GDPR has wrongly been blamed for many things since its introduction. It has been scapegoated by sceptics, and some illogical interpretations of the regulation have led to disproportionate responses. Various interpretations, propounded by some, have no basis in data protection law and are just wrong. Nevertheless, the GDPR continues to get the blame.
Some Examples
Our No.1 is the hairdresser who cited GDPR as the reason she could not tell a customer what particular dye colour she was using in the customer’s hair! At the time, the same customer was trying to get an appointment with another hairdresser, as her usual hairdresser could not fit her into her schedule. The customer wanted to be sure the correct dye would be used by the new temporary (perhaps to be the new permanent?) hairdresser. GDPR gets the blame! Very inventive, but nonsense, of course.
‘Over the top’.
On the disproportionate scale is the guy who claimed to Joe Duffy that at the time of the last election, voting cards should have been shredded in front of voters once they had been presented to the election officials. One could make an exaggerated technical argument to try to support this, but there has to be a commonsense approach taken. A, ‘verify and return’ approach is more practical and effective than a, ‘verify and destroy’ (shred) approach. How many shredding machines would have been needed in each polling station? Just think of the general layout in most polling stations. Certainly, in the larger ones, there are a lot of different sections and rooms.
Here is a case of getting the sledgehammer to crack the nut. Shredding the cards in front of voters is an example of an action that is disproportionate to the risk to voters. The sensible thing to do, which was done by officials, was to simply hand the voting card back to the voters. This is completely in line with the storage limitation principle from Art. 5 (1) (e), “ …kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…” Therefore, ‘verify and return’ was the most logical and commonsense action.
Visitor Books at heritage sites
This example leads us to the story of the visitor books at certain heritage sites. Attention was first drawn to this story by an article in the Irish Times. Data protection consultants GDPRXpert are providing this link to you now. The general theme is that GDPR concerns led to the decision by the OPW to remove the visitor books from certain heritage sites. In most cases, visitors were signing their names and giving partial addresses. Some visitors included very short comments.
“The Office of Public Works observed that visitors were recording personal data, including names, addresses, etc, in visitor books at our sites which were out of view of the staff and completely unsecured,” an OPW spokesman said. A view was taken by someone at the OPW that the personal data in the books were insecure. For example, someone could take a photograph of some page or pages of the book. We don’t know who would want to do that or why, but that possibility certainly does exist. But removing the visitor books from the sites? Best to examine some of the aspects to this in more detail.
Issue 1…Personal Data in the Books.
GDPR and data protection consultants, GDPRXpert, have set out the definition of ‘personal data’ from Art.4 (1) on their homepage. GDPR has a wider definition of ‘personal data’ than under the old data protection acts. There is no doubt that, in accordance with the newer definition, a name or an address or both constitutes personal data.
Issue 2…Are personal data being processed?
Art.4(2) defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, consultation ,use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. It is clear that the personal data from the visitor books are being processed under several of the categories of processing outlined above, e.g. collection, use, recording, storage, etc. GDPR Art.4 (2) expressly states the processing does not need to be by automated means, and so the means can be manual.
Issue 3…Are the data part of a filing system?
The next question is if the manual entries of the visitors (names, addresses etc), which immediately become manual records, form part of a filing system? This is a requirement under the GDPR Art. 2(1), and if this criterion is not met then GDPR does not apply. In this context, personal data must “form part of a filing system or are intended to form part of a filing system”. The Regulation defines a filing system as, “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. (Art.4 (6), GDPR.) In all likelihood, the details in the visitor books would fail to meet the criteria to fall under the ‘filing system’ definition.
One aspect that does not seem to have been considered or mentioned is whether the OPW viewed the personal data as data, “intended to form part of a filing system”. If so, that intent would bring the personal data under the filing system umbrella. At any time in the future the personal data in the books could be transferred into electronic form, and then would constitute, “part of a filing system”.
Only the OPW can say what the exact purposes of the visitor books were, and whether there ever were plans to transfer data to electronic form. Even at the busiest heritage sites, regularly transferring personal data from the books into electronic form would not be a taxing duty on staff. However, there is no diktat for entries in the visitor books, and many visitors simply put something brief like, ‘John, Idaho, U.S.’ Many visitors seem to concentrate on comments around their personal appraisal of the experience itself.
