In the UK, 850 footballers have threatened legal proceedings against 17 big firms in betting, entertainment and sports data collection organisations for the alleged misuse of the players’ personal data over the last 6 years, which could have wide-ranging implications. But how were those players able to find out exactly what personal data those big firms held on them in order to make their legal claims and claim compensation?
Naturally, companies collecting and processing sports-related data do so through systems that comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The corollary of those processes is that an individual has a fundamental right to know what data a company, team, sports body or organisation holds about them. They can obtain this from any UK organisation—no matter how large or small—by making a cheap and very easy data subject access request (DSAR).
Failure to deal with DSARs promptly and efficiently may lead to serious reputational damage, as well as incurring considerable time and costs on dealing with an investigation by the Information Commissioner’s Office (ICO) if a complaint is filed.
The ICO has wide-ranging powers to issue an organisation warnings, reprimands, compliance orders, and large fines for breach of GDPR. In addition, the ICO can issue an enforcement notice requiring the organisation to take certain action in the event of a breach of the law, as failure to comply or ignoring DSARs is a criminal offence. One high profile example of such prosecution was the ICO’s prosecution of SCL Elections, or Cambridge Analytica.
Sports data collectors and processors must have sufficiently robust systems and processes in place not only to collect sports data, but to deal with DSARs. For example, imagine that you have thousands of tech users or run a large marketing fan base: if you were the victim of a data hack and your users wanted to know what of their personal data may have been stolen, or you athletes wanted to know what medical/biometric/sensitive health data you or their coaches hold about them, would you be able to do so without much fuss and expense?
A DSAR can be submitted by anyone for whom you hold personal data at any time. There is no prescribed written form of DSAR and an individual can, among other things, request to be provided with their personal information, as well as details of why and on what basis you are processing their data. Additionally, the request for data might not explicitly state that it is a DSAR. So it is probably wise to treat any request for personal data from an individual to your organisation as a DSAR.
On receipt of a DSAR:
- You should verify the person’s identity by asking for photographic and home address documentation. You should also clarify the contents of the DSAR if any part of it is unclear.
- Whilst there are limited circumstances in which the period to respond to a DSAR can be longer, DSARs must be dealt with and generally answered within one month of their receipt. Generally, you cannot charge to reply to a DSAR.
- Identify, search and collate the requested personal data.
- You do not need to provide every document that your organisation holds that refers to a subject, only information prescribed by the legislation. Essentially, this would be any personal data you have from which the individual can be identified. This personal data can be extracted from documents and shared or copies of actual documents can be provided. It is permissible and appropriate to redact copied documents where they contain other people’s personal data or confidential information about your organisation if it is not a subject’s personal data.
- Whatever ulterior motives an individual or class of individuals may have for requesting the personal data that you hold on them—even if it might be for tactical gain or pre-action disclosure—you absolutely must comply and disclose this data to them. In practice, the exceptions to disclosure are very limited and it is very difficult to challenge a DSAR even when you can identify an ancillary purpose to it, unless it is obviously very excessive.
- Finally, you should carefully review the data before sending it out to the subject, ensuring it only holds their data. It would be unfortunate to fall at the final hurdle and be in breach of GDPR by disclosing the personal data of a third party to the sender of a DSAR.
Responding to a DSAR or multiple ones (say from a class of disgruntled athletes of a professional sports body) might be problematic for businesses in the sports sector for a number of reasons. First, personal data may be held in different repositories or on different platforms. Such businesses must ask: Do I have a data map plotting who in my sports organisation holds personal data and what it comprises, so I can easily collate it upon receiving a DSAR? Do I have a clear policy for dealing with DSARs? Who leads and oversees that policy? Do I have a Data Protection Officer? If not, should I appoint one?
GDPR makes it a duty for organisations to appoint a Data Protection Officer (DPO) if they are a public authority or body, or if they carry out certain types of processing activities. Those processing activities are when:
- Core activities consist of processing activities, which, by virtue of their nature, scope and/or their purposes, require the regular and systematic monitoring of individuals on a large scale; or
- Core activities consist of processing on a large scale of special category data, or data relating to criminal convictions and offences.
Although these are the categories that obligate hiring a DPO, in my experience, if you are receiving many DSARs a month, it would be prudent for you to appoint an internal or external DPO as well. Preparation is the key to dealing with the collection and use of sports data and dealing with DSARs, and having a DPO is one of the best ways to ensure you are staying compliant and safely managing your data.
As the threatened action of these 850 footballers has shown, it’s crucial for any organisation holding sports data to review its personal data collection, processing and answering DSARs regimes. Those who do not pay heed and properly prepare run the risk of facing dire consequences.