that the Standard expressly forbids anti-doping organisations to collect unnecessary or irrelevant information from athletes or third-party individuals.9 This is worth considering - we have all become accustomed to providing so much personal data to third parties that people rarely question whether the third party actually needs the information they are requesting in order to carry out their service or function.
Get access to this article and all of the expert analysis and commentary at LawInSport
Already a member?
Articles, webinars, conference videos and podcast transcripts
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: Anti-Doping | Court of Arbitration for Sport (CAS) | Data Protection | Data Protection Act 1998 | European Data Protection Directive | Information Commissioners Office (ICO) | National DNA Database | Russia | United Kingdom (UK) | World Anti-Doping Agency (WADA) | World Anti-Doping Code (WADC)
- The IAAF blood test data leak - was publishing the data lawful?
- A recap of the WADA Independent Commission’s mandate for reporting on IAAF and ARAF
- WADA receives Independent Commission Report Part 2 concerning allegations of widespread doping in international athletics
- Should doping in sport be criminalised? A review of Germany's new Anti-Doping Act
Abby Brindley is a solicitor in Mishcon de Reya's Private department where she works on a wide range of commercial disputes for both companies and individuals. She has specialist knowledge and interest in the evolving area of data protection and regularly advises on rights and obligations under the Data Protection Act 1998, acting for both individuals and companies. She also provides training on data protection issues for the firm and its clients