Irish Data Protection Commission Case Studies

Case study 1: Leisure centre requests excessive personal data from patrons. [2011] IEDPC 1 (2011)
URL: http://www.bailii.org/ie/cases/IEDPC/2011/[2011]IEDPC1.html
Cite as: [2011] IEDPC 1
In October 2010 I received a complaint from an individual in relation to a leisure centre, Swan Leisure in Rathmines, refusing him and his child entry to its swimming pool because he declined to complete its Guest Registration Form. The complainant provided a copy of the Guest Registration Form. The first page of the form requested details such as the individual's name, address, date of birth, email and mobile phone number. The second page consisted of a list of medical-related questions such as the person's family medical history of heart disease, respiratory disease and diabetes, the extent to which they may be overweight, and details of their lifestyle. The complainant refused to complete the registration form because he considered it to be too intrusive as it required him to divulge sensitive, personal medical information. He said that he should be able to take his child for a swim without having to provide sensitive personal information.
Section 2(1)(c) of the Data Protection Acts, 1988 and 2003 provides that data "shall be adequate, relevant and not excessive" in relation to the purpose for which it is kept. My Office informed Swan Leisure that we considered its practice of requesting the aforementioned information to be excessive. In addition we pointed out that medical data is deemed to be sensitive personal data and its processing is subject to additional safeguards under the Acts. We asked the leisure centre to outline to us the basis on which medical data was sought and how the processing of that information complied with its obligations under the Acts.
In its reasoning for asking guests who attend the facility to provide their name and contact information, Swan Leisure referred to its Child Protection Policy. It indicated that in order to safeguard children attending its facilities it was imperative that it take a record of everyone that came onto the premises. It was not clear to us how having the name and address of every person attending the facility was relevant to child protection. In relation to the medical screening forms, the leisure centre informed us that the reason for requesting guests' medical data was to help prevent injuries or medical issues arising from the use of its facilities. It also referred to advice given by the American College of Sports Medicine (1976) stating that anyone who has risk factors for heart disease (a family history of heart disease, a history of smoking, high blood pressure or high blood fat levels) should be given a full medical examination before exercising in a health club. The leisure centre informed us that it was collecting medical information under Section 2(B)1 of the Acts which, among other things, allows the processing of sensitive personal data where the processing is necessary to prevent injury or other damage to the health of the data subject or another person.
Having reviewed its response, we told Swan Leisure that its policy of recording the name, contact details and medical information of all of its patrons was unacceptable. We acknowledged the importance of protecting children and safeguarding the health and well-being of patrons during the use of the leisure facilities. However, we informed it that from a data protection perspective, the systematic recording of patrons' information was a disproportionate response to the aims it sought to further, i.e. health promotion and the protection of children. We further informed the leisure centre that the request for such information could not be justified by reference to the policy guidelines and academic commentary it had cited.
In its response, the Centre referred to the Institute of Leisure and Amenity Management (ILAM) facility standards. Following further communications with my Office, the leisure centre subsequently confirmed that in order for it to meet both ILAM's guidelines and the Data Protection Guidelines it had changed its policy so that it now offers a guest register form. However, the completion of this form is no longer a condition of entry to the leisure centre and the right of patrons not to provide the personal information requested is respected. In relation to the forms already completed prior to the introduction of this change, it informed us that guests would be given the option to have their data deleted at any point during or after their time with the centre. As a result of this complaint, members of the public may now use the swimming pool at the leisure centre on an anonymous basis and that is as it should be.