data protection and event entries

[frankly frankie]

Francis, I have no idea of the internal workings of AUK, ...
I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy.

Of course Mark - your knowledge of DPA is clearly considerable* and your comments in this thread very useful, IMO.

The point I was trying to make was about what Phil describes as the 'disconnect' between AUK and Organisers.  I would suggest this disconnect is there by design - AUK is always keen to make the point that Events 'belong to' organisers and are merely run according to principles laid down by AUK.

* it's 2 years or more since I last looked at the DPA, or rather, the surrounding documentation - and I'll bend the knee to anyone who really knows the ins and outs, but it sounds as though the 'for dummies' literature has improved, which is good news for everyone (except lawyers I suppose).
There used to be a 'DPA self-assessment' form somewhere - I completed it three times, with AUK's operation in mind, and got 2 'register' and 1 'don't register' results.  Ultimately what I didn't like was that, for all the talk of 'organisations' having responsibilities, ultimately it is an individual who has to sign up and register and put his head in the noose.  As an unpaid volunteer, I wasn't prepared to do that.  But AUK do try to take their DPA obligations seriously, that I do know - [edit] and clearly already exceed the DPA's requirements in several areas.

[Manotea]

Francis, I have no idea of the internal workings of AUK, ...
I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy.

Of course Mark - your knowledge of DPA is clearly considerable* and your comments in this thread very useful, IMO.

The point I was trying to make was about what Phil describes as the 'disconnect' between AUK and Organisers.  I would suggest this disconnect is there by design - AUK is always keen to make the point that Events 'belong to' organisers and are merely run according to principles laid down by AUK.

Events (up to and including LEL, though this changes with LEL2013) are put on by Organisers not AUK and organisers 'own the relationship' (salespeak) with the rider, at least as far as the Organiser's event. Rider contact info goes directly to the Org. The only info passed to AUK is memno and names for validation purposes. Orgs do have access to AUK memlist via the startlist lookup feature which includes postal addresses but *NOT* email addresses.

When I started as an Org all of ~5 years ago putting on an event was a totally paper based exercise and whilst application forms included email addresses they were not referenced by me. We are now well past the tipping point and ~75% of entries come in electronically, and in turn, for example, for the last several events I have sent out route sheets by email. I received back just a couple of requests for paper copies which of course I provided.

By the way, with regard to deleting rider details post event, I can flush them from my PC but all of this rider information will remain in my paypal account forever. I've just checked some transactions from several years ago; it's all there.

So taking DPA/DM regulation at face value as outlined by Hummers & GB will require AUK AND Organisers to develop policies and procedures for managing rider data even if they do not propose to use this information post event. Regardless there is no reason why we cannot swiftly move to total compliance with DPA/DM regulation without compromising our activities.

In so doing let's not lose sight of the fact that Organisers are running cycling events for riders with whom they have a direct relationship.

[Hummers]

Steady on chaps!  

The DPA calls for common sense rather than a New World Order.   As I said before, most organisations, rightly or wrongly, balance risk against how comprehensive their DP policy is and how far they follow the principles of the Act. Unless something right now is majorly broken, why try and fix it?

Hpwever, Andy H's comments on discussions around the direction of AUK are in the back of my mind too. If these come to fruition and means changes to how AUK uses the information it holds on its members, I suggest this will be the driver for a review of AUKs policy on privacy, communication and data protection.

Events (up to and including LEL, though this changes with LEL2013) are put on by Organisers not AUK and organisers 'own the relationship' (salespeak) with the rider, at least as far as the Organiser's event. Rider contact info goes directly to the Org. The only info passed to AUK is memno and names for validation purposes. Orgs do have access to AUK memlist via the startlist lookup feature which includes postal addresses but *NOT* email addresses.

Yes, tempting to think that the two are disconnected but that is not actually the case as you are involved in data processing for AUK. 

