Visitor books have been banned from several heritage sites in Ireland including Dublin Castle and Kilmainham Gaol. Shutterstock/Brian A Jackson
Data privacy

Data Commission says banning visitor books is a 'disproportionate approach' to data privacy

The books were banned from heritage sites such as Kilmainham Gaol and Dublin Castle.

BANNING VISITOR BOOKS from heritage sites in Ireland was a disproportionate approach to data privacy, according to the Data Protection Commission (DPC). 

Earlier today, it was reported that the Office of Public Works banned heritage sites such as Dublin Castle, Kilmainham Gaol and Muckross House from using visitor books due to data protection concerns. 

The DPC has since stated that this may not be a necessary move. The ban was introduced at the beginning of this year’s tourism season, according to The Irish Times. 

“The DPC advocates a ‘common sense’ and risk-based approach to data protection and it would appear that this practice may be a disproportionate approach to data protection principles,” a spokesperson for the DPC told TheJournal.ie. 

“GDPR only applies to the processing of personal data which form part of a filing system. It is not clear that a visitor book necessarily constitutes a ‘filing system’ as per Article 4 (6) of the GDPR.”

Article 4 (6) of the General Data Protection Regulation (GDPR) states that a filing system is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.

Low risk information

There is general consensus in the industry that the move by the OPW was excessive and unnecessary. 

Data protection consultant at Ambit Compliance, Gillian Traynor, told TheJournal.ie that banning visitor books seems like an unnecessary move. 

“The GDPR in no way forbids a visitor book. It is a risk-based framework which demands that organisations apply control measures to risks facing personal data controlled by them,” said Traynor.

She added that the personal data shared in visitor books is “generally very low risk” and other measures could be taken to protect this data by asking visitors not to include their address. 

She also noted that people are not obliged to share any data in visitor books as they are entirely optional to sign. 

“To come within the remit of the law, a paper-based record must be part of a relevant filing system,” Traynor said.

“So it is debatable whether it is a filing system or not. Whether one could find someone’s name in a legible fashion to identify them is not clear,” she added.

Hugh Jones, chief privacy officer at data protection solution company Sytorus, said removing visitor books is a “completely excessive” move.

“Adopting a solution that looks like an overcompensation undermines their credibility,” Jones said.

It would be depriving visitors of an opportunity to express their excitement or gratitude about a place.

He added that unless it is not optional to include a name and address when leaving a comment, there should be no risk of data privacy being breached. 

Clare Copas, founder of MonClare Data Protection Consultancy, said that this move was “a bit drastic”. 

“Instead of banning the visitor books, they could have put signs up to make people aware that by writing their name, they are making this information publicly available,” Copas said. 

“It was a bit drastic. I feel that they don’t have the full grasp of the legislation.”

The Office of Public Works was contacted for comment on this issue but had not responded by the time of publication. 

What is GDPR?

The General Data Protection Regulation (GDPR) was put in place in EU legislation in May 2018. It is a set of rules aimed at giving EU citizens more control over their personal data.

It requires a higher standard of data protection for EU personal data than was previously in place. Companies that process this data must abide by EU processing standards in order to avoid fines of up to €20 million.  

EU data is no longer permitted to be processed in countries outside of the EU that are not on the list of approved countries. Countries that are allowed include the US, Japan and Israel. 

Under the GDPR, personal data is data that relates to or can identify a living person such as your name, number, bank details and medical history.

This is not the first instance of over-cautiousness concerning GDPR. Last month, it was reported that the GPO had removed all of its public bins due to fears of breaching data privacy law. 
