
Data protection

toofast2live
Lemon Slice
Posts: 494
Joined: November 4th, 2016, 2:24 pm
Has thanked: 2 times
Been thanked: 98 times

Data protection

#115893

Postby toofast2live » February 5th, 2018, 4:39 pm

I have just formed a small club. To date I have about 100 members, and was about to circulate contact details for all members to all the members.

However someone mentioned "data protection" and that I should email each member asking him/her if they want their phone and/or email details circulated. Going forward I will have a tick box on the application form, but can anyone tell me the legal situation of distributing a member contact list to all members.

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#115897

Postby didds » February 5th, 2018, 4:50 pm

Unless it's a real requirement/necessity for the nature of your organisation I just wouldn't go there. Let individuals give each other details as and when etc.

How will you cover those that subsequently request their details not now be provided far and wide? Having said yes - maybe in error etc?

didds

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#115898

Postby didds » February 5th, 2018, 4:52 pm

AIUI virtually every organisation/business etc will now/soon have to register with some DP thing, if they hold anybody else's details eg email address.

didds

JonE
Lemon Slice
Posts: 398
Joined: November 11th, 2016, 11:35 am
Has thanked: 25 times
Been thanked: 97 times

Re: Data protection

#115913

Postby JonE » February 5th, 2018, 5:25 pm

toofast2live wrote: I have just formed a small club. To date I have about 100 members, and was about to circulate contact details for all members to all the members.


Sending an email to a significant number of recipients is likely to be a problem in several regards. For example, it's the sort of thing that spammers do so you could get identified as a spammer such that your emails may not get through. Similarly, your email provider may refuse to process an email with more than a certain number of recipients.

If you do send an email to batches/groups consisting of a number of people (the committee, for example) then please, please use bcc rather than supply everyone with the email address of every other intended recipient as would be the case if using cc. Even if each of you is acquainted with every other club-member that doesn't mean that everyone will be happy for the email address they've given you to be handed over to the machine of every other current or future member.

The club can maintain a register of members for its own administrative purposes but taking it upon yourself to publish that list is not a good plan.

On a different topic, whenever creating, say, a word-processed document for others to view then regard yourself as the document 'owner' and send only pdf versions of the document so that only you can amend the 'master' and spurious variants don't come into being.

Cheers!

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#115917

Postby didds » February 5th, 2018, 5:41 pm

What JonE says!

didds

jdlemon
Posts: 27
Joined: November 14th, 2016, 12:37 pm
Has thanked: 1 time
Been thanked: 1 time

Re: Data protection

#115923

Postby jdlemon » February 5th, 2018, 6:03 pm

It's unlikely that your club will need to register with the Information Commissioner, unless you're running a CCTV system.

More importantly you DO need to take account of the new General Data Protection Regulations that come into effect in May.

You will probably need to have some kind of sign-up form which includes opt-in(s) to the use of personal data. This is no longer dependent on whether this data is held on a computer system or not.

dionaeamuscipula
Lemon Quarter
Posts: 1095
Joined: November 4th, 2016, 1:25 pm
Has thanked: 101 times
Been thanked: 374 times

Re: Data protection

#116043

Postby dionaeamuscipula » February 6th, 2018, 9:39 am

For GDPR purposes, the general view is that you should *not* use opt-ins. You should process and keep data only as and for as long as required. But if you are administering members of a club you *need* to process their data, and you are therefore offering a false choice if you ask permission or offer an opt in. You should just say something like: "As a member of this club we will need to process your personal data for the purposes of administering your membership." and leave it like that. If the club is such that you have to keep sensitive data such as health, then the requirements are a bit stronger.

It is definitely worth reading up on the requirements.

DM

Meatyfool
Lemon Slice
Posts: 313
Joined: November 4th, 2016, 11:43 am
Has thanked: 2 times
Been thanked: 55 times

Re: Data protection

#116056

Postby Meatyfool » February 6th, 2018, 10:08 am

It is the nightmare scenario for someone holding people's email addresses when they unthinkingly send the email "to" rather than "bcc".

The thought just occurred to me that a standalone email client that only permits bcc would be a boon to said user.

If you could get into the habit of using the standalone tool for all communications to the membership, you negate the risk. Whether "remembering to use the tool" is more difficult than "remembering to use bcc", you decide.

It seems such a client doesn't exist?

Perhaps existing email clients, if emailing to more than say X addresses could ask "Mailing to many people may be better done with bcc? Would you like to use bcc?".

Meatyfool..

production100
2 Lemon pips
Posts: 117
Joined: November 7th, 2016, 10:58 am
Has thanked: 47 times
Been thanked: 59 times

Re: Data protection

#116075

Postby production100 » February 6th, 2018, 11:02 am

If you have Word you can just use the mail merge feature to automatically create individual emails to each address. Create the email address list in an Excel spreadsheet, with one on each line, and use that for the Word addresses. Then each person only gets their address on the email.

On recent Office versions it is 'Mailings', 'start mail merge', 'Email messages' and write the email. Then 'Select recipients', 'use an existing list' and select the Excel email file. Then 'Finish and merge', 'send email messages' and add a subject for the email. Click OK and it creates and sends the same email to each email address on the list. (I use Outlook for my emails and with that I switch it to work offline. That way you can check one of the emails to ensure it is what you want before you go online and all the emails are sent. No doubt you can do this with most other email clients).

It saves a lot of worrying about people being able to see other addresses.

Chris
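
The per-recipient merge described in the post above, together with the pre-send recipient check suggested earlier in the thread, as an added example that is not part of any poster's message. The addresses, the `email` column name and the `MAX_VISIBLE` threshold are constructed assumptions; the code only builds and checks messages and sends nothing.

```python
import csv
import io
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list, one address per row (as in the spreadsheet described above).
SAMPLE_CSV = "email\nalice@example.org\nbob@example.org\nAlice@example.org\ncarol@example.org\n"
MAX_VISIBLE = 5  # hypothetical threshold, the "X" in the suggestion earlier in the thread


def load_addresses(csv_text):
    """Read the 'email' column, dropping blanks and case-insensitive duplicates."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = (row.get("email") or "").strip()
        if addr and addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr)
    return out


def merge(sender, subject, body, addresses):
    """Build one message per member so each To: header holds a single address."""
    messages = []
    for addr in addresses:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc, but not Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg, limit=MAX_VISIBLE):
    """Pre-send guard: refuse a message that exposes more than `limit` addresses."""
    return len(visible_recipients(msg)) <= limit
```

Running `safe_to_send` over every outgoing message before it is handed to the mail server catches a member list pasted into To or Cc by mistake.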

killergorilla
Posts: 39
Joined: November 14th, 2016, 5:52 pm
Has thanked: 3 times
Been thanked: 18 times

Re: Data protection

#116120

Postby killergorilla » February 6th, 2018, 1:25 pm

Minefield. Don't do it.
Why not set up a forum online or a live group within Facebook or WhatsApp (assuming most people have the platform)?
This way by joining and engaging with the forum they consent for others to contact them without giving away any specific detail...much like the forum you're on now :-)
KG

melonfool
Lemon Quarter
Posts: 2939
Joined: November 4th, 2016, 11:18 am
Has thanked: 1365 times
Been thanked: 793 times

Re: Data protection

#116209

Postby melonfool » February 6th, 2018, 8:36 pm

I recommend calling the Information Commissioner's Office for advice - there are conflicting comments on here and actually some are not correct.

I had to call the ICO yesterday and they were helpful, I have spoken to them before.

Under GDPR you have to ask specific consent (NOT an 'opt in') specific to the use you will be using the data for, and then you can ONLY use the data for the reason the consent was requested (or a closely associated reason - so, if someone applies for a job, you can't then use their data to send marketing updates). You cannot just *say* someone has consented by agreeing to a contract, it has to be specific and specific to the type of data and the use being made of it.

You can, however, use data under other 'exclusions' which do not need consent, but you need to read those exclusions carefully to see if any apply (if you have a contract in place with members then there is an exclusion there - something about 'to ensure the proper execution of a legitimate contract' which is what we HR people are using).

You also need to be aware of the PECR - The Privacy and Electronic Communications Regulations - which also govern how you use people's electronic data (and an email address is indeed 'data' under the Act and holding it is 'processing' under the Act - Data Protection Act I mean, the definitions are largely the same in GDPR).

Though you may also like to consider what the actual risk is and keep a note of how you assessed that, what decision you made and the reasoning. GDPR is all about organisations being made accountable and taking decisions based on good information (internal audit - very like H&S Risk Assessments).

Call the ICO - that's your best bet.

This is useful for breaking down the consent myth:

https://iconewsblog.org.uk/2017/08/16/c ... nt-page-1/

Mel

Greg872
Posts: 1
Joined: March 6th, 2018, 3:42 pm

Re: Data protection

#122636

Postby Greg872 » March 6th, 2018, 3:53 pm

Hi There,

I have been reading up on the GDPR and PECR which are the new regulations coming into force in May this year, if breached the fines imposed could ruin a business which is a main concern for me because we store a lot of customer data and transact with customers from abroad as well.

I have decided to ensure that our compliance manager and staff are fully abreast of the new regulations as I can't possibly risk any problems or potential breaches, so instead of insisting they read the heavy document (which I don't think they will and cause resource strain) I appointed a firm to train them and support them,

Moderator Message:
promotion of third party removed pending clarification by poster (chas49)
- I figured the cost for the training was a small price to pay for the major risk.

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#122763

Postby didds » March 6th, 2018, 11:01 pm

I have a very very small local IT support business. It amounts to just a couple of K per year (if that!) and on the whole probably little more than a couple of jobs per month (though some of them can be sizeable with repeat customers etc relatively).

I don't keep any specific records as such of customers' details except:

* digital storage of invoices, which do include a name and address
* email addresses which are automagically stored by my email client/gmail webmail.

I fear that this new DP requirement means I now have to register for something and keep all sorts of secure encrypted records just because an address that can be googled ordinarily is "stored" via these two.

?

didds

melonfool
Lemon Quarter
Posts: 2939
Joined: November 4th, 2016, 11:18 am
Has thanked: 1365 times
Been thanked: 793 times

Re: Data protection

#122946

Postby melonfool » March 7th, 2018, 4:40 pm

Greg872 wrote: Hi There,

I have been reading up on the GDPR and PECR which are the new regulations coming into force in May this year, if breached the fines imposed could ruin a business which is a main concern for me because we store a lot of customer data and transact with customers from abroad as well.

I have decided to ensure that our compliance manager and staff are fully abreast of the new regulations as I can't possibly risk any problems or potential breaches, so instead of insisting they read the heavy document (which I don't think they will and cause resource strain) I appointed a firm to train them and support them,

I figured the cost for the training was a small price to pay for the major risk.


PECR is not new, it came into force in 2003!

I have been running our internal GDPR project for about 6m now and we're nearly ready. Luckily we hold very little consumer data and do very little direct marketing, so most of our issues are around staff data.

Didds - I recommend you speak to the ICO, they are very helpful and have a special number for small businesses.

Part of the project I have done is to assess risk - if 'a' happened what would be the outcome and how bad is that outcome for us. The risk of anything like the fines being bandied about is incredibly low (as long as you have plans, audits and risk assessments in place - the Act is all about compliance and checking, doing your best to avoid issues etc) and, for us, it would all be about reputational damage. This should not, obviously, be underestimated but the ICO doesn't care about your reputation so that's an internal issue.

Mel

dionaeamuscipula
Lemon Quarter
Posts: 1095
Joined: November 4th, 2016, 1:25 pm
Has thanked: 101 times
Been thanked: 374 times

Re: Data protection

#123124

Postby dionaeamuscipula » March 8th, 2018, 11:07 am

didds wrote: I have a very very small local IT support business. It amounts to just a couple of K per year (if that!) and on the whole probably little more than a couple of jobs per month (though some of them can be sizeable with repeat customers etc relatively).

I don't keep any specific records as such of customers' details except:

* digital storage of invoices, which do include a name and address
* email addresses which are automagically stored by my email client/gmail webmail.

I fear that this new DP requirement means I now have to register for something and keep all sorts of secure encrypted records just because an address that can be googled ordinarily is "stored" via these two.

?

didds


You should almost certainly already be registered under the DPA.

There is a self assessment tool on the ICO website.

DM

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#123129

Postby didds » March 8th, 2018, 11:19 am

I tried that self assessment tool - it says I needn't be registered, as whilst I have names and address stored digitally in digital invoices, I have nothing on a PC that processes those details.

Ditto email addresses held in automagic contact lists in an email client - the email client "knows" about them, but nothing actually processes that "database".

Unless of course what the ICO means by "processes" is something different to what I think a sensible interpretation of that is. ie another program that automatically trawls that info and uses it for some other purpose.

The invoices are only "accessed" by Excel when I choose to open them. And then Excel doesn't "do" anything with them except show the text. All these people are within walking distance and I know where they live in my head anyway!

The email addresses are only accessed by me if/when I need to send an email. Nothing else "uses" them.



didds

melonfool
Lemon Quarter
Posts: 2939
Joined: November 4th, 2016, 11:18 am
Has thanked: 1365 times
Been thanked: 793 times

Re: Data protection

#123161

Postby melonfool » March 8th, 2018, 1:23 pm

didds wrote: Unless of course what the ICO means by "processes" is something different to what I think a sensible interpretation of that is. ie another program that automatically trawls that info and uses it for some other purpose.


didds


'Process' just means 'hold' or 'have' in this context. Any data in a relevant filing system counts as being 'processed'.

I think you should stop guessing and speak to the ICO.

I've just delivered a half day GDPR training and was told it was "not boring at all, quite interesting really", which I consider to be high praise indeed for such a topic.

Mel

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Data protection

#123195

Postby didds » March 8th, 2018, 2:31 pm

I eventually got through :-)

I am told if the information held is PURELY for accounts and records then I do NOT have to register.

The person I spoke to confirmed that

* invoices containing names and address, and
* an email program containing any saved email addresses

are indeed purely accounts and records and I do not have to register.

Thanks for the push Mel :-)

Happy Didds.

