Author Topic: data protection and event entries  (Read 11964 times)

frankly frankie

  • I kid you not
    • Fuchsiaphile
data protection and event entries
« on: 14 February, 2011, 02:24:48 pm »
Split from the £10 event fee thread by request


MV




I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Yes, CTC DAs were removed from Entry Forms years ago - it's sad that the cards haven't caught up.  They are printed in huge bulk (the outsides that is) and even when a change is made it can take 6 months to work through all the old stock.

when you're dead you're done, so let the good times roll

mattc

  • n.b. have grown beard since photo taken
    • Didcot Audaxes
data protection and event entries
« Reply #1 on: 14 February, 2011, 02:28:29 pm »
DAs don't exist? Good point - someone should correct this data:

Results for current season

(must go and pay my road tax ... )
Has never ridden RAAM
---------
No.11  Because of the great host of those who dislike the least appearance of "swank " when they travel the roads and lanes. - From Kuklos' 39 Articles

DanialW

data protection and event entries
« Reply #2 on: 14 February, 2011, 02:30:50 pm »
I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Nah. It's all about what's reasonable, and what you say you're going to do with the data. If an entrant gives you their address, it's reasonable for everyone to assume that that information will be keyed into a database somewhere. This applies both to organisers and AUK.

IFor belt and braces, what AUK needs is a proper privacy policy. LEL has one, and it wouldn't take that much work to apply it to AUK.

JohnHamilton

data protection and event entries
« Reply #3 on: 14 February, 2011, 02:43:11 pm »
I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Nah. It's all about what's reasonable, and what you say you're going to do with the data. If an entrant gives you their address, it's reasonable for everyone to assume that that information will be keyed into a database somewhere. This applies both to organisers and AUK.

IFor belt and braces, what AUK needs is a proper privacy policy. LEL has one, and it wouldn't take that much work to apply it to AUK.

Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

DanialW

data protection and event entries
« Reply #4 on: 14 February, 2011, 03:36:13 pm »
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)

data protection and event entries
« Reply #5 on: 14 February, 2011, 05:41:07 pm »
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next years route/new rides etc.  by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.
Events I am running: 5th September 2021, the unseasonal Wellesden Reliability; HOPEFULLY Early April 2022, 3 Down London - New Forest 300K Audax;

Manotea

  • Where there is doubt...
data protection and event entries
« Reply #6 on: 14 February, 2011, 07:47:25 pm »
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next years route/new rides etc.  by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.

On the one hand the DPA and direct marketing legislation really isn't aimed at the likes of AUK event organisers, although we do need to be aware of it.

On the other, tweaking the event application form to include a field explicitly requesting permission to contact riders regarding future events is not something we have to wait on AUK to action, especially as nowadays most riders do not fill in calendar event application forms anyway. Nowadays I email out route sheets. It would be easy as to include a rider registration form to collect whatever info we want basically.

Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possiby two.

I'm making this up as I go along really but where there's a will, there's a way.

Jaded

  • The Codfather
  • Formerly known as Jaded
data protection and event entries
« Reply #7 on: 14 February, 2011, 07:57:34 pm »
Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possiby two.

or 5!
It is simpler than it looks.

DanialW

data protection and event entries
« Reply #8 on: 14 February, 2011, 08:55:03 pm »
Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possiby two.

I'm making this up as I go along really but where there's a will, there's a way.

Absolutely. "where there's a will, there's a way" sums it up pretty nicely. As long as you tell people what you intend to do, and you give them the option to opt out*, you can use people's basic information to contact them as you please.

It's complicated in part because organisers keep data in addition to the AUK databases.

This probably falls under my patch, so perhaps I'll have a go at knocking something up.


JayP

  • You must be joking
data protection and event entries
« Reply #9 on: 15 February, 2011, 01:21:31 pm »

Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next years route/new rides etc.  by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.

On the one hand the DPA and direct marketing legislation really isn't aimed at the likes of AUK event organisers, although we do need to be aware of it.

On the other, tweaking the event application form to include a field explicitly requesting permission to contact riders regarding future events is not something we have to wait on AUK to action, especially as nowadays most riders do not fill in calendar event application forms anyway. Nowadays I email out route sheets. It would be easy as to include a rider registration form to collect whatever info we want basically.

Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possiby two.

