It was during the middle of playoffs last year when I glanced at my phone and saw an email I should never have received: a professional sports team’s medical department had accidentally cc’d me on an email thread – one containing a complete breakdown of its players’ health and injury data. The sender meant to include someone who shared my first name, but my email address had been auto-populated.
Every one of us has a story like this. Of course, I deleted the email and notified the sender, but I was still horrified – not only at the error, but also that information so sensitive was ever shared in such an insecure way. I later learned this was standard practice for that particular team and for so many others desperate for a fast, efficient way to share information, align staff, and improve performance. The irony is that a group email thread does none of those things. Worse, it is wildly irresponsible. It is a breach of trust with the athletes who own their medical data and whose careers and livelihoods depend upon its absolute privacy.
At a surface level, elite sport seems to confront a dual challenge: how to harness oceans of data to reduce athletes’ risk of injury and improve performance, while at the same time protecting their privacy. But a decade of helping teams unify their data and gain insights for competitive edge has convinced me these are not divergent goals at all. In reality, protecting athlete data is essential to athlete protection, and it’s time for private companies to lead this change. Essential to this work is understanding that point solutions, even custom-built ones, are obsolete and simply not up to the task that athletes deserve and that trust requires.
‘The wild west’
In April, the Australian Academy of Science published Getting ahead of the game: athlete data in professional sport – capturing a challenge that affects elite sport worldwide:
“Australian professional sports are collecting more personal information about athletes than they can meaningfully deal with. Concerningly, this data—which is personal, unique, and intimately revealing about individual athletes—amounts to excessively more information than has been proven to be useful. What are the stakes of exponential and unregulated growth in human monitoring for the workplace of professional sport, and beyond?”
One of the authors called the current landscape ‘the wild west.’ And while I believe there are vast legitimate and effective uses for much of this data, I fundamentally agree with that characterization. Far too often, I’ve sat down with a club’s strength and conditioning staff to discuss their goals, when someone across the table opens up a laptop and casually mentions they used to work for the team they’re scheduled to play next, and that they’ve got data on its athletes going back years. In another instance, someone at a major university team exposed an athlete’s private health information to a league, which impacted its salary offer to that player.
Do staff hang onto this data out of malice? Are universities willfully handicapping their players? Maybe, in some cases, but I think a vast majority of the time the real reason is that completely inadequate and porous point solutions or homegrown technology allow breaches of the most private and sensitive of information. Organizations are using bad tools to manage their data. In addition, the crushing daily pace of elite sport means people simply download data, run their analysis, and move on as quickly as possible to the next in a never-ending torrent of time-sensitive tasks.
It’s time to do data differently
When we founded Kitman Labs nearly a decade ago, we chose to invest in world-class security.
We were just a small company back then – only 20-30 employees – but we chose to become ISO 27001-certified to significantly enhance the security of the athlete information we’re trusted to protect. Put simply, we wanted the gold standard in global information security and risk management. We welcomed external third parties auditing every aspect of what we do – not just digital security, but also how we build our software, our office environment, our decision-making. We resolved never to allow our partners or their athletes to become vulnerable as a result of their relationship with us.
The cost to get certified at the time was close to half a million dollars – a huge investment for a company as small as we were. (We also knew it would cost us several hundred thousand dollars per year just to maintain that certification.) At the same time, we invested in a substantial data risk management and private security team to support a mature, sophisticated approach. From our earliest beginnings, we have treated athlete privacy as sacred.
Ten years and almost 200 employees later, we regard these decisions as among the best we’ve ever made. You cannot protect athletes without protecting their data. We believed that then. We believe that now.
Further, we believe every piece of information collected is part of an athlete’s digital biometric data. It should be treated as confidential health data. Information that falls under these categories is protected under HIPAA in the U.S. and Article 7 of the EU General Data Protection Regulation (GDPR) in Europe. The policies are somewhat looser for data that don’t fall into these buckets, but we at Kitman Labs again made the conscious decision to treat all our partners’ information as if it does hold that degree of sensitivity.
Why have we taken this approach to athlete privacy and information security? Because we believe it’s our responsibility as a business and because we know data can be used against athletes (just as it was in the university example I mentioned). We wanted a level of transparency that showed our partners that everything we do is with and for athletes. Having the right procedures in place shows that commitment. It lets them see exactly how we’re leveraging their information – to improve health and performance.
The problem is that not everyone in the industry does this; in fact, far too few do. Elite sport’s data analytics industry can grow and keep trust – and its license to operate – by demonstrating world-class protection of data and athlete health. We believe it must.
The Australian Academy of Science report has elevated the public conversation on athlete privacy and digital information security. Private companies must lead on it. We call upon our peers across the industry to take data, privacy and security seriously and join us in protecting athletes at the forefront of information and risk management practices for global elite sport. And while it’s grossly unfair to put the onus on them, we encourage athletes themselves to echo this call. Their voices and platforms can swell the chorus and drive the changes elite sport needs and which they deserve. In the meantime, we’ll continue doing our part, just as we’ve done the last decade, just as we plan to do for the next.