Data protection Act

Peter Copestake
Posts: 296
Joined: Sun Feb 11, 2007 2:23 am
Location: Colne, Lancashire

Data protection Act

Post by Peter Copestake » Sun Feb 18, 2018 11:59 am

Does keeping a list of 15 members of a movie-making club, their addresses, phone numbers and email addresses come under the Act?
Peter Copestake

John Roberts
Posts: 297
Joined: Wed Mar 27, 2013 8:42 am

Re: Data protection Act

Post by John Roberts » Sun Feb 18, 2018 3:40 pm

Hot topic at the moment!

I do believe so, virtually everything apart from domestic lists of names and addresses of family, friends etc falls under the act. There are some changes in the pipeline that come into force from 25 May 2018 and Council are currently looking into those as well as the existing revised act, with the intention of producing information for clubs and regions.

Many of the changes appear to affect large databases of information and those which are heavily and constantly processed, so the majority of clubs and regions should not be unduly worried. Any data held will of course need to comply with the 8 Data Protection Principles no matter how small the amount of data held and processed, but they are just 'common sense' measures and probably nothing that clubs and regions are not already doing.

The main issue appears to revolve around an individual's consent, which in club cases might be more of an implicit agreement and not necessarily given in writing. A short line or two on renewal forms, club directories or club programmes explaining how data is held and processed, a 'consent' tick box on the renewal form and a statement regarding the new General Data Protection Regulation handed out with the membership renewal forms and/or displayed on the club website might be all that is required. Better to be safe than sorry, although I doubt anyone from Her Majesty's Government will be knocking on anyone's door.

However, it's early days and I'll try and keep an eye on what's happening and update as soon as I know more.
"My vision often exceeds my capabilities" (me, 2015)
My views are purely my own and don't necessarily reflect those of any body I might represent :P

Peter Copestake
Posts: 296
Joined: Sun Feb 11, 2007 2:23 am
Location: Colne, Lancashire

Re: Data protection Act

Post by Peter Copestake » Sun Feb 18, 2018 6:09 pm

Very clear, John, thank you.
Peter.
Peter Copestake

Michael Slowe
Posts: 596
Joined: Mon Jan 29, 2007 4:24 pm

Re: Data protection Act

Post by Michael Slowe » Wed Feb 28, 2018 5:40 pm

What about the 'spying' that can take place on anyone with a 'smart' TV and the weird and wonderful Alexa? With the smart TV connected to the web, you can be watched in your home and every action and word recorded. Also, Alexa, which my daughter demonstrated to me last week, is also on the web and can be used for observation?

All this doesn't worry me very much but makes a mockery of this Data Protection business. What's retention of names and addresses compared to being observed 24 hrs in your own home?

Peter Copestake
Posts: 296
Joined: Sun Feb 11, 2007 2:23 am
Location: Colne, Lancashire

Re: Data protection Act

Post by Peter Copestake » Wed Feb 28, 2018 6:13 pm

Entirely agree, Michael. I was brought up in villages of a few hundred people where everyone knew everyone and what they were up to.
So I am not worried by CCTV but I wondered if the Act was to make sure that everyone who held other people's data had to have barriers in place to stop the lists being accessed by 'baddies'.
Peter Copestake

Dave Watterson
Posts: 1621
Joined: Sun Jan 28, 2007 11:11 pm
Location: Bath, England

Re: Data protection Act

Post by Dave Watterson » Wed Feb 28, 2018 6:39 pm

You will not be surprised to know that exceptions to the normal Data Privacy laws are made for governments and security agencies.

I await the advice from IAC Council with interest, but just note that "implicit consent" will no longer be good enough. The person giving you their data (in our case usually name, postal address and email address) must have a clear explanation of what you want to do with the information and must positively signify their agreement.

On a website you can do that with a "Privacy Statement" page and a check-box ... though this box must start empty and must be ticked by the person concerned so that they show that they positively agree. On a form it is easier to add a couple of sentences (as suggested) and ask them to sign.

You must keep their data safe. You must not share it with anyone else or sell it to anyone else without their permission. You have to be very wary of storing it in the cloud ... since many of the cloud storage facilities are based in the USA where they do not match the required privacy standards.
You must keep the data accurate ... and you must explain clearly how the person can see and check your record of them, and how they can make you delete it if they wish.
You must not keep it longer than necessary.
As John says much of this is good practice anyway.

Overall
Aaargh! The idea is good. It is to control the companies which process their information about you to create a "profile" adding information they glean from elsewhere. (If they find you drive a Ferrari a charity will reckon it is worth making a special approach to you for a BIG donation.) It should reduce the buying and selling of our addresses etc.

