PIPEDA Report of Findings #2018-006: Breach of the World Anti-Doping database
This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.
- Sufficiency of security safeguards for sensitive personal information
- Access controls and authentication mechanisms for the ADAMS database
- Monitoring, logging, and incident response capabilities
- Policies, procedures, and training related to information security
Complaint well-founded and conditionally resolved
WADA failed to implement security safeguards appropriate to the sensitivity of the data, including insufficient access controls and a lack of robust authentication, leading to unauthorized access and disclosure of athletes' personal information.
AI-generated summary for reference only. Always verify against the official decision ↗
WADA agreed to implement recommendations to augment its security safeguards, including developing a comprehensive Information Security framework, implementing mandatory two-factor authentication for non-athlete users, updating contractual arrangements with ADOs, and employing encryption at rest for ADAMS data.
- Principles 4.7 PIPEDA
- Principle 4.7.1 PIPEDA
- Principle 4.7.2 PIPEDA
- Principle 4.7.3 PIPEDA
- Principle 4.1.4 PIPEDA
- subsection 11(2) PIPEDA
- subsection 4(1.1) PIPEDA
- Schedule 4 PIPEDA
This summary is informational only and not legal advice.