The Case of the Vanishing Visitors Book

Today’s Irish Times has an “interesting” story about the Office of Public Works ordering the removal of visitors books from various heritage sites around Ireland. I’m quoted in it. To summarise my comments in the article: It’s an illogical answer to a logical question.

I’ve been on the radio this morning twice (Newstalk FM and The Today Show with Miriam O’Callaghan) talking about this, and my colleagues from Castlebridge have been dealing with a range of media queries from other outlets around the country. I thought it would be helpful to document the various issues and why we believe the OPW’s actions are an illogical answer to a logical question.

So, let’s explore The Mystery of the Vanishing Visitor Books.

{Note: I’ve updated this on 24th July 2019 to address Article 4(6) GDPR. I would have discussed a CJEU case about Jehovah’s Witnesses and it’s relevance/irrelevance to this discussion, but even my eyes were glazing over, dear reader.}  

Does GDPR even apply to visitors books?

The first question we need to ask is if GDPR would even apply to visitors books. Arguably it might not, because GDPR only applies to manual records (non-electronic data) where those records are kept in a filing system or with the intent that they should form part of a filing system. The GDPR is very clear (in Recital 15) that

Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

So.. are the visitor books “structured according to specific criteria” that would allow data to be cross referenced in a filing system? Because that is the requirement under Article 4(6) of GDPR where “filing system” is defined (my emphasis)…

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

The second question we need to ask is whether a visitor book contains sufficiently detailed information to meet definition of “personal data” under Article 4(1) of GDPR.

‘personal data’ means any information relating to an identified or identifiable natural person

We know the OPW’s comments to the Irish Times that the OPW had “observed that visitors were recording personal data, including names, addresses, etc, in visitor books”. So there may indeed have been some personal data. However, people are free to leave what ever granularity of data they chose in a visitors book. The question then shifts to being what the OPW could have or should have done about it. (We’ll come to that later).

What was the purpose for processing data in a visitors book?

We need to unpack this slightly and differentiate between the purpose for processing personal data in a visitors book. We also need to distinguish between different kinds of visitors books.

• One category of visitors books have a primary purpose of allowing visitors to a building or heritage site to record their impressions and opinions about their experience there. In times past the visitors book was a tool to prevent people from marking buildings with graffiti (“Kilroy was here. The coffee shop was to die for”, that kind of thing). A good historical example of this is at an OPW site in Killarney.
• Another category of visitors book is the one that companies or organisations would have for people who are visiting in an “official” or work-related capacity in a company or workplace. These are primarily for health and safety and security purposes.

The OPW’s action relates to the former kind of visitors book.  Another purpose of visitors books is to provide qualitative information about the visitor experience. This is valuable as it spontaneously provided voluntarily by visitors, and can be extracted and analysed in an anonymous fashion. So, it’s a cheap and relatively effective way of market research. This paper published on Informal Science in 2013 looked at the visitor books of one National Museum of Ireland location (Turlough Park) and found that approximately 1% of visitors sign the visitors book and showed how museums often use visitor book feedback to help make things better from the visitor’s perpsective.

The OPW tells the Irish Times, correctly, that GPDR requires a purpose for processing, but go on to imply that they don’t have a purpose so they stopped doing it. Perhaps the OPW simply hadn’t considered the uses and purposes for visitor books as a service to their visitors or as a source of information to drive data-driven decisions about the management of heritage sites?

So what is the risk that the OPW is mitigating by removing the visitor books?

The OPW is mitigating the risk that people with cameras or camera phones might take photographs of information recorded in visitor books and disclose it online. So, Mrs Miggins from Kentucky might find her personal details posted on the Facebook page of Jurgen from Dortumund.

The OPW argues that Article 32 of GDPR requires them to do this. However, Article 32 of GDPR requires that the security measures implemented to protect against “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” (Article 32(2)), and it requires that the measures applied should take into consideration the risks to fundamental rights and freedoms of individuals “and the nature, scope, context and purposes of processing” (Article 32(1)).

Arguably, by removing the visitor books, they are taking a nuclear bomb to crack a nut. However, this is the illogical answer to a logical question.

But what about that Romanian case?

Of course, we do need to take account of regulatory activity in other EU Member States. Romania recently fined a hotel chain for failing to ensure appropriate data security measures were in place when 3rd parties were able to photograph and publish lists of guests who were booked for breakfast in one of their hotels. The fine was €15000.

But hotel guest lists tend to be a lot more structured than visitors books as they contain the room number, the number of guests, and potentially the names of the guests. Therefore, they would tend to fall more directly into the definition of a “filing system” under Article 4(6) by the simple fact the list is usually searched by room number when you go to get your breakfast in a hotel. And simple security protocols in the hotel, such as not leaving the guest list unattended or shielding it from the view of guests could have mitigated the risk of unauthorised obtaining (by photographing) and unauthorised disclosure (publication online). (It’s still a worthwhile case to note however…)

What could have been done differently?

To consider what could have been done differently by the OPW, we need to start from the basis that there is a potential for personal data to be recorded in a visitors book, and that the purposes for the visitors book might have evolved through custom and practice and might not have been formally written down in the past.

At the risk of giving away free consultancy, there are a number of options the OPW could have considered. Given the stated fear that people could photograph the visitors books and disclose personal data of others in the event that full names addresses and other identifying information was recorded, they could have:

1. Moved the visitors book to an area where staff could keep an eye on it and minimise the risk that people might copy data from it either with a camera or a notebook.
2. They could have one page per person in the visitor book so only two comments would be visible at any time.
3. They could have put signs up beside the visitors book to inform visitors of the purposes the information written in the visitors book would be put to (archival records, analysis of comments to help improve visitor experience etc.), and recommend to people that they put the minimum amount of personal information necessary in when writing their comments – which is the “Data Minimisation Principle” in GDPR.
4. They could have put signs up requesting that people not take photographs of the visitor book out of respect of the privacy
5. Also, they could remind people that it’s not compulsory to fill out a visitors book (so processing is based on consent). As I said on the radio today: “Kilmainham Jail is an OPW site, but they do let you leave even if you haven’t signed the visitors book”.

It’s worth noting that cameras have been a feature of tourist attractions since the early days of photography and they have quite often been in proximity to visitor books. Also, protection of physical records was a feature of Data Protection law in Ireland pre-GDPR. So, the OPW’s new-found concern is perhaps a little late in coming.

PostScript..

These “funny GDPR” stories are all well and good, but they serve to distract from some key issues that exist which are worryingly under reported by the Irish media at the moment.

1. Dept of Social Protection remains under investigation by the DPC in respect of Public Service Card and MyGovID. Not enough has been made of the ICCL’s recent study that found significant concerns in the Public Sector about this ill-starred project or the Data Protection Commissioner’s recent interview where she expressed concerns about the Government’s Data Strategy (and she’s not the first DPC to express similar sentiments.
2. Reviews are ongoing of 31 Community CCTV projects to determine whether they comply with data protection laws.
3. Organisations of all types and sizes are getting data protection training and advice of varying degrees of quality and rigour. Which is a problem in a risk-based model for data governance and data protection.

+++

Links to the various media coverage from today will be added below as they become available:

• Daragh O Brien on Today with Miriam O’Callaghan (RTE Radio 1)
• Daragh O Brien on Newstalk Breakfast
• Daragh quoted on BreakingNews.ie (which was picked up here, here, and elsewhere).