Discussion:
DPA and not-for-profit organisations
Roland Perry
2017-10-23 10:15:22 UTC
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
--
Roland Perry
Mark Goodge
2017-10-23 10:57:35 UTC
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
The Data Protection (Notification and Notification Fees) Regulations
2000, Section 3 and Schedule, section 5.

Mark
Roland Perry
2017-10-23 11:18:46 UTC
Post by Mark Goodge
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
The Data Protection (Notification and Notification Fees) Regulations
2000, Section 3 and Schedule, section 5.
Which is limited to "processing appearing to the Secretary of State to
be unlikely to prejudice the rights and freedoms of data subjects" which
I have difficulty applying to the situation of non-members of the
organisation[1] wondering about when and why they were white-listed or
de-listed.

Yes, it's a useful exemption where it does in fact apply, but it's much
more an exemption based on a limited range of purposes for processing,
rather than the mere fact it's a not for profit.

[1] The organisation being "the moderating team".
--
Roland Perry
Mark Goodge
2017-10-23 13:27:28 UTC
Post by Roland Perry
Post by Mark Goodge
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
The Data Protection (Notification and Notification Fees) Regulations
2000, Section 3 and Schedule, section 5.
Which is limited to "processing appearing to the Secretary of State to
be unlikely to prejudice the rights and freedoms of data subjects" which
I have difficulty applying to the situation of non-members of the
organisation[1] wondering about when and why they were white-listed or
de-listed.
Yes, it's a useful exemption where it does in fact apply, but it's much
more an exemption based on a limited range of purposes for processing,
rather than the mere fact it's a not for profit.
[1] The organisation being "the moderating team".
The fact that the exemption appears in the Schedule means that The SoS
thinks it is unlikely to prejudice the rights and freedoms of data
subjects. That's how it got into the Schedule. The Schedule can,
therefore, be considered in solus, it isn't necessary to attempt to
reinterpret every part of it by reference back to Section 3 of the
Statutory Instrument.

As for the exemption itself, the key test here is whether moderating a
newsgroup meets all the criteria necessary. There are six tests, all
of which need to be met:

The Processing-

(a) is carried out by a data controller which is a body or
association which is not established or conducted for profit;

(b) is for the purposes of establishing or maintaining membership of
or support for the body or association, or providing or
administering activities for individuals who are either members
of the body or association or have regular contact with it;

(c) is of personal data in respect of which the data subject is-
(i) a past, existing or prospective member of the body or
organisation;
(ii) any person who has regular contact with the body or
organisation in connection with the exempt purposes; or
(iii) any person the processing of whose personal data is
necessary for the exempt purposes;

(d) is of personal data consisting of the name, address and other
identifiers of the data subject or information as to-
(i) eligibility for membership of the body or association; or
(ii) other matters the processing of which is necessary for the
exempt purposes;

(e) does not involve disclosure of the personal data to any third
party other than-
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt
purposes; and

(f) does not involve keeping the personal data after the relationship
between the data controller and data subject ends, unless and for
so long as it is necessary to do so for the exempt purposes.

Of those, (a) is clearly true. Moderating a newsgroup is most
definitely a non-profit activity :-)

I think (b) is also true - moderation is carried out for the purposes
of those who have regular contact with the moderation team (by means
of submitting articles which may be subject to moderation).

(c) is true for the same reasons - it is data held related to a
"person who has regular contact with the body", and also meets the
third option that the data is "necessary for the exempt purposes".

Much the same applies to (d) - it is data which is "necessary for the
exempt purposes". You can't moderate a newsgroup without processing
the email addresses of contributors.

(e) again, is fairly obviously true. The whole point of posting an
article to a newsgroup is for it to be published, so the poster has
clearly given permission for their personal data to be published as
part of that submission. And the moderators do not make any other use
of the data, so no non-exempt processing takes place.

The only one which might fail the test, IMO, is (f) - but only if the
moderators retain the records of their actions applied to personal
data (eg, whitelisting or blacklisting) for longer than is strictly
necessary. I think, though, that it would be relatively easy to avoid
any issues here simply by regularly purging the logs and removing any
personal identifiers (ie, email addresses) from the whitelist (and
blacklist, if there is one) if they are inactive for a certain period
of time.

That, however, is one of the main reasons why I suggested that this
group is a more suitable forum for this discussion than where it was
originally mooted. There are other people here with more direct
experience and knowledge of the DPA than you or I, and their comments
may be useful.

Mark
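The retention step suggested in the post above (purge the action log and drop inactive identifiers from the whitelist after a fixed period) can be made mechanical. The following is an added example written for this page, not code from the thread or from any real moderation bot. It assumes the whitelist is kept as a mapping from address to last-activity date and the moderators' action log is a list of ISO-dated text lines; both are constructed sample data, and the retention windows are illustrative.

```python
"""Retention pruning for a moderation whitelist and its action log.

Added example, not code from the thread or from any real modbot. It
assumes a whitelist stored as {email: last_activity_date} and an action
log of ISO-dated text lines; both are constructed here for illustration.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Matches most mailbox addresses; deliberately simple, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample whitelist: address -> date of the last approved post.
WHITELIST = {
    "alice@example.org": date(2017, 10, 20),
    "bob@example.net": date(2016, 3, 1),
    "carol@example.com": date(2017, 4, 15),
}

# Constructed sample moderator action log: "YYYY-MM-DD free text".
ACTION_LOG = [
    "2016-03-02 whitelisted bob@example.net after clean first post",
    "2017-04-16 whitelisted carol@example.com",
    "2017-10-21 removed alice@example.org from whitelist pending review",
    "2017-10-21 re-added alice@example.org to whitelist",
    "2017-10-22 reviewed stale entries: bob@example.net still inactive",
]


def prune_whitelist(whitelist, today, max_inactive_days):
    """Split the whitelist into entries to keep and addresses to drop.

    An entry is dropped once its last activity is older than the
    retention window: the "remove identifiers if inactive for a certain
    period" step from the post.
    """
    cutoff = today - timedelta(days=max_inactive_days)
    kept, dropped = {}, []
    for address, last_seen in whitelist.items():
        if last_seen < cutoff:
            dropped.append(address)
        else:
            kept[address] = last_seen
    return kept, sorted(dropped)


def purge_log(log_lines, today, max_age_days, dropped_addresses):
    """Drop log lines beyond the retention window and redact addresses
    that were just removed from the whitelist in the lines that remain.

    Redaction rather than deletion keeps the fact that an action happened
    (useful for reviewing the moderators' own process) without retaining
    the identifier of someone whose relationship with the group has ended.
    """
    cutoff = today - timedelta(days=max_age_days)
    dropped = set(dropped_addresses)

    def redact(match):
        return "[redacted]" if match.group(0) in dropped else match.group(0)

    retained = []
    for line in log_lines:
        stamp = date.fromisoformat(line[:10])
        if stamp < cutoff:
            continue  # the whole record is past the retention window
        retained.append(EMAIL_RE.sub(redact, line))
    return retained


def run_retention(today_iso, max_inactive_days=365, max_log_age_days=365):
    """Run both steps for a given day; returns (kept, dropped, retained_log)."""
    today = date.fromisoformat(today_iso)
    kept, dropped = prune_whitelist(WHITELIST, today, max_inactive_days)
    log = purge_log(ACTION_LOG, today, max_log_age_days, dropped)
    return kept, dropped, log


if __name__ == "__main__":
    kept, dropped, log = run_retention("2017-10-30")
    print("kept:", sorted(kept))
    print("dropped:", dropped)
    for line in log:
        print("log:", line)
```

Run as-is, the 365-day window drops the address last active in March 2016, discards the one log line older than the window, and redacts that address from the newer line that still mentions it. Shortening the window (for instance to 180 days) also drops the April 2017 entry and its log line, which is the knob a moderating team would tune to whatever period it can justify under test (f).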
Roland Perry
2017-10-30 10:29:57 UTC
Post by Mark Goodge
As for the exemption itself, the key test here is whether moderating a
newsgroup meets all the criteria necessary. There are six tests, all
The Processing-
(a) is carried out by a data controller which is a body or
association which is not established or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of
or support for the body or association, or providing or
administering activities for individuals who are either members
of the body or association or have regular contact with it;
(c) is of personal data in respect of which the data subject is-
(i) a past, existing or prospective member of the body or
organisation;
(ii) any person who has regular contact with the body or
organisation in connection with the exempt purposes; or
(iii) any person the processing of whose personal data is
necessary for the exempt purposes;
(d) is of personal data consisting of the name, address and other
identifiers of the data subject or information as to-
(i) eligibility for membership of the body or association; or
(ii) other matters the processing of which is necessary for the
exempt purposes;
(e) does not involve disclosure of the personal data to any third
party other than-
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt
purposes; and
(f) does not involve keeping the personal data after the relationship
between the data controller and data subject ends, unless and for
so long as it is necessary to do so for the exempt purposes.
Of those, (a) is clearly true. Moderating a newsgroup is most
definitely a non-profit activity :-)
I think (b) is also true - moderation is carried out for the purposes
of those who have regular contact with the moderation team (by means
of submitting articles which may be subject to moderation).
(c) is true for the same reasons - it is data held related to a
"person who has regular contact with the body", and also meets the
third option that the data is "necessary for the exempt purposes".
Much the same applies to (d) - it is data which is "necessary for the
exempt purposes". You can't moderate a newsgroup without processing
the email addresses of contributors.
Their email address is not the only data type which is processed.
Post by Mark Goodge
(e) again, is fairly obviously true. The whole point of posting an
article to a newsgroup is for it to be published, so the poster has
clearly given permission for their personal data to be published as
part of that submission. And the moderators do not make any other use
of the data, so no non-exempt processing takes place.
I'm not 100% convinced that every contributor has given sufficiently
informed consent to the publication of their data here:

http://www.chiark.greenend.org.uk/ucgi/~webstump/l.ulm
Post by Mark Goodge
The only one which might fail the test, IMO, is (f) - but only if the
moderators retain the records of their actions applied to personal
data (eg, whitelisting or blacklisting) for longer than is strictly
necessary. I think, though, that it would be relatively easy to avoid
any issues here simply by regularly purging the logs and removing any
personal identifiers (ie, email addresses)
probably "eg" rather than "ie".
Post by Mark Goodge
from the whitelist (and blacklist, if there is one) if they are
inactive for a certain period of time.
That would at least demonstrate a degree of good faith, were the Modbot
to have such a facility.

On balance I think the MODBOT's activity is unlikely to fall foul of
enforcement action, but SARs of things like the moderators' mailing list
are going to be "interesting" to say the least.
Post by Mark Goodge
That, however, is one of the main reasons why I suggested that this
group is a more suitable forum for this discussion than where it was
originally mooted.
The whole debate has been coloured by the red herring of "exempt
registration", when what everyone really wants to know is what kinds of
*processing* (and SAR) might be exempt [by exempt-from-registration
not-for-profits].

The two concepts were confusingly entwined in your opening remark in
unnm, especially the last line below which implies that if processing is
of a kind which will exempt the organisation from notification(sic)
processing will also be exempt from the DPA for all purposes:

" >> Moderators have a private mailing list. They can very easily tell
Post by Mark Goodge
the others "I've removed X from the whitelist because of his
recent post" or "I've added "shitbag" to the trigger words
list".
- Is this covered as personal data under the DPA?
The trigger words list is not. The whitelist status of any
identifiable individual is. But the exemption from registration for
non-profit organisations applies, as the processing falls entirely
within the boundaries of the exemption."
--
Roland Perry
Handsome Jack
2017-10-23 14:14:19 UTC
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.

https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
--
Jack
pamela
2017-10-23 14:56:36 UTC
Post by Handsome Jack
could I please have which section of the act specifically
exempts not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
Exempts them from what? The DPA? There isn't one.
This follows a discussion you may have missed about NFP
organisations being exempt from registration under the DPA.

See also:

https://ico.org.uk/media/for-organisations/documents/1567/exemption-from-registration-for-not-for-profit-organisations.pdf
Post by Handsome Jack
Non-profit orgs are definitely caught by the DPA, as several
charities have found to their great cost within the past 12
months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
Mark Goodge
2017-10-23 16:38:28 UTC
Post by Handsome Jack
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.
Exempt from registration with the ICO.
Post by Handsome Jack
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
Most charities have to register, because they use data in ways that
the non-profit exemption doesn't apply to. The non-profit exemption
from registration is aimed primarily at things like small clubs and
societies that only process data for their internal purposes connected
with the organisation. It doesn't exempt them from compliance with the
DPA itself, but it does exempt them from the cost and bureaucracy of
registering.

Mark
Roland Perry
2017-10-24 09:37:24 UTC
It doesn't exempt them from compliance with the DPA itself, but it does
exempt them from the cost and bureaucracy of registering.
To help put the issue into context and allow me to better answer your
other much longer posting, is it your view that complying with the DPA
as an exempt not-for-profit includes (or does not include) the
requirement to satisfy SARs?

s7 of the Act talks about "any data controller" if that helps.

ps It's called "Notifying", which leads to "becoming registered" (noting
the lack of grammatical symmetry between 'registering->becoming
registered' and 'notifying->becoming notified').
--
Roland Perry
Mark Goodge
2017-10-24 10:33:39 UTC
Post by Roland Perry
It doesn't exempt them from compliance with the DPA itself, but it does
exempt them from the cost and bureaucracy of registering.
To help put the issue into context and allow me to better answer your
other much longer posting, is it your view that complying with the DPA
as an exempt not-for-profit includes (or does not include) the
requirement to satisfy SARs?
"Subject Access Request" isn't a term found in the legislation. It's
merely a convenient and widely-used shorthand for a request for
information made under the auspices of the DPA section 7. Section 7
itself refers to all relevant personal data, not merely to data held
by an organisation which is subject to the requirement to notify the
ICO. So an organisation which is exempt from notification is still
subject to the requirement to fulfil a valid request for information
about a person's personal data (aka a Subject Access Request),
provided of course that it holds any data on that person which is not
itself exempt from the DPA.

On a wider note, exemption from notification under Part III of the DPA
is entirely separate to exemption of data under Part IV. Confusing the
two is a common error.

Mark
pamela
2017-10-24 18:01:21 UTC
On Tue, 24 Oct 2017 10:37:24 +0100, Roland Perry
17:38:28 on Mon, 23 Oct 2017, Mark Goodge
It doesn't exempt them from compliance with the DPA itself, but
it does exempt them from the cost and bureaucracy of
registering.
To help put the issue into context and allow me to better answer
your other much longer posting, is it your view that complying
with the DPA as an exempt not-for-profit includes (or does not
include) the requirement to satisfy SARs?
"Subject Access Request" isn't a term found in the legislation.
It's merely a convenient and widely-used shorthand for a request
for information made under the auspices of the DPA section 7.
That's interesting. I mistakenly thought the term "Subject Access
Request" had been coined in s.7 but when I took another look I see
it's not there.

The statutory instruments use "subject access modification" and
"subject access exemption". I wonder if they helped create the
phrase.
Section 7 itself refers to all relevant personal data, not
merely to data held by an organisation which is subject to the
requirement to notify the ICO. So an organisation which is
exempt from notification is still subject to the requirement to
fulfil a valid request for information about a person's personal
data (aka a Subject Access Request), provided of course that it
holds any data on that person which is not itself exempt from the
DPA.
On a wider note, exemption from notification under Part III of
the DPA is entirely separate to exemption of data under Part IV.
Confusing the two is a common error.
Mark
Roland Perry
2017-10-25 08:13:29 UTC
Post by pamela
Post by Mark Goodge
"Subject Access Request" isn't a term found in the legislation.
It's merely a convenient and widely-used shorthand for a request
for information made under the auspices of the DPA section 7.
That's interesting. I mistakenly thought the term "Subject Access
Request" had been coined in s.7 but when I took another look I see
it's not there.
The statutory instruments use "subject access modification" and
"subject access exemption". I wonder if they helped create the
phrase.
As far as I know, the ICO has always used the phrase (which appears 48
times on this page):

<https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/>
--
Roland Perry
Judith
2017-10-31 23:54:59 UTC
Post by pamela
On Tue, 24 Oct 2017 10:37:24 +0100, Roland Perry
<snip>
Post by pamela
Post by Roland Perry
To help put the issue into context and allow me to better answer
your other much longer posting, is it your view that complying
with the DPA as an exempt not-for-profit includes (or does not
include) the requirement to satisfy SARs?
"Subject Access Request" isn't a term found in the legislation.
It's merely a convenient and widely-used shorthand for a request
for information made under the auspices of the DPA section 7.
That's interesting. I mistakenly thought the term "Subject Access
Request" had been coined in s.7 but when I took another look I see
it's not there.
The statutory instruments use "subject access modification" and
"subject access exemption". I wonder if they helped create the
phrase.
I agree with you - and thanks to Mark for the excellent clarification - it
appears that he knows what he is talking about.

Roland Perry
2017-10-30 10:09:37 UTC
Post by Mark Goodge
Post by Roland Perry
To help put the issue into context and allow me to better answer your
other much longer posting, is it your view that complying with the DPA
as an exempt not-for-profit includes (or does not include) the
requirement to satisfy SARs?
"Subject Access Request" isn't a term found in the legislation. It's
merely a convenient and widely-used shorthand for a request for
information made under the auspices of the DPA section 7. Section 7
itself refers to all relevant personal data, not merely to data held
by an organisation which is subject to the requirement to notify the
ICO. So an organisation which is exempt from notification is still
subject to the requirement to fulfil a valid request for information
about a person's personal data (aka a Subject Access Request),
provided of course that it holds any data on that person which is not
itself exempt from the DPA.
In the context of the proceedings of a moderated group, and the data
processed by the Modbot on behalf of the Mods, what data types might
potentially be exempt?
Post by Mark Goodge
On a wider note, exemption from notification under Part III of the DPA
is entirely separate to exemption of data under Part IV. Confusing the
two is a common error.
The latter including the contentious "domestic exemption" of course.
--
Roland Perry
Mark Goodge
2017-10-30 15:52:55 UTC
Post by Roland Perry
Post by Mark Goodge
Post by Roland Perry
To help put the issue into context and allow me to better answer your
other much longer posting, is it your view that complying with the DPA
as an exempt not-for-profit includes (or does not include) the
requirement to satisfy SARs?
"Subject Access Request" isn't a term found in the legislation. It's
merely a convenient and widely-used shorthand for a request for
information made under the auspices of the DPA section 7. Section 7
itself refers to all relevant personal data, not merely to data held
by an organisation which is subject to the requirement to notify the
ICO. So an organisation which is exempt from notification is still
subject to the requirement to fulfil a valid request for information
about a person's personal data (aka a Subject Access Request),
provided of course that it holds any data on that person which is not
itself exempt from the DPA.
In the context of the proceedings of a moderated group, and the data
processed by the Modbot on behalf of the Mods, what data types might
potentially be exempt?
Dunno. I don't think there is any. I only included that last clause
for completeness, lest someone accuse me of omitting an important part
of the legislation (and it makes a difference in some contexts; I'm
just not sure that it does here).
Post by Roland Perry
Post by Mark Goodge
On a wider note, exemption from notification under Part III of the DPA
is entirely separate to exemption of data under Part IV. Confusing the
two is a common error.
The latter including the contentious "domestic exemption" of course.
I don't think there's anything particularly contentious about the
exemption itself. It's very obviously essential, as not having it
would create lots of easily predictable undesirable consequences. The
contentious aspects of it are the boundaries of it, particularly when
people try to push those boundaries outwards in order to cover their
hobbies and home-based businesses.

Mark
Roland Perry
2017-10-31 09:48:25 UTC
Post by Mark Goodge
Post by Roland Perry
Post by Mark Goodge
On a wider note, exemption from notification under Part III of the DPA
is entirely separate to exemption of data under Part IV. Confusing the
two is a common error.
The latter including the contentious "domestic exemption" of course.
I don't think there's anything particularly contentious about the
exemption itself. It's very obviously essential, as not having it
would create lots of easily predictable undesirable consequences. The
contentious aspects of it are the boundaries of it,
exactly
Post by Mark Goodge
particularly when people try to push those boundaries outwards in order
to cover their hobbies and home-based businesses.
And the current law is somewhat restrictive when it comes to (eg) social
media presences being regarded as a part of domesticity, and some people
worry about the legal uncertainty regarding blogging[1] and social media
being covered by a journalistic or literary expression exemptions. An
oft-overlooked aspect is that the domestic exemption only applies to
individuals acting alone, and not in concert with other individuals in
other households - so in theory joint moderators of a Facebook group are
not exempt.

All change soon, and GDPR is rather terse on the matter in article 2.2:

"This Regulation does not apply to the processing of personal data:
...
by a natural person in the course of a purely personal or household
activity;"

And recital 18 includes little of this text recommended by the Article
29 committee:

"This Regulation should not apply to processing of personal data by a
natural person, which is exclusively personal or domestic, such as
correspondence, the holding of addresses of personal contacts or the use
of social network sites that is outside the pursuit of a commercial or
professional objective. In determining whether the processing falls
within the exemption, consideration should be given to whether the
personal data is disseminated to an indefinite number of persons,
rather than to a limited community of friends, family members or
acquaintances; whether the personal data is about individuals who have
no personal or household relationship with the person posting it;
whether the scale and frequency of the processing of personal data
suggests professional or full-time activity; and whether there is
evidence of a number of individuals acting together in a collective and
organised manner. The application of the exemption is constrained by the
need to guarantee the rights of third parties, particularly with regard
to sensitive personal data. In this connection, account should
be taken of the extent to which a natural person might be liable
according to the provisions of other, relevant national civil or
criminal laws, e.g. defamation. The exemption should not apply to
controllers or processors which provide the means for processing
personal data for such personal or domestic activities."

But *does* mention Social media in passing, especially noting that those
who "provide the means" are *not* exempt.

"18 This Regulation does not apply to the processing of personal data by
a natural person in the course of a purely personal or household
activity and thus with no connection to a professional or commercial
activity. Personal or household activities could include correspondence
and the holding of addresses, or social networking and online activity
undertaken within the context of such activities. However, this
Regulation applies to controllers or processors which provide the means
for processing personal data for such personal or household activities."

[1] Under which for this discussion I'll include Usenet.
--
Roland Perry
Robin
2017-10-23 20:41:06 UTC
Post by Handsome Jack
could I please have which section of the act specifically exempts
not-for-profit organisations...
If only there was a newsgroup where such requests were on topic, eh.
Mark
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
I don't know - or care - precisely how it tracks through to registration
but it may help those who do to go back to first principles (pun
intended) and look at the condition in para. 4 of Schedule 3 which
applies to the first principle in Schedule 1 for the purposes of the
sensitive personal data.
--
Robin
reply-to address is (intended to be) valid
Ian Jackson
2017-10-24 11:38:01 UTC
Post by Robin
Post by Handsome Jack
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
I don't know - or care - precisely how it tracks through to registration
but it may help those who do to go back to first principles (pun
intended) and look at the condition in para. 4 of Schedule 3 which
applies to the first principle in Schedule 1 for the purposes of the
sensitive personal data.
I think we are still talking about how the DPA affects newsgroup
moderators ? As regards the passlists, modbot logs, etc. etc., I
doubt that any of it is _sensitive_ personal data. So Sch3 doesn't
seem very relevant. Are the newsgroup postings themselves "data" ?
--
Ian Jackson <***@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Robin
2017-10-24 14:50:49 UTC
Post by Ian Jackson
Post by Robin
Post by Handsome Jack
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
I don't know - or care - precisely how it tracks through to registration
but it may help those who do to go back to first principles (pun
intended) and look at the condition in para. 4 of Schedule 3 which
applies to the first principle in Schedule 1 for the purposes of the
sensitive personal data.
I think we are still talking about how the DPA affects newsgroup
moderators ? As regards the passlists, modbot logs, etc. etc., I
doubt that any of it is _sensitive_ personal data. So Sch3 doesn't
seem very relevant. Are the newsgroup postings themselves "data" ?
Fair point. My concern was simply to link the exemption from
notification for not-for-profit bodies back to the specific provision in
the Act for them to process sensitive data which AIUI was the model for
the exemption from notification. (And - though my memory of them is
pretty well rusted through - I think was promised in the debates when
some wanted more for them by way of exemptions. I doubt they'll get
support for that in the current Bill after recent behaviour.)
--
Robin
reply-to address is (intended to be) valid
pamela
2017-10-24 18:03:08 UTC
Post by Robin
Post by Ian Jackson
Post by Robin
Post by Handsome Jack
Exempts them from what? The DPA? There isn't one. Non-profit
orgs are definitely caught by the DPA, as several charities
have found to their great cost within the past 12 months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
I don't know - or care - precisely how it tracks through to
registration but it may help those who do to go back to first
principles (pun intended) and look at the condition in para. 4
of Schedule 3 which applies to the first principle in Schedule
1 for the purposes of the sensitive personal data.
I think we are still talking about how the DPA affects
newsgroup moderators ? As regards the passlists, modbot logs,
etc. etc., I doubt that any of it is _sensitive_ personal data.
So Sch3 doesn't seem very relevant. Are the newsgroup
postings themselves "data" ?
Fair point. My concern was simply to link the exemption from
notification for not-for-profit bodies back to the specific
provision in the Act for them to process sensitive data which
AIUI was the model for the exemption from notification. (And -
though my memory of them is pretty well rusted through - I think
was promised in the debates when some wanted more for them by
way of exemptions. I doubt they'll get support for that in the
current Bill after recent behaviour.)
What's the situation if the newsgroup's data passes through servers
physically located in other countries. Is it subject to their data
protection regulations?
Martin Brown
2017-10-26 09:07:12 UTC
Post by Ian Jackson
Post by Robin
Post by Handsome Jack
Exempts them from what? The DPA? There isn't one. Non-profit orgs are
definitely caught by the DPA, as several charities have found to their
great cost within the past 12 months.
https://www.gov.uk/government/news/regulators-issue-joint-alert-about-compliance-with-data-protection-law
I don't know - or care - precisely how it tracks through to registration
but it may help those who do to go back to first principles (pun
intended) and look at the condition in para. 4 of Schedule 3 which
applies to the first principle in Schedule 1 for the purposes of the
sensitive personal data.
What is sensitive personal data in this context and does it vary with
subject or is it defined more clearly in the act?

eg.
My address, landline and mobile number is personal but unremarkable.
But the Prime Minister's direct phone number is qualitatively different
(even though her physical address is widely known).

Where is the threshold for having to register with the ICO?
Would a listserver running on a UK host have to be registered if all it
holds about people is their subscription email address. What if it
included their real world address and contact phone number?
(I'm sure plenty of amateur groups inadvertently breach the DPA)

Newcastle seem to have put their foot in it with a very damaging data
breach involving foster children allocation - which it seems to me is
very different in terms of damage done.

http://www.silicon.co.uk/security/authentification/newcastle-data-breach-217659?inf_by=59f1a463671db8d30b8b467f
Post by Ian Jackson
I think we are still talking about how the DPA affects newsgroup
moderators ? As regards the passlists, modbot logs, etc. etc., I
doubt that any of it is _sensitive_ personal data. So Sch3 doesn't
seem very relevant. Are the newsgroup postings themselves "data" ?
I guess they are but in the public domain (for a moderated group once
they are approved). It does beg a question regarding "publication"
though - are the moderators liable if they let something through that
turns out to be libellous or in some way incitement?
--
Regards,
Martin Brown
Roland Perry
2017-10-30 10:06:06 UTC
Post by Martin Brown
What is sensitive personal data in this context and does it vary with
subject or is it defined more clearly in the act?
2 Sensitive personal data.

In this Act "sensitive personal data" means personal data consisting of
information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the
Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been
committed by him, the disposal of such proceedings or the sentence of
any court in such proceedings.
--
Roland Perry
Roland Perry
2017-10-30 10:06:41 UTC
Post by Ian Jackson
Are the newsgroup postings themselves "data" ?
Yes; and see in particular s2(b) "his political opinions", of which many
postings are redolent.
--
Roland Perry