Dublin: 8 °C Monday 9 December, 2019

Data Commission says banning visitor books is a 'disproportionate approach' to data privacy

The books were banned from heritage sites such as Kilmainham Gaol and Dublin Castle.

Visitor books have been banned from several heritage sites in Ireland including Dublin Castle and Kilmainham Gaol.
Image: Shutterstock/Brian A Jackson

BANNING VISITOR BOOKS from heritage sites in Ireland was a disproportionate approach to data privacy, according to the Data Protection Commission (DPC). 

Earlier today, it was reported that the Office of Public Works banned heritage sites such as Dublin Castle, Kilmainham Gaol and Muckross House from using visitor books due to data protection concerns. 

The DPC has since stated that this may not be a necessary move. The ban was introduced at the beginning of this year’s tourism season, according to The Irish Times. 

“The DPC advocates a ‘common sense’ and risk-based approach to data protection and it would appear that this practice may be a disproportionate approach to data protection principles,” a spokesperson for the DPC told TheJournal.ie. 

“GDPR only applies to the processing of personal data which form part of a filing system. It is not clear that a visitor book necessarily constitutes a ‘filing system’ as per Article 4 (6) of the GDPR.”

Article 4 (6) of the General Data Protection Regulation (GDPR) states that a filing system is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.

Low risk information

There is general consensus in the industry that the move by the OPW was excessive and unnecessary. 

Data protection consultant at Ambit Compliance, Gillian Traynor, told TheJournal.ie that banning visitor books seems like an unnecessary move. 

“The GDPR in no way forbids a visitor book. It is a risk-based framework which demands that organisations apply control measures to risks facing personal data controlled by them,” said Traynor.

She added that the personal data shared in visitor books is “generally very low risk” and that other measures could be taken to protect this data, such as asking visitors not to include their address.

She also noted that people are not obliged to share any data in visitor books as they are entirely optional to sign. 

“To come within the remit of the law, a paper-based record must be part of a relevant filing system,” Traynor said.

“So it is debatable whether it is a filing system or not. Whether one could find someone’s name in a legible fashion to identify them is not clear,” she added.

Hugh Jones, chief privacy officer at data protection solution company Sytorus, said removing visitor books is a “completely excessive” move.

“Adopting a solution that looks like an overcompensation undermines their credibility,” Jones said.

It would be depriving visitors of an opportunity to express their excitement or gratitude about a place.

He added that unless visitors are required to include a name and address when leaving a comment, there should be no risk of data privacy being breached.

Clare Copas, founder of MonClare Data Protection Consultancy, said that this move was “a bit drastic”. 

“Instead of banning the visitor books, they could have put signs up to make people aware that by writing their name, they are making this information publicly available,” Copas said. 

“It was a bit drastic. I feel that they don’t have the full grasp of the legislation.”

The Office of Public Works was contacted for comment on this issue but had not responded by the time of publication. 

What is GDPR?

The General Data Protection Regulation (GDPR) was put in place in EU legislation in May 2018. It is a set of rules that aims to give EU citizens more control over their personal data.

It requires a higher standard of data protection for EU personal data than was previously in place. Companies that process this data must abide by EU processing standards in order to avoid fines of up to €20 million.  

EU data is no longer permitted to be processed in countries outside of the EU that are not on the list of approved countries. Countries that are allowed include the US, Japan and Israel. 

Under the GDPR, personal data is data that relates to or can identify a living person such as your name, number, bank details and medical history.

This is not the first instance of over-cautiousness concerning GDPR. Last month, it was reported that the GPO had removed all of its public bins due to fears of breaching data privacy law. 
