
GDPR in sport: trying wearables on for size

Posted: 04/05/2020

Whether you’re an elite athlete or putting on running shoes for the first time, many of us are turning to wearable technology to achieve our sporting and exercise goals. From Fitbits to Garmin to the more advanced Kinexon and Catapult technologies, there is a wearable that fits us all.

At the elite level, electronic performance and tracking devices worn during training and games incorporate technologies such as GPS, magnetometers, gyroscopes and accelerometers. Some systems can measure more than 1,000 data points per second, recording heart rate, distance covered, speed, power, body temperature and other key performance stats, such as a cricketer’s backlift and bat speed. Not only are these connected devices monitoring performance, they are also assessing tactics, examining the opposition and providing crucial feedback for training, injury prevention and rehabilitation. Combining data from training sessions and games with nutrition and sleep data enables coaches to analyse every 24 hour cycle of an athlete’s life. Such a wealth of information can improve efficiency, accuracy and profitability in sports and as such, data is a valuable asset to any club, coach, athlete or team.

At the other end of the spectrum, wearable technology has made fitness data increasingly accessible for the everyday athlete. Feedback on distance and speed is ideal for the aspirational runner to understand gains in fitness. It can also improve motivation by creating graphs and stats to share with the online sports community in return for ‘kudos’ and positive comments.

But who does all this collected data and analysis belong to? And how does it sit with data protection law, the Europe-wide General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018?

Basis for processing data

The European Convention on Human Rights provides us with the right to enjoy a reasonable expectation of privacy. To that end, the GDPR protects our personal data, and how it is used. While the monitoring of an amateur runner’s heart rate as they slog their way up a hill on a run-commute or weekend jog may seem relatively innocuous, the GDPR puts in place safeguards to ensure that, when a company collects personal data from an individual, it is handled fairly, lawfully and securely.

Fundamentally, a company must have a valid lawful basis for collecting or using that data (ie processing). There are six lawful bases set out in the GDPR, and these include: consent from the individual; that the processing is necessary for a contract with the individual; and that the processing is necessary to fulfil a legal obligation. In addition, the company processing the personal data must have provided information to the individual concerned about how and why they are processing their information. In the wrong hands, the personal data collected by a wearable device could allow an unsettling insight into the user’s health, habits, location and activities. In addition, personal data collected through tracking systems and wearable devices may include information concerning an individual’s health which, under the GDPR, is categorised as special category personal data. Such data has a higher level of legal protection, and requires one of the special conditions of processing set out in the GDPR to be met before processing can take place, such as that the data subject has given their explicit consent.

Processing of data for an everyday athlete

Where a pavement plodder is choosing what data to collect about their run and upload through a training app, the legal basis for processing any special category data is likely to be explicit consent. Other personal information, such as GPS location or contact details, are often justified on the grounds of contract or legitimate interest. The bases for processing all personal data will need to be set out in the company’s privacy policy or the app’s terms and conditions, accessible to the individual at the time the data is collected.

For consent to be valid under the GDPR it must be freely given, specific to the use it is collected for, and be clear and unambiguous. In addition, where explicit consent is required (ie for special category data), it must be provided separately in a clear and specific statement, and cannot be inferred from the individual’s conduct. In any case, the GDPR places the onus on the controller of the data to demonstrate that consent was validly given.

However, what happens when an athlete or player climbs the ranks from a recreational to a professional level? Do they still get a say in the collection and processing of their personal data or, like their diet and training plan, is it analysed and controlled by a team of sports scientists?  

Processing of data for an elite athlete

Sports teams and organisations will often want to monitor the performance and fitness of their players and athletes, which may involve the collection of health data: for example, information about a player’s heart rate, levels of lactic acid in their blood after interval training sessions, or an athlete’s iron levels. For clubs, teams, coaches or governing bodies to lawfully process an individual’s health data they will need to identify not only a lawful basis for processing, but also one of the special conditions for processing special category data set out in the GDPR. This is complicated further in employment contexts, and clubs should be very careful about relying on explicit consent in order to legitimise the processing of their athlete’s data. Although consent was one of the most commonly relied on grounds for processing employee data under the old data protection regime, under GDPR consent must be freely given and can be withdrawn at any time by an individual. Given the power imbalance between employees and employers, it will be difficult to argue that consent is freely given. Guidance from the UK's data protection authority, the Information Commissioner’s Office (ICO), states that "if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual.” Employers will need to be confident that consent is freely given and that they are able to demonstrate that athletes are presented with a real choice as to whether they wish to participate in a surveillance programme, without any negative consequences if they opt out.