I'm making this up as I go along really but where there's a will, there's a way.
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this years rides from Broken Cross to everyone on the list. . It was a straightforward thing to do and not by any means an original idea.  I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occured to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

data protection and event entries
« Reply #10 on: 15 February, 2011, 10:07:09 pm »
  • No one has ever told me that I should delete contact data after an event.
  • It never occured to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context
spam. Unsolicited email. Doesn't have to be about viagra or nigerian lottery. CTC spammed me.

data protection and event entries
« Reply #11 on: 15 February, 2011, 10:51:48 pm »
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this years rides from Broken Cross to everyone on the list. . It was a straightforward thing to do and not by any means an original idea.  I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occured to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!

simonp

data protection and event entries
« Reply #12 on: 15 February, 2011, 11:08:38 pm »
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this years rides from Broken Cross to everyone on the list. . It was a straightforward thing to do and not by any means an original idea.  I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occured to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!

It doesn't matter. Spammers in the traditonal sense make money out of a few people who click on the link and buy the fake Viagra. It's still a pain for everyone else. This kind of thing should be an opt-in because it should be up to the rider to choose.

I'm sure with Danial on the case, though, the Right Thing will be done.

LittleWheelsandBig

  • Whimsy Rider
data protection and event entries
« Reply #13 on: 15 February, 2011, 11:10:32 pm »
Mods: Can we split the spam/ entrant details discussion out of this thread? It is way off-topic.
Wheel meet again, don't know where, don't know when...

border-rider

Re: data protection and event entries
« Reply #14 on: 15 February, 2011, 11:39:43 pm »
Done

Hummers

  • It is all about the taste.
Re: data protection and event entries
« Reply #15 on: 16 February, 2011, 09:57:54 am »
There is a lot of hot air blown around about the DPA and what it means, despite it being largely common sense and the prolific amount of information on the subject with some pretty useful guidance from the Information Commissioner’s Office (ICO) from which I quote:

Quote
The Act works in two ways. Firstly, it helps to protect your interests by obliging organisations to manage the information they hold in a proper way. It states that anyone who processes personal information must comply with eight principles, which make sure that it is:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate and up to date;
• not kept for longer than is necessary;
• processed in line with an individual's rights;
• secure; and
• not transferred to other countries (outside of the EU) without adequate protection.

The second area covered by the Act gives you important rights, including the right to know what information is held about you and the right to correct information that is wrong. You also have the right to claim compensation through the courts if an organisation breaches the Act and this causes you damage, such as financial loss. If it has, you can also claim for distress.

The risk to organisations (registered or not) is that someone can claim and prove loss or damages due to a breach of the DPA. This is what most organisations are worried about and a Data Protection policy is intended to safeguard both the organisation and individuals against a breach. This does not have to be an exhaustive policy but how onerous it becomes is normally governed by the risk of a successful claim being brought against an organisation due to a breach of the information they hold. For example, as far as I  am aware, none of the info AUK hold is 'sensitive personal information' that might lead to discrimination against an individual, leading to personal loss and subsequent distress/damages.  Does AUK have a DP policy?

In addition, the rights of an individual, as alluded to above,  are as follows:

• Ask to access information relating to them
• Ask to correct information relating to them
• Ask to prevent processing of information (you can ask but the organisation is not bound to comply)
• Ask to stop unsolicited marketing (you can ask them to stop and they have to comply)
• Ask to stop automated decision making (i.e. where decisions are not made by people)


Whilst AUK may be exempt from notifying the ICO, it does hold and manages personally identifiable data and as such, should follow the 8 principles of the act however this does not have to be limited to AUK specifc information. For example, AUK may hold information about CTC membership as long as it is accurate, is associated and used in the context of the individual's activity or membership and is held/managed securely. It could be argued that despite the term 'DA' being an anachronism, it is still relevant to (some) individuals and the activities they are engaged in that are facilitated by AUK. In other words, although strictly speaking it should be replaced with the term 'Member Group', it could be argued that 'DA' implies the same thing until such time as the new stock of cards are printed.

One area where AUK might want to think about is the website component of AUK where personally identifiable data is shared with other members and anyone who lands on the site. This information is limited but is shared nonetheless. A stock item within most DP policies is that individuals give their consent to the processing of information and especially where this information is shared with 3rd parties. I don't see anything like that on the online entry (and couldn't remember consenting to it) but if not covered off elsewhere, I suggest two tick boxes be added to either the online entry or terms of membership with wording along the lines of "I consent to AUK storing my details and using these to process information related to activities associated with my membership" plus "I consent to my participation in AUK events being publicised on the AUK website and visible to both AUK members and the general public"

H

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: data protection and event entries
« Reply #16 on: 16 February, 2011, 10:19:26 am »
Not disagreeing with any of the above (though my personal, cynical, belief is that DPA is largely about ownership of data and only incidentally about individuals' rights) - but as far as listings are concerned - they're only names.  Names don't indentify anybody - do they?
when you're dead you're done, so let the good times roll

Re: data protection and event entries
« Reply #17 on: 16 February, 2011, 10:24:26 am »
Names don't indentify anybody - do they?

