Wearable technologies and the Australian privacy principles

Whilst somewhat in its infancy, over the past decade wearable technology in professional sport has grown to become a large global industry. As the technology has developed at a rapid pace, so too have the challenges for stakeholders with an interest in performance data, including athletes, sporting clubs, governing bodies, broadcasters, sponsors and agents.

In this article, we explore the initial considerations which entities that collect or use performance data should have in respect of Australia’s federal privacy legislation.

Wearable technologies are able to capture, process and share large amounts of personal, and potentially sensitive, data about athletes. Whilst performance data, including an athlete’s distance covered, acceleration, heart rate and sleep patterns, have greatly improved performance analysis, injury prevention and spectator experience, this data has been shown to be quite lucrative for those companies who seek to commercially exploit it.

Australian Privacy Principles

There are a number of legal issues which those stakeholders with an interest in such data need to consider. Whilst this post cannot consider all legal issues in detail, any entity that collects, stores, processes or uses personal information[1] in connection with wearable technologies should be across the requirements of the Privacy Act 1988 (Cth) (Privacy Act)[2] and the Australian Privacy Principles (APPs), which outline how all “APP Entities” must handle, use and manage personal information.

All parties that collect, use or disclose performance data should ensure they understand their rights and obligations under the Privacy Act and APPs,[3] including:

1. Certain performance data may be classified as “health information” under the Privacy Act. Health information, as a subset of sensitive information under the Privacy Act, includes information or an opinion about the health of an individual, including an athlete’s illness, disability or injury. Entities which collect, use or disclose health information should ensure they are familiar with the additional obligations that apply under the APPs in respect of the collection, use and disclosure of health information. In addition to the obligations under the Privacy Act in respect of health information and sensitive information, entities that collect and hold such information should be aware of the various State-based privacy laws in respect of health information.
2. When collecting health information about an athlete, the collecting entity must ensure that the athlete consents to the collection of the information and the information is reasonably necessary for, or directly related to, one or more of the organisation’s functions or activities. Clubs should take care to ensure that appropriate consent wording is incorporated into their player contracts prior to the personal information being collected.
3. An athlete is entitled to request access to their personal information which is held by an APP Entity, and is entitled to require the collecting APP Entity to correct any inaccurate, misleading, out-of-date, incomplete or irrelevant personal information held about them.
4. Personal information about an athlete must only be collected directly from an athlete, unless the athlete consents to the collection of personal information from a third party, or another exception under APP 3.6 applies. Clubs, governing bodies and other collecting entities should ensure that relevant consents are obtained before collecting an athlete’s personal information from a third party.
5. An organisation that holds personal information about an athlete that was collected for a primary purpose must not use or disclose such personal information for a secondary purpose without the consent of the athlete, unless an exception under APP 6.2 applies. Where an entity holding personal information no longer needs such personal information for any lawful purpose, the holding entity must take reasonable steps to destroy the information or ensure that it is de-identified. Any entity collecting or holding any personal information should ensure its Privacy Policy clearly identifies the primary purposes for which performance data is collected and the associated uses and disclosures of such performance data.
6. Those entities that hold personal information must take such steps as are reasonable in the circumstances to protect such information from:
   
   (a) misuse, interference and loss; and
   
   (b) unauthorised access, modification or disclosure.
7. Entities holding personal information should also be familiar with the requirements to notify affected athletes, and the Office of the Australian Information Commissioner, in the event of an “eligible data breach”. That is, a data breach which is “likely to result in serious harm” to the affected individual. Short time limits kick in from the date an eligible data breach is suspected and it is recommended that legal advice is urgently obtained if any entity holding personal information suspects an eligible data breach.
8. Clubs and sporting bodies that transfer personal information outside Australia without the athlete’s express informed consent must take all steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (other than APP 1), unless an exception under APP 8.2 applies, and the disclosing entity may remain accountable for any acts and practices of the overseas recipient which breach the APPs.

As the wearable technology market continues to grow, further legal challenges and issues are likely to arise. Stakeholders with an interest in such technologies and performance data should ensure they understand the relevant legal issues and data privacy considerations brought by continuing technological developments in the sports sector.

Footnotes

[1] It is important to note that “personal information” is defined broadly under the Privacy Act, as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

[2] Whilst many States and Territories have also enacted their own legislation in respect of personal information, such legislation has not been considered in the preparation of this blog post.

[3] This is not an exhaustive list of the relevant considerations under the Australian Privacy Principles.