November 2018

Privacy issues

Collecting the personal information of participants registering to join a club, competition or event has become standard practice across sport.

But that practice could get you into hot water if you don’t comply with the Commonwealth Privacy Act 1988 (Act), which governs the way you must handle the information you collect and report any privacy breaches.

Lawyer and Principal of Lex Sportiva, Ian Fullagar, says four of the biggest red flags for sport are:

  1. assuming that the Act doesn’t apply to your organisation; 
  2. assuming that the Act’s provisions around personal information apply only to written information;
  3. not recognising the distinction between ‘personal’ information and ‘sensitive’ information and the level of protection required for each;
  4. not realising that since February 2018, you are now compelled to report any serious data breach to the Australian Information Commissioner (AIC) and affected individuals. 

“In the focus on member protection policies as they apply to safeguarding children, sports may have lost some of the focus on the need to have robust constitutional documents and the broader, central tenets around privacy and protecting members’ information,” Ian said.

“I have seen different approaches at local, state and national level to collecting, storing and sharing information across different databases. I’ve also seen examples in sport where clubs and affiliates ‘tailor’ a national privacy policy.

“In an ideal model, one database and one privacy policy should cover a single sport and affiliates should all link to the same place.”

He said compliance with the Act could be improved by sports taking a few simple steps.

Step 1: Assess whether the Act applies

The Act generally applies to organisations that have an annual turnover of $3 million or more. 

Even if you have a turnover of less than $3 million, the Act may still apply to you if:

  • your organisation falls under the umbrella of a larger state or national sporting organisation that has a turnover of more than $3 million; or
  • you collect and hold health information about a participant or member, such as whether they have an injury, illness or require medication; or
  • you provide a “health service” (as defined), even if you do not consider that your primary activity.

A health service under the Act includes any activity that involves:

  • assessing, maintaining, or improving a person’s physical or psychological health
  • diagnosing or treating a person’s illness, disability or injury
  • recording a person’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the person’s health
  • dispensing a prescription drug or medicinal preparation by a pharmacist
  • where a person’s health cannot be maintained or improved – managing the person’s physical or psychological health.

If any of this applies to your organisation, you should take steps to comply with the Australian Privacy Principles under the Act, which outline how you should handle, use and manage personal information. See the Office of the Australian Information Commissioner’s (OAIC) quick reference guide to the principles.

Step 2: Make sure you understand the type of information you collect

The Act distinguishes between ‘personal’ information and ‘sensitive’ information. There is a higher protection level required for ‘sensitive’ information.

Importantly, sports organisations should be aware that information collected or shared verbally, or recorded or captured digitally, may also be considered personal information; the Act is not limited to written information.

Personal information

The Act considers ‘personal’ information as:

… information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

Common examples are a person’s name, address, telephone number, date of birth and any commentary or opinion about that participant or member. One person’s information may also be the personal information of another individual, such as a parent who is filling in a form for a child. 

Sensitive information

The Act’s definition of ‘sensitive’ information includes, but is not limited to, information or an opinion about:

  • racial or ethnic origin
  • religious beliefs or affiliations
  • sexual orientation or practices
  • health information
  • genetic information that is not otherwise health information
  • criminal record
  • biometric templates

Step 3: Protect information

The Act requires that reasonable steps are taken to protect the personal information held from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

You must also take reasonable steps to destroy or de-identify personal information once it is no longer needed.

When considering the security of personal information, you should also be aware of other obligations under the Act, including how and when you can use and disclose someone’s personal information to an overseas organisation, for example, an international competition organising body.

The OAIC has produced a guide to securing personal information.

Step 4: Report applicable information breaches

If you have personal information security obligations under the Act, you are now required to notify affected individuals and the AIC if an ‘eligible data breach’ occurs.

A data breach is unauthorised access to, or disclosure of, personal information, or the loss of personal information. A data breach may be considered ‘eligible’ for reporting if it is likely to result in serious harm to the people concerned.

Examples of data breaches include:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
  • unauthorised employee access to personal information
  • inadvertent disclosure of personal information due to ‘human error’ such as an email to the wrong person.

Sports organisations should have robust systems and procedures in place to identify and respond effectively to data breaches. Failure to comply may result in a public and costly reprimand.

The OAIC has produced a guide to data breach preparation and response.

Sports organisations should carefully consider the information they collect, access, use and disclose in the course of providing services to participants and members.