In practice it will just be a nuisance for small clubs and groups like us.

An interesting question: if someone uses their right to be deleted from your records, do you have to delete any emails to and from them as well as edit your address list? Those emails will all have a record of their email address ...

Brian Saberton
Posts: 334
Joined: Fri Apr 27, 2007 7:00 pm
Location: Scotland

Re: Data protection Act

Post by Brian Saberton » Fri Apr 27, 2018 6:09 pm

Re Data Protection I came across an article in the Sunday Times last Sunday concerning the new "General Data Protection Regulation" which comes into force on 25th May. The objective of this new piece of EU Legislation is to protect individuals from having their personal details misused by large companies. Unfortunately it appears that the way the regulations have been written, and then implemented into UK law, has had the unexpected consequence of requiring every membership organisation, no matter how small, to comply with the regulations and this includes clubs etc. I've had a look at the web site of the Photographic Alliance of Great Britain (PAGB) and see that they have already revised their own data protection policy, and have published guidance for all affiliated photographic clubs. You can find all the details on their web-site: www.thepagb.org.uk
Brian Saberton

Jill Lampert
Posts: 46
Joined: Tue Apr 26, 2011 7:04 pm

Re: Data protection Act

Post by Jill Lampert » Sat May 19, 2018 5:51 pm

It's disappointing that the IAC hasn't provided any guidance to clubs on the new data protection regs. I heard a rumour that they were going to, but my club hasn't received anything and I can't see anything on the IAC website, and the rules come into force on Friday!

On a creative arts website ("Voluntary Arts" which promotes participation in creative cultural activities across the UK and Ireland) I found this useful explanation of what we need to do and why. It's in language I can understand:

https://www.voluntaryarts.org/Handlers/ ... e7ef9b0835

It doesn't deal with the question of disclosing members' email addresses to other members, but I found this example of a policy (written for a choir) which includes getting permission to do that:

http://www.monmouthchoralsociety.co.uk/ ... Policy.pdf

In this example the email addresses are only disclosed if requested by another member, but I think for our clubs we'd want all members' email addresses to be disclosed to all other members (with consent) as a matter of course, because communication is part of the fun of being in a club.

TimStannard
Posts: 872
Joined: Fri Feb 11, 2011 5:20 pm
Location: Surrey

Re: Data protection Act

Post by TimStannard » Mon May 21, 2018 7:22 am

I agree it is disappointing that the IAC has not provided some general guidelines, but, as with copyright issues, they would require a "consult a lawyer" caveat. Perhaps some of the money we are sitting on could be used to fund a general purpose set of guidelines and a template policy which could be adopted by clubs if they so desire?

I was listening to a discussion this weekend which suggests why this may not be so straightforward. GDPR has several grey areas. There is lots of wriggle room for what is "reasonable" and, according to the discussion I listened to, everyone is awaiting the first test cases and hoping against hope that their own situation is not one of those test cases as these are likely to become very costly very quickly.

The mail address list appears to me to be a perfect example of one of these grey areas. In the policy for Monmouth Choral Society to which Jill linked, they cover themselves by requesting the consent of members for their contact details to be shared among members. This is fine, but it does create a layer of administration - someone, somewhere has to record who has given this consent.

If one of the aims of the organisation is to share information among members (as one might imagine is the case with most clubs) then it is arguable that consent is not necessary as sharing contact information is necessary in order to carry out the legitimate business of the club.

Grey areas.
Tim
Proud to be an amateur film maker - I do it for the love of it

John Roberts
Posts: 297
Joined: Wed Mar 27, 2013 8:42 am

Re: Data protection Act

Post by John Roberts » Tue May 22, 2018 1:14 pm

Unfortunately I could not attend the last Council meeting due to family issues, so I'm not able to shed any light on progress that has been made on the GDPR matter. I do believe however that something is to be presented in the next FVM regarding GDPR although I suspect it might fall short of 'advice' which would in fact make the IAC liable for any transgressions.

I know there has been a tremendous amount of work put into the revised IAC Privacy Policy from a legal wording point of view, and with Council also taking on the responsibilities of the recent BIAFF, organising UNICA for the UK, plus implementing considerable changes to the future BIAFF Award Winner's Show along with the day-to-day running of the organisation, there is only a limited amount of time a decreasing number of volunteers have to deal with an increasing number of complex issues.

I'm a little out of date with Council issues, so I apologise for not being able to give any further information at this stage :?

Best wishes - John
"My vision often exceeds my capabilities" (me, 2015)
My views are purely my own and don't necessarily reflect those of any body I might represent :P
