(CNS): Gyms, sports clubs and fitness centres have been warned by the ombudsman that they must follow data protection legislation when they check that their clients either have been fully vaccinated or have a negative PCR test before entering their facilities as part of the new COVID-19 rules. The new regulations do not require these establishments to keep records of the checks they now must make or to retain copies of any medical records they are given. However, the ombudsman said operators must decide how they will comply with the new rules while abiding by the Data Protection Act.

The latest COVID control measures now require the owners of fitness centres to check that anyone other than staff coming into the facilities has a vaccination certificate or a PCR test result. But this type of information is considered sensitive medical data and must therefore be handled in compliance with the law, especially if it is being entered electronically or kept on customers’ files.

Ombudsman Sandy Hermiston said this information is “subject to stringent processing requirements”. Any processing of personal data must be done fairly and transparently, must have a legal basis and must not be considered excessive collection of data, she explained.

The ombudsman is advising such establishments to create written policies outlining how they will check vaccination/PCR test status and provide a privacy notice to the customer explaining who is collecting this data and why.