The question of whether consent should be relied upon is particularly pertinent where monitoring hardware has been built into club kit, such as the smart compression shirts used by rugby teams to enable coaches to monitor the workload of the players. Does a player have the opportunity to opt out of this monitoring when it is an integral part of their team kit? Given the difficulties of obtaining and relying on valid explicit consent, sports teams and organisations will likely look to rely on other conditions set out in the GDPR to justify processing the special category data of their players and athletes. In particular, Article 9 of the GDPR allows the processing of special category data that is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment [...].” Since the Health and Safety at Work etc. Act 1974 requires employers to maintain a healthy and safe working environment for their employees, it may be possible to argue that processing of certain aspects of an athlete’s health data is required to identify health issues that need to be considered when designing a safe training regime. Otherwise, sports teams and organisations might seek to rely on the condition set out in Article 9 of the GDPR, which allows processing that is necessary “…for the assessment of the working capacity of the employee […].” For this condition to apply, the data must be “…processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies…” Consequently, the processing would need to be carried out by or under the supervision of an appropriate health professional, such as a doctor or physiotherapist.

Purpose for processing of data

Companies processing personal data must be clear from the outset about the purpose for which they process the data. Data analysts will need to be alert to any new changes in purposes or uses of personal data collected from tracking devices that arise over time. Clubs that collect data must be careful not to use it for any ulterior, unrelated purpose such as selling it to a broadcast partner or sponsor to improve fan engagement. Care must also be taken to ensure that the sports team or organisation is not processing more personal data than is necessary and that personal data is only processed for as long as is necessary to meet the purpose. If any additional purpose for the data is required, a lawful basis for such processing will need to be identified and communicated to data subjects. If the original basis for processing the personal data was consent, further valid GDPR consents will be needed from the data subject for the new processing.

Designing a data process

The GDPR requires that, from the outset, companies implement appropriate technical and organisational measures to safeguard individual rights. This means integrating GDPR-compliant processes from the grass-roots design phase of a system, service or product, right the way through its life cycle until its boots are hung up for the final time. To that end, only the minimum amount of data necessary to achieve the specific purpose (which must be clearly set out) may be collected.

A useful way to identify the risks associated with processing personal data is to complete a Data Protection Impact Assessment (DPIA). Impact assessments are always required where there is a likelihood of high risk to the individual, but are best practice in any case. ‘High risk’ could be a high probability of some harm, or a lower possibility of serious harm. Coaches and clubs that process a significant volume of special category personal data on their players should undertake an impact assessment. A DPIA has three primary objectives: (1) to describe the nature and scope of the data collection; (2) to assess the necessity of the processing and the compliance measures needed; and (3) to identify the risks to individuals, as well as the measures that could be taken to mitigate those risks. As part of this process, the individuals themselves and key stakeholders and experts should be consulted.

Should a sportsman ever blame their tools?

Developers of health and wellness apps are encouraged to utilise the tools available to them to ensure the end product is as safe and useful as possible. In particular, Innovate UK and the British Standards Institution teamed up to produce agreed guidelines and good practice for health and wellness apps in the form of a publicly available specification (PAS). The BSI’s PAS 277 aims to improve both clinical accuracy and usability through the development, testing and production stages.

In addition, the UK Government has produced guidance on evaluating digital health products. In the same way that non-digital healthcare products are routinely evaluated to assess their safety and effectiveness, so should digital products. The guidance provides a number of approaches to product developers, including when and how to undertake their evaluation. While all digital health products should be evaluated, the extent to which this is required will depend on factors such as the risk of harm to users and any economic risk.

Finally, where wearables and/or health apps are used, the manufacturer or developer will have needed to consider whether it constitutes a ‘medical device’ for the purposes of the EU’s Medical Devices Regulation. In particular, where an app or device is used for the purposes of diagnosing, preventing, monitoring or treating an injury or disease, it would be considered a medical device, and subject to extensive governance. When making this assessment, the app’s functionality, the intention of the developer or manufacturer, and any claims about health benefits should be taken into account. Generally, off-the-shelf recreational wearables, such as Fitbits and smart watches, are not considered medical devices. However, devices used to monitor, develop and treat elite athletes may be another story.

Warming up for data protection compliance

Clubs, teams, coaches and governing bodies should be carefully reviewing their collection and processing of personal data from athletes and players, particularly where health data is involved, to ensure continued compliance with data protection requirements. As technology develops and accelerates our understanding of individual sporting performances, all involved need to re-evaluate their collection and processing of data and make necessary updates to stay on the right side of their data protection obligations.

This article has been co-written with trainee solicitor Laurence Nelson.


Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.