> Post by Roland Perry
>> Post by Mark Goodge
>> could I please have which section of the act specifically exempts
>> not-for-profit organisations...
> If only there was a newsgroup where such requests were on topic, eh.
> The Data Protection (Notification and Notification Fees) Regulations
> 2000, Section 3 and Schedule, section 5.
> Which is limited to "processing appearing to the Secretary of State to
> be unlikely to prejudice the rights and freedoms of data subjects" which
> I have difficulty applying to the situation of non-members of the
> organisation[1] wondering about when and why they were white-listed or
> de-listed.
> Yes, it's a useful exemption where it does in fact apply, but it's much
> more an exemption based on a limited range of purposes for processing,
> rather than the mere fact it's a not for profit.
> [1] The organisation being "the moderating team".

The fact that the exemption appears in the Schedule means that The SoS
thinks it is unlikely to prejudice the rights and freedoms of data
subjects. That's how it got into the Schedule. The Schedule can,
therefore, be considered in solus, it isn't necessary to attempt to
reinterpret every part of it by reference back to Section 3 of the
Statutory Instrument.

As for the exemption itself, the key test here is whether moderating a
newsgroup meets all the criteria necessary. There are six tests, all
of which need to be met:

The Processing-
(a) is carried out by a data controller which is a body or
    association which is not established or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of
    or support for the body or association, or providing or
    administering activities for individuals who are either members
    of the body or association or have regular contact with it;
(c) is of personal data in respect of which the data subject is-
    (i) a past, existing or prospective member of the body or
        organisation;
    (ii) any person who has regular contact with the body or
        organisation in connection with the exempt purposes; or
    (iii) any person the processing of whose personal data is
        necessary for the exempt purposes;
(d) is of personal data consisting of the name, address and other
    identifiers of the data subject or information as to-
    (i) eligibility for membership of the body or association; or
    (ii) other matters the processing of which is necessary for the
        exempt purposes;
(e) does not involve disclosure of the personal data to any third
    party other than-
    (i) with the consent of the data subject; or
    (ii) where it is necessary to make such disclosure for the exempt
        purposes; and
(f) does not involve keeping the personal data after the relationship
    between the data controller and data subject ends, unless and for
    so long as it is necessary to do so for the exempt purposes.

Of those, (a) is clearly true. Moderating a newsgroup is most
definitely a non-profit activity :-)

I think (b) is also true - moderation is carried out for the purposes
of those who have regular contact with the moderation team (by means
of submitting articles which may be subject to moderation).

(c) is true for the same reasons - it is data held related to a
"person who has regular contact with the body", and also meets the
third option that the data is "necessary for the exempt purposes".

Much the same applies to (d) - it is data which is "necessary for the
exempt purposes". You can't moderate a newsgroup without processing
the email addresses of contributors.

(e) again, is fairly obviously true. The whole point of posting an
article to a newsgroup is for it to be published, so the poster has
clearly given permission for their personal data to be published as
part of that submission. And the moderators do not make any other use
of the data, so no non-exempt processing takes place.

The only one which might fail the test, IMO, is (f) - but only if the
moderators retain the records of their actions applied to personal
data (eg, whitelisting or blacklisting) for longer than is strictly
necessary. I think, though, that it would be relatively easy to avoid
any issues here simply by regularly purging the logs and removing any
personal identifiers (ie, email addresses) from the whitelist (and
blacklist, if there is one) if they are inactive for a certain period
of time.

That, however, is one of the main reasons why I suggested that this
group is a more suitable forum for this discussion than where it was
originally mooted. There are other people here with more direct
experience and knowledge of the DPA than you or I, and their comments
may be useful.

Mark
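The retention practice proposed for criterion (f) above, as an added example that is not part of the original thread: entries on the moderation whitelist/blacklist are dropped once the contributor has been inactive beyond a fixed period, and the purged addresses are struck from the retained action log. The record layout, the 180-day period and the sample data are all assumptions.

```python
"""Retention purge for a moderation whitelist/blacklist (added example).

Criterion (f) of the notification exemption: personal identifiers are
not kept once the contributor's relationship with the moderation team
has lapsed. Record layout and the 180-day period are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ListEntry:
    email: str
    listing: str          # "whitelist" or "blacklist"
    last_activity: date   # date of the contributor's most recent submission


# Assumed inactivity period after which the relationship is treated as ended.
RETENTION = timedelta(days=180)

# Constructed sample records and log lines (not real addresses or events).
SAMPLE_ENTRIES = [
    ListEntry("alice@example.org", "whitelist", date(2024, 1, 10)),
    ListEntry("bob@example.net", "whitelist", date(2023, 3, 2)),
    ListEntry("spam@example.com", "blacklist", date(2023, 6, 15)),
]
SAMPLE_LOG = [
    "2023-03-02 whitelisted bob@example.net",
    "2024-01-10 approved article from alice@example.org",
]

_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def purge_inactive(entries: list[ListEntry], today: date,
                   retention: timedelta = RETENTION) -> tuple[list[ListEntry], list[str]]:
    """Split entries into those still active and the addresses to remove.
    An entry exactly at the retention boundary is still kept."""
    kept, removed = [], []
    for e in entries:
        (removed if today - e.last_activity > retention else kept).append(
            e.email if today - e.last_activity > retention else e)
    return kept, removed


def redact_log(lines: list[str], removed: set[str]) -> list[str]:
    """Keep the record of moderation actions but strip purged addresses,
    so the log no longer identifies people whose relationship has ended."""
    return [_EMAIL.sub(lambda m: "[removed]" if m.group(0) in removed else m.group(0), line)
            for line in lines]


def run_purge(today: date = date(2024, 2, 1)):
    """Apply the purge to the constructed sample; returns (kept, removed, log)."""
    kept, removed = purge_inactive(SAMPLE_ENTRIES, today)
    return [e.email for e in kept], removed, redact_log(SAMPLE_LOG, set(removed))
```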