If I entered the event directly with AUK (I know I can't) and all they did was send you (as the organiser) a predictied number of riders to cater for and covered your costs, i.e. no information about the riders at all,  then from a DPA perspective, you are disconnected. If I wasn't a member and AUK had no information about me at all, then you are also disconnected.

But as an AUK member and based on my understanding of the process, if I enter one of your events:

• I send you a data set including details about me that AUK may or may not have
• I am uniquely identified as a member through my AUK number
• You relay my completion to AUK using my name and possibly the common reference i.e. AUK#
• Based on the information you send back, AUK put information about me up on their website
• If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

And both you and AUK hold my email address.

H

[Manotea]

The DPA calls for common sense rather than a New World Order.   As I said before, most organisations, rightly or wrongly, balance risk against how comprehensive their DP policy is and how far they follow the principles of the Act.

Absolutely

Unless something right now is majorly broken, why try and fix it?

Whilst AUK's modus operandi may be intact, the world has moved on

Posters often refer to AUK as shorthand to include Organisers whereas each Organiser is separate and unique. Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.

[Hummers]

Sorry Mr Tea, I added some more stuff on my post regarding 'disconnection'. You may think organisers are separate from AUK but from a DPA perspective, based on my understanding of the process you are both processing AUK data and information about me.

Whilst AUK's modus operandi may be intact, the world has moved on

But the DPA has not changed significantly and the P&EC regs have been around for about 7 years.
 
H

[DanialW]

Posters often refer to AUK as shorthand to include Organisers whereas each Organiser is separate and unique. Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.

I agree.

[Hummers]

Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.

Woaa... 

Now that really does sound like a New World Order.

I'll stick to stuff I understand. 

H

[frankly frankie]

• If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

[Hummers]

• If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

Why would the organiser be made part of a data retention policy? That makes no sense to me.

And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

From a DPA standpoint it could be argued that only means that the information you hold on me is (in part) incorrect. It is my AUK number that 'connects' the information the organiser and AUK hold on me.

Looking at the process as described by organisers and others on this thread, like it or not, there is a flow of information that goes between AUK and the organiser that relates to personally identifiable information about its members and this means that the processing and management of this information is subject to the principles of the DPA - and this covers all information held, not just email addresses.

H

[simonp]

• If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

The advice was, roughly:

 - records should be kept for one year

except where an incident occurred on the event, in which case:

 - records should be kept for 7 years.

In the draught of the updated guidelines (much improved) last year this was changed to 5 years.

I can see that this is necessary for insurance purposes.

[Hummers]

• If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

The advice was, roughly:

 - records should be kept for one year

except where an incident occurred on the event, in which case:

 - records should be kept for 7 years.

In the draught of the updated guidelines (much improved) last year this was changed to 5 years.

I can see that this is necessary for insurance purposes.

I understand why records need to be kept; the entry form has (or should have) the rider's consent to the terms and conditions of participation and of questionable worth, a record of intended participation (although they could still DNS so in itself not is not a record of riding the event). I assume it also covers them from an insurance perspective whether they are a member or not

In terms of the DPA, if AUK are asking the organiser to hold on to the entry forms (and they comply) then they definitely fall within the scope of any AUK DP policy. Francis mentioned that organisers are required to sign up to a Privacy Statement but there are still issues around data being incorrect that would need to be managed.

Although I can see that asking the organiser to hold these records may seem practical and is no doubt historical, this raises all kinds of issues in terms of accessing, securing and managing information. I expect this has been considered but a centralised paperless on-line entry system that still allows organisers to access entry information and update it would mean that organisers no longer need to store rider's personal information and would only need access to a limited subset of it. This would limit risks of a breach of the DPA and give AUK (potentially) more flexibility in how it uses personal information. I am not sure if this is what happens when I opt to enter via PayPal but the feeling I get from this thread is that some if not all of the data resides elsewhere (although the entry form seems to be generated by AUK's system).

Perhaps someone can clarify what happens with online entries (and the information we provide) currently.

H