Some of Ireland's best known heritage sites – such as Kilmainham Gaol, Dublin Castle and Muckross House – have been ordered to remove visitor books due to concerns they breach EU privacy and data protection rules.
The Office of Public Works (OPW) believes the books, in which visitors leave brief remarks along with their names and in some cases addresses, leave the State open to breaching the General Data Protection Regulation (GDPR).
The regulation is a set of privacy and data protection rules brought in by the European Union last year. The maximum fine for public bodies that fail to adhere to the rules is €1 million under the Data Protection Act.
The OPW introduced the ban on visitor books as this year's tourism season started. More than 8.5 million people visited OPW heritage sites last year which include the Hill of Tara visitor centre, Áras an Uachtaráin, Government Buildings, Kilkenny Castle, the Rock of Cashel and Skellig Michael.
“The Office of Public Works observed that visitors were recording personal data, including names, addresses, etc, in visitor books at our sites which were out of view of the staff and completely unsecured,” an OPW spokesman said.
“Anyone could use their phone to photograph and copy the data in order to remove it. This could lead to the OPW being at risk of failing to protect personal data.”
Daragh O Brien, a privacy and data protection expert who heads the Castlebridge consultancy, described the OPW move as "insanity" and "illogical". He said it was an "overly-literal" interpretation of the regulations.
“Technically, a visitor book has personal data and it is on display,” he said. “However, the level of information is quite small and also people don’t have to sign the visitor book at tourist attractions.”
Mr O Brien said the OPW should “just put a note up beside the books telling people it is their choice to sign the book, and to put the minimum amount of information about themselves in it.
“What we are seeing here is health and safety insanity caused by an overly-conservative and overly-literal interpretation of the legislation, without actually looking at the information being recorded,” he added. “Common sense needs to be applied.”
Books of condolences
Based on the logic being applied, Mr O Brien suggested, there could potentially be a ban on books of condolences being opened in public spaces in the aftermath of an international atrocity or the death of a high-profile figure.
The OPW cited article 32 of GDPR which, it says, requires it to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
“As a result, it was advised to discontinue their use,” the spokesman said of the visitor books. “As GDPR requires a purpose for processing data, this was another reason for not collecting it in the first place.”