• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

GDPR question

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    GDPR question

    A website I subscribe to has a chat room which is mostly full of tulipe, has a few arguments/other popcorn, the odd racist outburst, and the occasional gem etc etc. It's basically just a linear log going back to 2009 to the present day. The chat archive isn't searchable, but you can go to any given point in time and read that page, so in theory, a determined person with sufficient time could start at the beginning and copy and paste to make their own local copy of the log.

    The site owner is proposing clearing the log down to the last 30 days - he's said if anyone wants a copy of the archive he could provide one.

    Given that most people are using their real name (and some are/were minors too) is that a data protection issue? The end result is no different to someone paging through it and making a copy, but it feels different to me?

    Was gonna stick my oar in to the discussion (as is my wont) but would be good to get some expert opinion so I'm not talking complete crap

    #2
    Originally posted by mudskipper View Post
    Was gonna stick my oar in to the discussion (as is my wont) but would be good to get some expert opinion so I'm not talking complete crap
    And you're asking here?

    Comment


      #3
      Originally posted by HoofHearted View Post
      And you're asking here?
      Yes because at least 1 poster earns his money from being a GDPR expert.
      merely at clientco for the entertainment

      Comment


        #4
        The reason they are clearing the log maybe to comply with GDPR? Sounds like they are making things better?

        Comment


          #5
          I'd say it depends on the information and T&Cs the users signed up to, but unless those explicitly state that information could be given out, then the owner providing the details to anyone who asked would be falling foul of digital privacy laws.

          Would the log contain information that could be regarded as identifiable details about individuals?

          I have experience of another website forum where the owner fell out with many contributors and gave notice of it closing. In that case, contributors set up a new site, but their recommended approach of getting content over to the new site was that each individual had to re-create their posts on the new site, or specifically give authority for someone else to do so.

          Comment


            #6
            It's a chat log. So if I wish you a "happy birthday" that's personal info. If I say "John lives in the next road to me" and a year later give my street name etc etc...

            I suppose it would be like admin providing a copy of CUK (if we were using real names) to someone - we've all chosen what personal info to publish, some of us may have put stuff about others which they may or may not know about - it's all publicly accessible already - but is that the same as allowing us to download it all?

            Comment


              #7
              Real name isn't sensative data as it doesn't identify the person due to many other people having the same name so I think its fine.

              If it was linked to an address, dob or any other secondary information which made thst person identifiable then that's an issue for sure.
              Last edited by northernladuk; 18 January 2021, 10:31.
              'CUK forum personality of 2011 - Winner - Yes really!!!!

              Comment


                #8
                Originally posted by northernladuk View Post
                Real name isn't sensative data as it doesn't identify the person due to many other people having the same name so I think its fine.
                Yep from The GDPR: What exactly is personal data? - IT Governance Blog En

                Names aren’t always considered personal data

                You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:
                “By itself the name John Smith may not always be personal data because there are many individuals with that name.
                “However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
                However, the ICO also notes that names aren’t necessarily required to identify someone:
                “Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
                merely at clientco for the entertainment

                Comment


                  #9
                  Originally posted by mudskipper View Post
                  A website I subscribe to has a chat room which is mostly full of tulipe, has a few arguments/other popcorn, the odd racist outburst, and the occasional gem etc etc. It's basically just a linear log going back to 2009 to the present day. The chat archive isn't searchable, but you can go to any given point in time and read that page, so in theory, a determined person with sufficient time could start at the beginning and copy and paste to make their own local copy of the log.

                  The site owner is proposing clearing the log down to the last 30 days - he's said if anyone wants a copy of the archive he could provide one.

                  Given that most people are using their real name (and some are/were minors too) is that a data protection issue? The end result is no different to someone paging through it and making a copy, but it feels different to me?

                  Was gonna stick my oar in to the discussion (as is my wont) but would be good to get some expert opinion so I'm not talking complete crap
                  There are a few things to worry about.

                  User Generated content such as forum posts is tricky. A personal name alone is not PII, but if that could be combined with other data from the site to identify an individual then it is. So if a user has used their real name and posted information about where they live / go to school / sports teams they play for etc. then there may be an issue. This also applies if another user has posted personal data about that individual.

                  As the data processor you must be able to support the rights of data subjects under the regulations. This includes removal of PII data etc on request (Right to be Forgotten), including data about them posted by other members. If they have archived the site and then shared copies of that archive they can no longer meet their obligations as the data is now out of their control. It could also be seen as an unauthorised disclosure unless all affected users (past and present) have consented to their data being shared in this way.

                  If children are involved then there are additional requirements around the provision of consent to process or share data as well. The base line in the regulations is 16, below this age you must get parental or other guardian consent. However, this age can vary depending on where the data is being processed as member states are allowed to reduce it as low as 13. You must also take specific action to ensure that their rights and the process for consent are clearly explained in simple language. You can't just hide it in the small print, it has to be clear, easily understood and readily available.

                  Fundamentally I'd say sharing the archive is a bad idea. They would be better off either leaving it up in it's entirety, they can make a strong argument that historic posts are a fundamental part of the service being provided and as such should be retained for the life of the forum, or deleting it completely.

                  There are a bunch of other things they need to be aware of as well around processing data as part of the functioning of the site through user accounts, email addresses etc. but they may already have this in hand.
                  "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

                  Comment


                    #10
                    for me there are two areas of interest.

                    1) the individuals information was provided by those individuals for a specific use case
                    2) providing the historical logs to interested parties is outside the use case that the individuals submitted the information for.

                    Unless the data protection officer explains clearly to the individuals, and gets their permission, they cannot provide the information to another person or organisation without breaching GDPR.
                    See You Next Tuesday

                    Comment

                    Working...
                    X