Transgender athlete participation — navigating data protection laws when collecting sensitive personal data
Authors: Eleanore Beard, Catherine Forshaw
For athletes to compete in organised national and international sport competitions, they may have to satisfy certain eligibility criteria and adhere to any participation policies. The requirements for competition can include athletes being asked to provide their testosterone levels and chromosomal sex — which are of course highly sensitive forms of personal data.
If you’re collecting such data, you must be mindful of the relevant data protection laws that are designed to safeguard athletes’ privacy. Here, Catherine Forshaw and Eleanore Beard outline the key issues to be aware of as well as how to implement secure and legally compliant data collection processes.
Collecting special category data
All athletes have rights under data protection legislation around how their personal data is collected, processed and protected. This includes sensitive information like sexual orientation, medical data and health data (such as hormone and testosterone levels). Alongside other forms of sensitive information like race and ethnic origin, such data is referred to as ‘special category’ personal data, which requires a higher level of protection and can only be processed under strict conditions.
Athletes’ rights under data protection legislation should provide control over both personal data and special category personal data, as well as protection from unnecessary or excessive data collection. This means that organisations collecting such data must balance the need for fairness in competition with athletes’ rights to privacy and compliance with data protection legislation.
While a person’s gender, sex and chromosomal sex can be used to identify or describe an individual, they’re not classified as special category personal data. However, such data should still be treated very carefully, as this information could be sensitive to that individual. If a person’s gender, sex and chromosomal sex also reveal specific details about an individual’s health, medical care or sexual orientation, it will then constitute special category personal data.
It’s therefore important for organisations to be clear about what types of information they should be collecting from athletes and whether it’s necessary to collect more sensitive data for a particular level of competition.
GDPR & lawful basis
Your governing sporting organisation should provide guidance on the collection of personal data and special category personal data — including information about which lawful basis justifies collection — when requesting its eligibility criteria.
Article 6 of the UK General Data Protection Regulation (UK GDPR) provides a list of lawful bases that can be used to collect and process personal data.
These are consent, the performance of a contract, to comply with a legal obligation, to protect the vital interests of a data subject, where it’s in the public interest or where it’s necessary for the legitimate interests of the entity collecting the data.
Article 9 of the UK GDPR provides the list of lawful bases which can be used (in conjunction with Article 6) to collect and process special category personal data.
The lawful grounds under Article 9 of the UK GDPR include:
- where the individual provides explicit consent
- it’s necessary for employment, social security and social protection (if authorised by law)
- to protect the vital interests of an individual
- for the legitimate activities of a foundation, association or not-for-profit body with appropriate safeguards and with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or former members
- where the information has been made public by the data subject
- defending legal claims or judicial acts
- where there are reasons of substantial public interest (with a basis in law)
- in health or social care (with a basis in law)
- in public health (with a basis in law)
- for archiving, research and statistics (with a basis in law).
Competition rules & public interest
The rules of competition will vary and, in some circumstances, you could rely on the conditions set out within Schedule 1 of the Data Protection Act 2018 to collect special category personal data where there’s a substantial public interest condition with a basis in law.
The most relevant conditions for sporting competitions are clauses 27 and 28, which cover anti-doping and standards of behaviour in sport.
These stipulate that:
“27 (1) This condition is met if the processing is necessary—
(a) for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
(b) for the purposes of providing information about doping, or suspected doping, to such a body or association.
(2) The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
(3) If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
[and]
28 (1) This condition is met if the processing—
(a) is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c) is necessary for reasons of substantial public interest.
(2) In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
(a) dishonesty, malpractice or other seriously improper conduct, or
(b) failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.”
Where you rely on a substantial public interest condition to collect and process personal data, you must also provide the athlete with an appropriate policy document. This is a short document that outlines your compliance frameworks and retention policies for special category personal data, as well as your privacy policy.
Where you’re unable to rely on a public interest condition or another lawful basis and seek instead to rely on explicit consent to collect personal data and/or special category personal data, you may struggle to obtain valid consent. That’s because consent must be a choice with an unambiguous and clear affirmative action (an opt-in) made by the athlete. Relying on consent as a lawful basis therefore comes with risks of non-compliance with the data protection legislation.
Article 7 of the UK GDPR states that you must ensure you’re offering individuals a real choice and control over the decision and you should be able to demonstrate that the data subject has consented to the processing. You should also be able to evidence that the consent was presented in a manner that was clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
If you’re running a sporting competition, you’re considered to be in a position of power. This means that you’ll find it more difficult to prove that athletes are offered real choice and control over their data. This is especially apparent where an athlete must consent and provide personal data to be considered eligible to participate in competitions. Where such an imbalance of power exists, athletes could be ‘disadvantaged’ if they don’t consent to the collection and processing of their special category personal data. It’s therefore unlikely that ‘consent’ is the correct lawful basis to use.
Completing a DPIA (data protection impact assessment)
We’d recommend that any organisation running a sports competition should conduct a DPIA to assess the collection of personal data, the lawful basis used and any potential risks associated with processing special category personal data as well as identify measures to mitigate these risks. All relevant stakeholders — including athletes, data protection officers and legal advisors — should be involved in the DPIA process.
Where you collect personal data, those athletes should be informed about the purpose of the data collection (for example, to determine eligibility to compete or compliance with sports regulations) and how the data will be used, stored and shared. You must also ensure that your privacy policy has sufficient information to reflect the processing undertaken and that personal data is processed in line with the data protection principles.
Eight steps to comply with data protection legislation
To comply with the data protection principles, you must ensure that you have:
1. A lawful basis for processing personal data and special category personal data
This could include obtaining explicit consent from individuals, fulfilling a legal obligation or necessity for the performance of a contract. Remember — if you’re relying on ‘consent’, you must ensure that this is freely given and that athletes can opt out after providing the data.
2. Transparency
Inform individuals about the purpose of collecting personal data and special category personal data, as well as how it’ll be used and their rights regarding its processing. Provide clear and easily understandable explanations in privacy notices or consent forms.
3. Data minimisation
Only collect the data that’s necessary for your intended purpose. Avoid collecting excessive or irrelevant personal information.
4. Security measures
Implement robust security measures to protect collected personal data and special category personal data from unauthorised access, disclosure or alteration. This may include encryption, access controls and regular security assessments to identify and address vulnerabilities.
5. Accuracy & updates
Ensure the accuracy of collected personal data and special category personal data and establish procedures for updating or rectifying inaccuracies. Implement measures to verify the quality of the data at the point of collection and periodically throughout its lifecycle.
6. Storage limitations
Define retention periods for collected personal data and special category personal data based on the purposes for which it was collected. Regularly review and securely delete or anonymise data once it’s no longer necessary or if individuals withdraw their consent.
7. Access & erasure processes
Athletes must be able to access their data, request corrections or erasures and object to its processing in certain circumstances.
8. Audit procedures
Continuous monitoring is required to ensure compliance with data protection legislation. This may include conducting regular audits to assess the effectiveness of security measures, data handling practices and adherence to individuals' rights.
Talk to us
If you’re an organisation or national governing body that needs advice on how to establish a compliant process for collecting personal data or an athlete looking to understand and protect your rights, our expert sport and data protection lawyers are ready to support you.
Our specialists regularly provide data protection management and GDPR compliance training to guide your journey to compliance.
Talk to us by giving us a call, sending us an email or completing our contact form below.
You can also find out more about the UK’s approach to transgender athletes’ participation in sport and explore our practical considerations for transgender policies and procedures.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Catherine Forshaw
Catherine is a Senior Associate in our sports law team and leads our focus on rugby and women in sport.