Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
BANNING VISITOR BOOKS from heritage sites in Ireland was a disproportionate approach to data privacy, according to the Data Protection Commission (DPC).
Earlier today, it was reported that the Office of Public Works banned heritage sites such as Dublin Castle, Kilmainham Gaol and Muckross House from using visitor books due to data protection concerns.
The DPC has since stated that this may not be a necessary move. The ban was introduced at the beginning of this year’s tourism season, according to The Irish Times.
“The DPC advocates a ‘common sense’ and risk-based approach to data protection and it would appear that this practice may be a disproportionate approach to data protection principles,” a spokesperson for the DPC told TheJournal.ie.
“GDPR only applies to the processing of personal data which form part of a filing system. It is not clear that a visitor book necessarily constitutes a ‘filing system’ as per Article 4 (6) of the GDPR.”
Article 4 (6) of the General Data Protection Regulation (GDPR) states that a filing system is “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
Low risk information
There is general consensus in the industry that the move by the OPW was excessive and unnecessary.
Data protection consultant at Ambit Compliance, Gillian Traynor, told TheJournal.ie that banning visitor books seems like an unnecessary move.
“The GDPR in no way forbids a visitor book. It is a risk-based framework which demands that organisations apply control measures to risks facing personal data controlled by them,” said Traynor.
She added that the personal data shared in visitor books is “generally very low risk” and other measures could be taken to protect this data by asking visitors not to include their address.
She also noted that people are not obliged to share any data in visitor books as they are entirely optional to sign.
“To come within the remit of the law, a paper-based record must be part of a relevant filing system,” Traynor said.
“So it is debatable whether it is a filing system or not. Whether one could find someone’s name in a legible fashion to identify them is not clear,” she added.
Hugh Jones, chief privacy officer at data protection solution company Sytorus, said removing visitor books is a “completely excessive” move.
“Adopting a solution that looks like an overcompensation undermines their credibility,” Jones said.
It would be depriving visitors of an opportunity to express their excitement or gratitude about a place.
He added that unless it is not optional to include a name and address when leaving a comment, there should be no risk of data privacy being breached.
Clare Copas, founder of MonClare Data Protection Consultancy, said that this move was “a bit drastic”.
“Instead of banning the visitor books, they could have put signs up to make people aware that by writing their name, they are making this information publicly available,” Copas said.
“It was a bit drastic. I feel that they don’t have the full grasp of the legislation.”
The Office of Public Works was contacted for comment on this issue but had not responded by the time of publication.
What is GDPR?
The General Data Protection Regulation (GDPR) was put in place in May 2018 in EU legislation. It is a set of rules aimed to give EU citizens more control over their personal data.
It requires a higher standard of data protection for EU personal data than was previously in place. Companies that process this data must abide by EU processing standards in order to avoid fines of up to €20 million.
EU data is no longer permitted to be processed in countries outside of the EU that are not on the list of approved countries. Countries that are allowed include the US, Japan and Israel.
Under the GDPR, personal data is data that relates to or can identify a living person such as your name, number, bank details and medical history.
This is not the first instance of over-cautiousness concerning GDPR. Last month, it was reported that the GPO had removed all of its public bins due to fears of breaching data privacy law.
Hows about signing a book of condolences. Are we still ok with this you daft bunch in the OPW?
@Paul Furey: Agree – we need to call out daft decision making in civil service and govt bodies , this is just daft daft daft nonsense – creating a solution when there is no problem – GDPR is designed to protect how our personal data could be abused – simply idiotic to try say theres a problem with a visitor book – at most they could have suggested they only ask for name -where from -comment but still the fact they wen t looking for this as a problem shows the mentality – when are going to reform our civil service and public sector quangoes – cost us a fortune in taxes to fund – but increasingly obvious they are not fit for purpose in so many cases – not a day passes in ireland when there isnt a father ted story of buffonery
@Paul Furey: Not so daft… clever ploy to get assigned to training course on ” visitor book data compliance and procedures”. Then there will be the mandatory train the trainer sessions, 6 monthly refresher training and the amended guidelines process review after year 1 evaluation workshops. And start the process all over again.
