Editor's letter
Health clubs and leisure centres have become some of the most data-intensive operations when it comes to customer records.
Every member relationship generates sensitive data, including things such as direct debit mandates, PAR-Q and medical screening records, access control logs and CCTV footage. There may also be marketing preferences, cancellation records and – for sites with junior programmes – children’s activity data. In addition, if the operator has an app, then activity in this could also be recorded.
This is a significant volume of information, much of it relating to highly sensitive areas including health, payments and family.
Every member interaction leaves a trail and that data typically sits across several systems: booking apps, CRM platforms, payment processors, access control systems, marketing tools, CCTV providers and head office platforms.
Managing data across that many systems is normal for operators in the sector, but problems arise if a member challenges how their data has been used and there is no clear process for handling their query.
This is no longer acceptable in the UK and under the Data (Use and Access) Act 2026 – a piece of legislation that received Royal Assent on 19 June (www.hcmmag.com/DUA) – organisations must now have a clear and robust process for handling data protection complaints.
Penalties have increased, with fines potentially reaching £17.5m, or 4 per cent of global turnover
Complaints may not look like complaints
A member doesn’t need to use the words ‘data protection complaint’ for the club to have a data protection issue to deal with. Members are far more likely to ask things such as why they’re still receiving marketing emails after cancelling their membership, who has access to their medical screening form, whether CCTV footage of them has been retained or why their details are still on file after they left.
Once a member has raised such a query, the responsibility sits with the health club to recognise whether the complaint relates to the handling of personal data. If it is, it must be acknowledged, investigated, recorded and answered through the club’s own data protection complaints process.
This is where the sector has a practical challenge. A complaint might arrive through reception, a club manager’s inbox, a membership team call, a customer service form or a social media message and the first person to receive it may have no reason to treat it differently from any other member query.
Medical screening records are a good example. They’re used routinely in the sector, but they can include health information, which is treated as special category data under UK GDPR and requires stronger protection.
If a member challenges how that information has been stored, who’s seen it, how long it’s been retained or whether it’s been shared, the operator needs to do more than give general reassurance that the information is secure. It needs to report on exactly what happened, who checked it, what decision was made and how the member was informed.
The challenge is rarely that health club operators don’t care about member data, because most do. The challenge is that responsibility can become blurred between reception, club managers, regional teams, head office, technology suppliers and external processors.
The Information Commissioner’s Office will expect to see evidence of how a complaint was handled if it’s escalated
What 19 June actually changes
The Data (Use and Access) Act 2026 marks a structural change, and the Information Commissioner’s Office now expects operators to handle data protection complaints themselves initially, before a member can escalate their case to the regulator. This means operators must adopt a complaints process that’s visible, documented and followed reliably, not just a general intention to deal with member queries fairly.
For example, complaints must be acknowledged within 30 days, and dealt with without undue delay and the Information Commissioner’s Office will expect to see evidence of how the complaint was handled if it’s escalated at a later date.
The commercial stakes are significant. Penalties relating to the Privacy and Electronic Communications Regulations have increased under the new Act, with fines potentially reaching £17.5m, or 4 per cent of a company’s global turnover, for serious breaches.
Failure to handle data complaints properly can also increase regulatory scrutiny, cause reputational damage and – in serious cases – create enforcement risk, particularly where the data involved relates to health, children, payments or surveillance.
Operators must now know where a data complaint can arrive, who recognises it, who investigates it, how suppliers are involved, how the response is recorded and how the member is kept updated throughout.
This is not a compliance exercise that sits separately from the business. It’s part of running a modern operation that members can trust with their health information, payment details and, in many cases, their family’s data.
Andy Chesterman is MD at Privacy Helper
Editor's letter
Feedback
HCM People
HCM People
Profile
Opinion
Sponsored
Data
Obituary
Healthspan
Liability
First person
Tech
Profile
Profile
Research
Health clubs and leisure centres have become some of the most data-intensive operations when it comes to customer records.
Every member relationship generates sensitive data, including things such as direct debit mandates, PAR-Q and medical screening records, access control logs and CCTV footage. There may also be marketing preferences, cancellation records and – for sites with junior programmes – children’s activity data. In addition, if the operator has an app, then activity in this could also be recorded.
This is a significant volume of information, much of it relating to highly sensitive areas including health, payments and family.
Every member interaction leaves a trail and that data typically sits across several systems: booking apps, CRM platforms, payment processors, access control systems, marketing tools, CCTV providers and head office platforms.
Managing data across that many systems is normal for operators in the sector, but problems arise if a member challenges how their data has been used and there is no clear process for handling their query.
This is no longer acceptable in the UK and under the Data (Use and Access) Act 2026 – a piece of legislation that received Royal Assent on 19 June (www.hcmmag.com/DUA) – organisations must now have a clear and robust process for handling data protection complaints.
Penalties have increased, with fines potentially reaching £17.5m, or 4 per cent of global turnover
Complaints may not look like complaints
A member doesn’t need to use the words ‘data protection complaint’ for the club to have a data protection issue to deal with. Members are far more likely to ask things such as why they’re still receiving marketing emails after cancelling their membership, who has access to their medical screening form, whether CCTV footage of them has been retained or why their details are still on file after they left.
Once a member has raised such a query, the responsibility sits with the health club to recognise whether the complaint relates to the handling of personal data. If it is, it must be acknowledged, investigated, recorded and answered through the club’s own data protection complaints process.
This is where the sector has a practical challenge. A complaint might arrive through reception, a club manager’s inbox, a membership team call, a customer service form or a social media message and the first person to receive it may have no reason to treat it differently from any other member query.
Medical screening records are a good example. They’re used routinely in the sector, but they can include health information, which is treated as special category data under UK GDPR and requires stronger protection.
If a member challenges how that information has been stored, who’s seen it, how long it’s been retained or whether it’s been shared, the operator needs to do more than give general reassurance that the information is secure. It needs to report on exactly what happened, who checked it, what decision was made and how the member was informed.
The challenge is rarely that health club operators don’t care about member data, because most do. The challenge is that responsibility can become blurred between reception, club managers, regional teams, head office, technology suppliers and external processors.
The Information Commissioner’s Office will expect to see evidence of how a complaint was handled if it’s escalated
What 19 June actually changes
The Data (Use and Access) Act 2026 marks a structural change, and the Information Commissioner’s Office now expects operators to handle data protection complaints themselves initially, before a member can escalate their case to the regulator. This means operators must adopt a complaints process that’s visible, documented and followed reliably, not just a general intention to deal with member queries fairly.
For example, complaints must be acknowledged within 30 days, and dealt with without undue delay and the Information Commissioner’s Office will expect to see evidence of how the complaint was handled if it’s escalated at a later date.
The commercial stakes are significant. Penalties relating to the Privacy and Electronic Communications Regulations have increased under the new Act, with fines potentially reaching £17.5m, or 4 per cent of a company’s global turnover, for serious breaches.
Failure to handle data complaints properly can also increase regulatory scrutiny, cause reputational damage and – in serious cases – create enforcement risk, particularly where the data involved relates to health, children, payments or surveillance.
Operators must now know where a data complaint can arrive, who recognises it, who investigates it, how suppliers are involved, how the response is recorded and how the member is kept updated throughout.
This is not a compliance exercise that sits separately from the business. It’s part of running a modern operation that members can trust with their health information, payment details and, in many cases, their family’s data.
Andy Chesterman is MD at Privacy Helper
Editor's letter
Feedback
HCM People
HCM People
Profile
Opinion
Sponsored
Data
Obituary
Healthspan
Liability
First person
Tech
Profile
Profile
Research