Another in the Let’s Blame Data Protection series, in which I waste a lot of energy on something not really worth the effort
The Bournemouth Daily Echo reports that
Hundreds of disgruntled runners who took part in the inaugural Bournemouth Marathon Festival have accused event organisers of withholding information by failing to provide full race results.
and, with rather dull predicability, there’s a familiar apparent culprit
GSi Events Ltd, the team behind the BMF, has published the top ten runners in the various age categories, but is refusing to publish all the results on the grounds of data protection.
But does data protection law really prevent publication of this sort of information? The answer, I think, is “no”, and the reason for this is tied to issues of fairness and consent
The first data protection principle, in Schedule One of the Data Protection Act 1998 (DPA) says that personal data (broadly, information relating to an identifiable individual) must be “processed” (publication is one form of processing) fairly and lawfully.
The concept of fairness is not an easy one to grasp or define, but helpfully the DPA provides a gloss on it, which, to paraphrase, is that if people are properly informed about how their data is going to be processed (who is doing the processing, and for what purpose) then a key element of “fairness” is met. The Information Commissioner’s Privacy Notices Code of Practice explains
A privacy notice should be genuinely informative. Properly and thoughtfully drawn up, it can make your organisation more transparent and should reassure people that they can trust you with their personal information
The first data protection principle goes on to say that (in particular) personal data shall not be processed at least one of the conditions in Schedule 2 of the Act is met (and Schedule 3, in the case of higher-category sensitive personal data). One of those conditions is
The data subject has given his consent to the processing.
“Consent” is not defined in the DPA, but it is given a definition in the EC Data Protection Directive, to which the DPA gives domestic effect. The Directive says that consent
shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
“Specific” and “signifies” are generally taken to mean that implied consent is not valid in this context, (although the practice of implying consent to processing is widespread). Nonetheless, it seems clear that, with a privacy notice, sensibly drafted, the organisers of the Bournemouth Marathon could easily have said to those registering to race “your race result/time will be published, unless you object”. When one looks at the actual privacy notice, however, such a term is absent.
I suppose that means one could argue that, under the current privacy notice, publishing the race details would be in breach of the DPA. I suppose I could also construct a counter-argument to that to the effect that publication is necessary in pursuance of legitimate interests of the race organisers (for instance to show that it was a real flipping race) when balanced against the legitimate interests of the racers.
But ultimately, come on, it’s just silly to blame data protection: the vast, vast majority of people take part in a marathon knowing that it’s a public event, where they’ll gather plaudits or attract ridicule. Any expectation of privacy of race results is effectively non-existent.
Publish the damn race results, take the infinitesimal risk of someone complaining (a complaint which no one, i.e. the Information Commissioner and the courts, will take seriously or be able to offer a remedy to) and sort your privacy notice out for next year.