Ombudsman: Gyms must protect clients’ vaccination data

People visiting gyms and fitness centres are now required to provide proof of vaccination or a negative PCR test under new regulations issued this month by the Cayman Islands government. - Photo: File

Ombudsman Sandy Hermiston has issued a statement reminding owners and operators of gyms and other fitness centres that the handling of information about their clients’ COVID vaccination and test results must meet data-protection requirements.

The government last week issued COVID-19-related regulations that require all fitness establishments to check either vaccination certificates or PCR test results of customers using the facilities.

Hermiston noted that the collection and treatment of sensitive medical data must be done in compliance with the Data Protection Act, particularly if the vaccination or PCR test records are to be entered electronically or kept on file.

“Someone’s vaccination status or medical test result is considered sensitive personal data under the DPA and, therefore, subject to stringent processing requirements,” Hermiston said in the statement.

Any processing of personal data must be done fairly and transparently, must have a legal basis, and must not be considered excessive collection of data, the data protection legislation stipulates.


Hermiston is advising fitness establishments to create written policies outlining how they will check vaccination/PCR test status and provide a privacy notice to the customer explaining who is collecting this data and why.

The regulations do not require these establishments to keep records of the checks they have made, nor to retain copies of the medical records they are shown. Owners or operators must decide for themselves how they will comply with the new regulations and with the requirements under the Data Protection Act regarding sensitive personal data.

The Ombudsman notes that if operators decide only to conduct a visual examination of the certificate or test results, then the Data Protection Act would likely not apply, because no record of the data would be created.

However, if the check is done electronically – for example, by scanning the QR code displayed in the Health Services Authority health app – it would fall under the Data Protection Act, even if no record of the check is kept. In that case, if the establishment is not retaining a record, it would only be required to explain to the customer why it is processing their data and what the data will be used for.

The Office of the Ombudsman has issued a guidance note on how fitness centres should handle the gathering and retention of customers’ medical information.