@Paul Furey: it is very unlikely to be in scope of the GDPR
Data protection….it’s as useful as an ashtray on a motor bike
@brian reid: some Harley Davidson motorcycles come with ashtrays you put cigarettes ends into them
Lunatics – Asylum – Takeover.
PC gone crazier than usual
@Roger Kennington: you need to check the definition of PC I think
Just waiting for GDPR to be included in a wedding ceremony. Sign registry and GDPR.
@John Horan: not in scope: household activity
Maybe make them iPads and give them that annoying “cookies allowed” pop up box?
Due to all of this GDPR hyperactivity, members of the public have contacted the Data Commissioner complaining about patient charts being visible at all anywhere within a hospital (for example at an outpatient clinic), patient names being called out at clinics and members of staff walking around hospitals with patient charts visible in their hands. People have lost the run of themselves.
@Sirius: pople have lost the run of themselves -but a lot of people are just idiots and need to told as much – the political correctness / waiting to be outraged need to told they are being idiots when they are being idiots – when somebody says -but GDPR you can sure they haven’t a rats what they actually mean and need to be told where to go…..honestly some of the nonsense ya hear —–just tell people to suck it up and let them get offended and outraged – as Bais Fawlty says – we should let them all burn..
It amazes me that our civil service do not understand GDPR, a signature or name alone does not create a data subject therefore there is no need stop visitor books or books of condolences
Ridiculous.
The problem is the DPC can’t even give a straight answer. “It is not clear”, “it may not be” etc, etc,. This would have to go to a Court for a decision. No wonder some are taking a cautious approach, they’re afraid of being sued and they can’t get a clear, unequivocal answer from the DPC. This is what gives the EU a bad name.
@Symbolism: right. And the fine is 20 million. And ‘it’s not clear’ if you could appeal it.
@Symbolism: idiotic decisions from our Irish public sector cannot be passed off as something that ‘gives the EU a bad name’ – jesus wept
@Symbolism: it probably depends on the question they were asked and the journalist understanding the answer based on their GDPR knowledge
The muppets who signed this off should be sacked. Common sense must prevail.
@Martin Conway: Sacking someone for removing a visitors book is hardly common sense.
@Martin Conway: Why would you want to collect people’s names and addresses, though?
This says it all!!!! What utter rubbish this misuse of GDPR is
GDPR is going to be a gold mine for the legal profession in the coming years.
At some point people have to take responsibility for their own actions. We cannot legislate for every possible situation, and by trying to keep people safe from themselves, we are making them dependent on an all seeing and all knowing legislature, hmm..
Society should be enabling critical thinking, the capacity to ask oneself, when signing a visitors book, why am I doing this? What is enough information?
So before doing something ask yourself:
Why am I doing this? (To help tourist board accumulate data on tourism)
What is the purpose of the activity? (To gather data)
How much information do they need? (Town or Province Country)
Am I willing to make that information available publicly, (in the case of a visitors’ book open for anyone to read through)
Used by people to hide something from others.
Well this problem is not just with the civil service.
I was checking into a hotel a while ago. The receptionist pushed the room key across the counter to me and told me that under GDPR that she couldn’t tell me my room number in case someone else heard it.
When I asked where this idea came I was told that a GDPR trainer told them. It makes me wonder what other sort of nonsense came out of these courses.
@Shay Bourke: That sounds like discreet and sensible advice to me. Have you never noticed anyone putting a round of drinks on a bill and giving your room number? Although I imagine the main problem is drunks at a wedding trying to get into the wrong room.
It will be rolled out for dignatarys though!
Hey very cool site!! Man .. Excellent .. Amazing .. Ill bookmark your web site and take the feeds alsoI am happy to find so many useful info here in the post, we need work out more strategies in this regard, thanks for sharing. .
have your say