Data Protection in Sports Medicine: A Comparative Global Analysis of Players’ Privacy

January 17, 2024

INTRODUCTION

The amount of data stored in medical information systems is growing as a result of the ongoing advancements in computer and network technologies. This increases the likelihood of privacy information leaks, which could cause irreversible damage.

A large amount of data regarding patients and hospitals is kept in the medical information system. Such information is extremely confidential. The potential leak of medical data of professional or competitive athletes becomes a particular point of concern. Data related to past injuries, genetic conditions, family history, sexually transmitted diseases, psychological disorders or conditions can cause financial loss to the players by way of affecting their contractual trade values.

On top of this, performance data such as muscle conditions, body fat percentages, body proportions, etc. are worth their weight in gold in extremely competitive modern performance sports, where the determinant factors have reduced to milliseconds of difference between competitors.

If such sensitive personal information is leaked, it can lead to loss to the data subjects, damage the reputation of the medical institution or doctor, and possibly interfere with daily operations; for the patient, it could harm their reputation and possibly put their lives or job in jeopardy. The rapid development of sports medicine has been facilitated by cloud computing and data storage. The conventional data collection and current sports medicine technology, along with certain new data analysis and high-speed communication technologies, form the foundation of the Big Data (“BD”) technology used in the medical and sports industries.

WAYS OF DATA PRIVACY LEAKAGE

Athletes, players, and even the general public at large use wearable devices such as fitness trackers, smartwatches, etc. in their daily lives, or use other biological sign sensors, to collect a huge amount of physical and biological data and user-related information. This is made possible by BD and mobile Internet technology, as well as the popularity of wearable gadgets.

The network lets users monitor their health information continuously, anytime and anywhere, and obtain real-time, continuous illness diagnosis or health services from a diagnosis platform or health service platform.

Certain companies intentionally gather personal information from networks or unlawfully access medical institutions’ databases in order to steal data. This results in losses for the parties involved even when the information is not used directly, or even when the records are erased.

In the process of acquiring information, hackers manipulate data orientation, launch phishing attacks, and use other methods to obtain data and then sell it through reselling and transferring. Another route to a breach arises when a medical information collector connects to a Wi-Fi network and uploads data: the attacker can, by way of deception, change the uploading server’s address, causing medical data to be sent directly to the attacker’s specified server.

IMPACT OF LEAKAGE OF SPORTS MEDICINE DATA

One of the primary disputes that arise over sports medicine data is the uncertainty of ownership of the athletes’ personal information. Some believe that such data reflect their health status and other personal information that belongs to them.

The boundary of the right to fair use and keep the player/athlete’s medical record is vague and blurry. For example, “performance data” records an individual athlete’s performance through the use of a “wearable” gathering device and “competition data” covers the results of a sporting event. Therefore, it is pivotal to understand who “owns” the sports data.

Performance data encompasses not just monitoring metrics like speed and distance traveled, but also medical metrics like heart rates, recovery rates, fitness levels, and so forth. For example, when a “heat map” created from performance data is used to monitor a player’s declining rate of recovery, it can forecast a sporting event’s result, which could be used by an opponent to the player’s disadvantage.

The question of who “owns” the “performance data” is relevant, and a good case can also be made for the athlete’s agency or the organization that represents them in competition. One argument in opposition is that the data belongs to the athlete and can be sold either individually or collectively, possibly through a collective bargaining agreement.

It is also pertinent to note that sports medical data have an effect on the value of a player in the transfer market. Certain questions arise: if a medical condition is detected, what obligations and liabilities does this create with respect to the player’s welfare and in any subsequent trade/sale of that player? How can it be used against the player in a game if it is acquired by their opponents? These are all grey areas, in need of due clarification by way of a robust legal framework and regulatory guidelines.

COMPARATIVE ANALYSIS OF SPORTS MEDICINE DATA PROTECTION OF ATHLETES: USA AND INDIA

1. United States of America:

An athlete’s personal medical information is protected by laws such as the Health Insurance Portability and Accountability Act, 1996 (“HIPAA”) in the USA. The Act aims to establish national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The US Department of Health and Human Services (“HHS”) issued the HIPAA Privacy Rule (“Privacy Rule”) to implement the requirements of HIPAA. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being.

The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing. Such rules are implemented by the Office for Civil Rights within HHS.

The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI.

Under the given rules, the covered entities must ensure confidentiality, integrity, and availability of all e-PHI. They are also obligated to detect and safeguard against anticipated threats to the security of the information. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.

2. INDIA:

In the case of K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1, the Right to Privacy came to be embellished, as there have been cases resolved by the same court in instances like telephone tapping in the case of People’s Union for Civil Liberties vs. Union of India (2003) 2 S.C.R. 113 (“PUCL”), disclosure of HIV patient status in the case of Mr X vs. Hospital Z AIR 1995 SC 495, rights of transgender persons in the National Legal Services Authority (NALSA) vs. Union of India AIR 2014 SC 1863 case, and others.

With the goal of ensuring healthcare data privacy, security, confidentiality, and standardization, the Government released the Digital Information Security in Healthcare Act of 2018 (“DISHA”), India’s counterpart of HIPAA.

Additionally, DISHA aims to create the National and State e-Health Authority (“NeHA” & “SeHA”) and Health Information Exchanges. The health information law is set to regulate generation, collection, access, storage, transmission and use of Digital Health Data (“DHD”) and associated personally identifiable information (“PII”). DISHA places a person squarely in control of his data and establishes considerable constraints on the usage of health data.

AMLEGALS REMARKS

Organizations looking to comply with the privacy requirements should think about conducting routine evaluations of their policies and procedures to make sure that they support the objectives of the team and, at the same time, are in the best interest of the athletes.

In the sports sector, all members should be aware of their responsibilities in gathering, using, transferring, or disclosing medical information, and that consent will need to be obtained for athlete health data to be collected, used and disclosed, even where this is used for the purpose of providing a health service to the individual.

A future trend of ‘fan data privacy’ is also growing in the sector of professional sports data protection. Through ticket purchases, item sales, and online interactions, sports organizations are receiving an increasing amount of personal data from fans, which is curated to get insights on target audiences and fandom of such athletes and players. As a result, it is critical for these organizations to protect sensitive data and information, and have clear regulations governing its usage.

– Team AMLEGALS assisted by Mr. Drishti Meena


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
