Ban on visitor books at tourist sites could have been avoided, watchdog says
Data Protection Commissioner responds to OPW move to remove books over GDPR fears
Kilmainham Gaol in Dublin. File photograph: Frank Miller
A ban on visitor books at well-known heritage sites over fears about EU privacy rules could have been avoided with a new note on the books warning the public, the State’s privacy watchdog has said.
Responding to the decision of the Office of Public Works (OPW) to remove the books from visitor attractions such as Dublin Castle and Kilmainham Gaol, Data Protection Commissioner Helen Dixon described the issue of publicly available information in visitor books at tourist attractions as a “low-risk area”.
The State’s data protection regulator, who polices breaches of the EU privacy rules under the General Data Protection Regulation, said visitors leave comments along with their name and address on a voluntary basis in visitor books so they are “essentially consenting” to providing their data.
A visitor book is “not likely” to meet the definition of a “structured filing system” containing accessible personal data under the terms of the EU’s wide-ranging data protection rules introduced last year, she said.
The OPW introduced the ban on visitor books at the start of the tourism season over concerns that it could breach the section of the rules that requires the State body to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Public bodies that fail to adhere to the rules face a maximum fine of €1 million under the rules.
“[The] OPW seems to indicate it is security issues around books that led to their action. If that’s their concern, [then they] could add a note in the header of the visitor book to indicate full addresses and phone numbers should not be included as the book is not supervised,” Ms Dixon said.
Damien Cassidy, chairman of the Kilmainham Gaol Board of Visitors, said it was “absolutely ludicrous” to remove visitor books from a tourist site that attracts three million visitors a year and “nonsense” to suggest the visitor books could be in breach of data protection rules.
“We would regard the visitors’ book as an important part of their tour. It is a personal comment by people who come, some of whom are Irish. It is closing the book and the door on their thoughts. Why should we do that?” he said.
Mr Cassidy said visitors like to be able to sign a book at an important historical site given that some have travelled long distances and sign their names out of respect to the people who were held and died at the jail including the leaders of the 1916 Rising.
He found it difficult to believe how the tourist attraction could be in breach of data protection rules when they were just being asked to sign their name and to make a comment.
“We don’t ask for a name and address – no contact details,” he said.
Ms Dixon said the EU rules applied to the processing of personal data wholly or partly by automated means or by other means which form part of – or are intended to form part of – a filing system.
She has previously criticised the “over zealous” interpretation of the GDPR requirements, including the decision by An Post to remove public bins in the GPO in Dublin because of concerns that the rubbish might contain personal details that could breach the EU law.
“It is very hard to fathom that one but there was an absence of common sense there,” she told The Irish Times in May of An Post’s decision in that case.