FRENCH SUPERVISORY AUTHORITY: COVID-19 and sporting practices: which legal framework for data collection?

Many sports facilities (associations, clubs) wish to implement appropriate measures to limit the spread of the virus and ensure the resumption of sporting activities and events in complete safety (training sessions, tournaments, friendly matches, etc.).

In this context, they are asking about the conditions under which the personal data of athletes, coaches, referees or supervisors can be used, particularly in relation to health: systematic temperature detection before access to sports equipment, organisation of virological tests before the organisation of a sporting event, communication of a negative virological test if the athlete is absent from training, filling in a health questionnaire specifically dedicated to the risks of exposure to COVID-19, etc.

To answer these questions, the CNIL refers to the principles for the protection of privacy and personal data applied to the practice of sport.

Note: for persons exercising a paid activity within sports facilities (e.g. a coach), the framework applicable to the collection of personal data by employers should be applied.

What is health data?

It is data relating to a person’s physical health (physical condition, pathology, medical history, etc.) or mental health (cognitive, psychiatric, etc.), past, present or future, and therefore reveals information about their health. This data also includes the provision of health services (e.g. admission to a specialised department of a hospital such as cardiology, neurology, etc.).

Information obtained during the testing or examination of a body part or a body substance (e.g. medical biology analysis), or information about a disease, physiological state, etc., is also considered health data.

In this respect, any temperature reading, any result of a virological test, any medical certificate sent to sports facilities to assess a risk of exposure to COVID-19, constitutes health data within the meaning of the GDPR.

Can a sports facility collect health data to limit the spread of the virus?

Due to their sensitive nature, health data from people involved in sports facilities or during sports events are subject to very specific legal protection. Therefore, the processing of this data, whether for collection, recording, transmission, use of temperatures or the results of virological tests performed, is in principle prohibited (Art. 9.1 of the GDPR and 6-1 of the Data Protection Act).

In the context of COVID-19, health data may, exceptionally, be processed by sports facilities, if they are in one of the following cases:

  1. Hypothesis No. 1: Sports facilities obtain the consent of the persons concerned (athletes, coaches, referees, etc.) before collecting health data.

In practice, obtaining consent from those concerned can be difficult since, to be valid, consent must be free, specific, unequivocal and informed. However, if an athlete's refusal to take a virological test or to record his or her temperature has the consequence of prohibiting him or her from practising an activity, participating in a tournament or accessing equipment (e.g. gym, stadium, dojo, swimming pool, etc.) or, for a referee, from refereeing a match, the choice cannot be considered free. Therefore, the consent cannot be considered valid.

  2. Hypothesis No. 2: The collection of health data is justified for reasons of overriding public interest.

Sports facilities can rely on this hypothesis as soon as a specific text authorises the collection of health data from the persons concerned for sporting activity, in the context of COVID-19. To do so, they will have to identify the provisions of the sports regulations defined by the Ministry of Sport and the sports bodies (in particular the federations) on which they can rely to justify such collection.

Unless free, specific, unequivocal and informed consent can be obtained from the persons concerned (athletes, coaches, referees, etc.) or dedicated sports regulations govern the collection of health data in the specific context of COVID-19, sports facilities:

  • cannot keep records of body temperature measurements;
  • may not decide to perform virological tests prior to the organisation of sporting events;
  • may not require the athlete to produce a medical certificate if the athlete is absent from training.

a sport is practised (e.g. observance of the rules of physical distancing in accordance with the sport concerned, frequent washing of hands with soap and alcohol gel, individual management of athletes' snacks and hydration, wearing masks in the changing rooms, etc.). These measures are described in detail in various guides written by the Ministry of Sport, including the return to sports driving which incorporates a health protocol to determine the rules to be followed with regard to the management of suspicions and positive cases of COVID-19.

The rules on the protection of personal data apply to automated processing (in particular computer databases) and non-automated processing (e.g. “paper” register) which allow the establishment of archives. Furthermore, the mere verification of temperature by means of a manual thermometer (e.g. non-contact infrared thermometer) at the entrance to sports equipment (e.g. gym, stadium, dojo, swimming pool, etc.), without any data being stored or any other operation being performed (such as reading these temperatures, feedback, etc.), is not covered by the rules on personal data protection.

In its guide to the start of the sporting season, concerning the organisation of sporting events, the Ministry of Sport states that "temperature measurement is not recommended by the High Council for Public Health in its opinion of 28 April, as an access control. This measure may, at the organiser's discretion, be implemented if he decides that it is complementary and that he has the means to implement it under satisfactory conditions".

SOURCE: FRENCH DATA PROTECTION AUTHORITY
