29 September 2021

The government’s latest COVID regulations require the owners or operators of fitness establishments to check either vaccination certificates or PCR test results for any person, other than an employee, who enters the business. 

The Ombudsman would like to remind those companies that their handling of that sensitive medical data for individuals must be done in compliance with the Data Protection Act (DPA), particularly if the vaccination or PCR test records are to be entered electronically or kept on file. 

“Someone’s vaccination status or medical test result is considered sensitive personal data under the DPA and, therefore, subject to stringent processing requirements,” said Ombudsman Sandy Hermiston. 

Any processing of personal data must be done fairly and transparently, must have a legal basis and must not be considered excessive collection of data. The Ombudsman advises fitness establishments to create written policies outlining how they will check vaccination/PCR test status and provide a privacy notice to the customer explaining who is collecting this data and why.  

The regulations do not require these establishments to keep records of the checks they have made, nor retain copies of medical records they are given. Owners or operators must decide how they will comply with the new requirements and the requirements under the DPA regarding sensitive personal data.  Please see the link to our office’s guidance note for more details: https://ombudsman.ky/images//pdf/pol_guide/DP_Vaccination_Status_Guidance_for_Fitness_Establishments_Sept_2021.pdf

Please visit the Ombudsman website for more information including FAQs, guidance and other resources to help you understand your data protection rights and obligations: www.ombudsman.ky/data-protection or send your questions to: [email protected]