The publication by ‘Fancy Bears’ (a group of international hackers) of the World Anti-Doping Agency's (WADA) database serves as a reminder to large organisations of the importance of effective cyber security in ensuring compliance with Data Protection laws.
This hack has seen private medical records of Olympic athletes, including the cyclist Bradley Wiggins and tennis star Serena Williams, brought into the public eye. Serious questions have consequently been raised about WADA's data protection policies, their processing and storage of personal information and their procedures surrounding data protection generally.
The hack revealed information relating to Therapeutic Use Exemption Approvals (TUEs), which allow athletes to take drugs that would otherwise be prohibited, for specific medical circumstances. WADA's guidelines state that TUEs will only be retained for 8 years. The oldest of Bradley Wiggins' TUEs that was leaked is from June 2008. While it is not known when the hack took place, it was possibly outside of this 8-year retention period, and accordingly concerns have been raised about WADA's adherence to their own guidelines.
In addition, the athletes themselves, many of whom have had their sensitive personal information published in contravention of their fundamental right to privacy, will obviously be concerned about the leak. The right to privacy is protected by both the Irish Constitution and the European Convention on Human Rights.
The hacks have impacted on the reputation of many athletes and could potentially reduce their brand value. Taken together, these concerns could give rise to future litigation as athletes seek monetary compensation for the damage to their reputation.
It has been reported that the hacks occurred as a result of phishing emails targeting user accounts of the Anti-Doping Administration and Management System. This highlights the attention that must be paid to effective cyber security procedures, training and risk management within organisations.
As WADA and other large sporting organisations are now required to retain substantial amounts of personal data about athletes, it is of critical importance that internal procedures are reviewed on an ongoing basis in this increasingly regulated area of law.