Collecting the personal information of participants registering to join a club, competition or event has become standard practice across sport.
But that practice could get you into hot water if you don’t comply with the Commonwealth Privacy Act 1988 (Act), which governs the way you must handle the information you collect and how you must report any privacy breaches.
Lawyer and Principal of Lex Sportiva, Ian Fullagar, says four of the biggest red flags for sport are:
“In the focus on member protection policies as they apply to safeguarding children, sports may have lost some of the focus on the need to have robust constitutional documents and the broader, central tenets around privacy and protecting members’ information,” Ian said.
He said compliance with the Act could be improved by sports taking a few simple steps.
The Act generally applies to organisations that have an annual turnover of $3 million or more.
Even if you have a turnover of less than $3 million, the Act may still apply to you if:
A health service under the Act includes any activity that involves:
If any of this applies to your organisation, you should take steps to comply with the Australian Privacy Principles under the Act, which outline how you should handle, use and manage personal information. See the Office of the Australian Information Commissioner’s (OAIC) quick reference guide to the principles.
The Act distinguishes between ‘personal’ information and ‘sensitive’ information. There is a higher protection level required for ‘sensitive’ information.
Importantly, sports organisations should be aware that information collected or shared verbally, as well as information recorded or captured digitally, may also be considered personal information.
The Act considers ‘personal’ information as:
… information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
Common examples are a person’s name, address, telephone number, date of birth and any commentary or opinion about that participant or member. One person’s information may also be the personal information of another individual, such as a parent who is filling in a form for a child.
The Act’s definition of ‘sensitive’ information includes, but is not limited to, information or an opinion about:
The Act requires that reasonable steps are taken to protect the personal information you hold from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
You must also take reasonable steps to destroy or de-identify personal information once it is no longer needed.
When considering the security of personal information, you should also be aware of other obligations under the Act, including how and when you can use and disclose someone’s personal information to an overseas organisation, for example, an international competition organising body.
The OAIC has produced a guide to securing personal information.
If you have personal information security obligations under the Act, you are now required to notify affected individuals and the OAIC if an ‘eligible data breach’ occurs.
A data breach is an unauthorised access or disclosure of personal information or loss of personal information. A data breach may be considered ‘eligible’ for reporting if it is likely to result in serious harm to the people concerned.
Examples of data breaches include:
Sports organisations should have robust systems and procedures in place to identify and respond effectively to data breaches. Failure to comply may result in a public and costly reprimand.
The OAIC has produced a guide to data breach preparation and response.
Sports organisations should carefully consider the information they collect, access, use and disclose in the course of providing services to participants and members.