Issue 4…Lawful basis for processing personal data
We have stated it time and time again, that just because you can process personal data does not mean you should. You must have a lawful basis. So if we conclude from the foregoing that personal data are being processed, then we must look for a lawful basis. It is likely that every visitor is aware that the act of writing a name or an address or leaving some comments is entirely voluntary. In other words, they are consenting. OPW could use the consent of the visitors as a lawful basis for personal data processing.
Under the GDPR it is not quite as simple. People whose personal data are being processed (data subjects) need to be aware of the context of the consent. Consent to what? The definition of consent is that it is an ‘ …unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her’. As part of a normal personal data processing operation, information on the purposes of the processing and a whole host of other information has to be given to the data subject at the time the data are collected. Data controllers need to know if GDPR applies to the processing operation in the first place.
It is not possible to use ‘legitimate interests’ as a lawful basis. For example, it is a legitimate interest of the OPW to conduct market research to make the visitor experience more enjoyable. Comments in visitor books would be helpful in this regard. A problem with this is that it may be helpful or useful to the OPW, but not, ‘necessary for the purposes of the legitimate interests pursued’, as required under GDPR. In this instance, the OPW had stated the office had no purpose or use for the visitor books at all. This begs the question, why have them at all? OPW surely has some use for them. What does it do with them when they are full? Bear in mind, ‘storage’ qualifies as a processing operation. If there is an intention to use the personal data as part of a filing system, then the OPW should be transparent about it. Where the policy is to wait until they are full and then put them in storage, the OPW should say this.
This relates directly to the purpose of any processing. So, if the OPW does intend to do something with the personal data at a later stage, they should let visitors know as soon as they know themselves. It is inconceivable that no one later goes through the books to see what visitors had to say. These books offer a tool for valuable market research on visitor experiences. There are many reasons to carefully examine the visitor books. Do they want to get statistical data on visitor country of origin? What they did and did not like? Comments left in the books could positively influence the management decisions around operational practices at the sites. Somewhat strangely, in the opinion of data protection specialists GDPRXpert, the OPW told the Irish Times that they didn’t really have a purpose for processing the personal data. Therefore, as they did not have a purpose, and a purpose is required under GDPR, they discontinued the practice of placing visitor books at heritage sites.
On balance, it is unlikely that the visitor books would fall under GDPR because of the ‘filing system’ definition. There are strict requirements before something falls under the definition. It is clear visitors are giving their personal data freely. Perhaps visitors do it unthinkingly or instinctively, but in the belief, the entries will be useful in some way. They are volunteering helpful feedback for the OPW.
At the least, even if GDPR is not applicable, OPW should display a short notice beside the visitor books. This should inform visitors that they may if they wish to do so, leave entries in the book, but advise them to keep personal details to a minimum. After all, the comments are potentially more valuable to OPW than personal details. At this time visitors should be made aware of the uses, if any, the OPW has in mind for the data. Who is going to make any entries if the notice says ‘we destroy the books every Friday at 5?’
A recommended policy is to be transparent and say something on a notice,such as, ‘we go through the comments for feedback to help improve visitor experience’. If that is the plan, it can further state that when this is done the books are archived. If the OPW is worried about people taking photographs of entries in the books they should place a sign beside the first notice stating, ‘NO PHOTOS HERE’. Ideally, the books could be placed at an exit point where there is normal security or staff presence.
Visitors do presume that by making an entry in the books it will be of some value to the management. They also presume that someone will, in some way, extract this value. Removing the books for data protection concerns was a complete overreaction to any potential risks. Even GDPR Art 32 made it clear that in ensuring … “a level of security appropriate to the risk …the nature, scope, context, and purposes of the processing as well as the risk…” be taken into account. Proportionality is a central concept embedded in the GDPR. GDPRXpert, along with many data protection consultants, agreed with the DPC view that it was disproportionate. The whole affair was an unnecessary storm in a teacup. Thankfully, reason prevailed and the books were later restored.
Patrick Rowland, GDPRXpert.ie.
We are GDPR & Data Protection Consultants with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.