GDPR for UK Gyms: Are You Storing Member Health Data Correctly?
ClearGym Team 4 min read

Health information is classified as "special category data" under UK GDPR. That includes PAR-Q answers, injury records, medical notes, allergy information — anything about a member's physical or mental health. The law requires you to handle it with the same care as a medical practice.

Most independent gyms I've seen aren't doing this. Not because they don't care, but because nobody told them what "properly" actually looks like.

What GDPR Actually Requires

The practical requirements for gyms storing health data are:

1. A lawful basis for collecting it. For health data, this is usually "explicit consent" or "vital interests" (e.g., knowing about a heart condition before prescribing exercise). You need to record that consent — when it was given, what for, and by whom.

2. Restricted access. Only staff who need to see health data should have access. A front-desk person doesn't need to know a member's medical history. A personal trainer writing a programme does.

3. Encryption. If you store health data digitally, it must be encrypted. That means no unencrypted spreadsheets, no Google Drive folders shared with the whole team, no USB sticks.

4. A retention policy. You can't hold data indefinitely. Set a clear period (e.g., 3 years after a member leaves) and delete it when that period expires.

5. The right to erasure. If a member asks you to delete their data, you need to do it — unless there's a legal requirement to keep it (e.g., for insurance purposes).

Where Most Gyms Slip Up

The most common problems I see:

Health data in spreadsheets. A Google Sheet with member medical info is a breach waiting to happen. It's not encrypted, access is hard to control, and there's no audit trail.

No access controls. Everyone on the team can see everything. In a small gym that feels friendly, but it's not compliant.

No consent records. The PAR-Q was signed on paper and filed. There's no record of what the member consented to, or when, or what they were told about how their data would be used.

Data held forever. Former member records sitting in a drawer or a hard drive indefinitely. GDPR requires you to delete data you no longer need.

Encryption Matters Here

Health data encryption isn't a "nice to have" — it's a legal requirement under Article 32 of UK GDPR (security of processing). If you store health information digitally, you need to show you've taken appropriate technical measures to protect it.

ClearGym encrypts health data at rest using AES-256-CBC with per-tenant keys. That means each gym's data is encrypted separately, and the decryption keys are derived from organization-specific secrets. It's not the simple "encrypt everything with one key" approach you see in most off-the-shelf software.
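How the per-tenant scheme described above fits together, as an added Go example that is not ClearGym's code: one master secret, a separate key derived from it for each gym (HKDF-style, with HMAC-SHA256), and AES-256-CBC with a fresh random IV per record, so a record written for one gym cannot be read with another gym's key. The derivation label and the tenant ids are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeriveTenantKey derives one gym's AES-256 key from the master secret and its tenant id,
// HKDF-style (HMAC-SHA256 extract under a fixed label, then expand with the tenant id).
func DeriveTenantKey(master []byte, tenantID string) []byte {
	ext := hmac.New(sha256.New, []byte("health-data-at-rest-v1")) // constructed label
	ext.Write(master)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("tenant:" + tenantID + "\x01")) // info || HKDF block counter
	return exp.Sum(nil)                                // 32 bytes = AES-256 key
}

// Encrypt returns IV || AES-256-CBC(PKCS#7(plaintext)) with a fresh random IV per record.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if _, rerr := rand.Read(iv); err != nil || rerr != nil {
		return nil, errors.New("bad key length or no entropy")
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return append(iv, buf...), nil
}

// Decrypt reverses Encrypt. Plain CBC has no integrity tag, so a wrong tenant key or an
// altered record is caught only by the padding check (and not always): add a MAC in production.
func Decrypt(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(record) < 2*aes.BlockSize || len(record)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or malformed record")
	}
	pt := make([]byte, len(record)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, record[:aes.BlockSize]).CryptBlocks(pt, record[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or modified record")
	}
	return pt[:len(pt)-pad], nil
}
```

CBC alone gives confidentiality but no tamper detection, and the post does not say whether ClearGym adds one; the padding error you get with the wrong key is a side effect, not an integrity check, so production code pairs CBC with an HMAC over IV and ciphertext or uses an authenticated mode instead.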

Practical Steps for Your Gym

If you're storing member health data, here's what to do this week:

  1. Audit what you hold. Where is health data stored? Paper files, spreadsheets, email attachments, cloud storage? Make a list.

  2. Identify who has access. Every person who can see health data should have a legitimate reason. Remove access for anyone who doesn't.

  3. Check encryption. If data is stored digitally, confirm it's encrypted. If you're not sure, assume it isn't.

  4. Set a retention period. Decide how long you keep former member data. 3 years is common. Add it to your privacy policy.

  5. Document consent. Make sure you have a clear record of each member's consent to store their health data, including when it was given and what they agreed to.

Don't Put It Off

GDPR enforcement for UK gyms is rare, but when it happens the cost is significant — both in fines and reputational damage. The actual requirements aren't complicated. Most gyms just haven't prioritised them. A few hours of work to get your data handling in order is cheap insurance.

ClearGym stores all health data with AES-256-CBC encryption and role-based access controls. Start a free 30-day trial to see how it works.