They can, and email addresses most certainly can.
"Yes please" said Squirrel "biscuits are our favourite things."

AndyH

Re: data protection and event entries
« Reply #18 on: 16 February, 2011, 10:39:39 am »
Excellent informative post Hummers. (I read it twice and still can't find the punchline)

Simple requirement for an opt in option or options. I think AUK is about the only organisation where I would actually tick the yes box to receiving email etc.

Hummers

  • It is all about the taste.
Re: data protection and event entries
« Reply #19 on: 16 February, 2011, 10:46:45 am »
Not disagreeing with any of the above (though my personal, cynical, belief is that DPA is largely about ownership of data and only incidentally about individuals' rights) - but as far as listings are concerned - they're only names.  Names don't indentify anybody - do they?

Your belief is one thing, the DPA is another. Whilst there is a lot of room for hypothesis on what the DPA means to an organisation, the Act has two parts relating to: 1) the obligations of the organsiation holding data and 2) the rights of the individual they are holding it for. I'd like to say that the drive fro a DP policy cosmes from wanting to be responsible for the handing of individual's data but my experience is that the vast majority of Not for Profit organisations , although exempt from notifying the ICO, are more motivated by the threat of being sued due to a breach of the DPA than anything else.

Also you don't just use names, you also use the AUK number which uniquely identifies individuals. The fact that these numbers is only relevant to the AUK 'system' is irrelevant.

H

JayP

  • You must be joking
Re: data protection and event entries
« Reply #20 on: 16 February, 2011, 10:58:04 am »
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this years rides from Broken Cross to everyone on the list. . It was a straightforward thing to do and not by any means an original idea.  I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occured to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!

It doesn't matter. Spammers in the traditonal sense make money out of a few people who click on the link and buy the fake Viagra. It's still a pain for everyone else. This kind of thing should be an opt-in because it should be up to the rider to choose.

I'm sure with Danial on the case, though, the Right Thing will be done.


Catch 23
God: Thou shalt not write to people unless you have already written to them to ask their permission to write to them.
Devil: Result!!

A bit frivolous but there is a point. My take is that Spam is just a business model. One which utilises the cheapness of email to make take-up from a tiny proportion of a huge audience viable. Those who use this model are oblivious to its nuisance value and If God gives the Devil his(/her) result with these people well and good. But the rest of us have been shot in the foot unless we draw a line which separates the benign witter and twitter of us nice ordinary folk from the Spammers.
Drawing lines is always difficult and all lines are contentious in their neighbourhood but the outliers are usually beyond dispute. I would say that the Viagra salesman is very very far on one side of the line and the organiser sending future long-ride information to other members of the same long-ride club is very very far on the other.
That said I think I’d vote for an opt-in tick box somewhere or other too. It’s not difficult to set up and keeps everyone happy so why not.
In any case I’ve sent mine for this year and no-one’s complained so far and this thread has given it some added value. Thank you Itinerant and Andy C, and other folk who email’d me, for your kind and positive remarks. I think the exercise will prove to be worthwhile.

Re: data protection and event entries
« Reply #21 on: 16 February, 2011, 11:09:13 am »
(I read it twice and still can't find the punchline)

Try it again, this time out loud and in the style of Bob Fleming from the Fast Show.  The sentence involving the words "consent", "DP", "shared" and "parties" becomes a right hoot.

Hummers

  • It is all about the taste.
Re: data protection and event entries
« Reply #22 on: 16 February, 2011, 11:16:49 am »
(I read it twice and still can't find the punchline)

Try it again, this time out loud and in the style of Bob Fleming from the Fast Show.  The sentence involving the words "consent", "DP", "shared" and "parties" becomes a right hoot.

 :P

H

Re: data protection and event entries
« Reply #23 on: 16 February, 2011, 11:35:10 am »
In practical reality, it would be difficult for anyone to prove that an organiser has infringed the DPA.  How would anyone know if I had held a file on my PC for longer than is necessary? It would only be known if the organiser had forwarded the material onto a third party or started spamming previous entrants.
Organiser of Droitwich Cycling Club audaxes.  https://www.droitwichcyclingclub.co.uk/audax/

Hummers

  • It is all about the taste.
Re: data protection and event entries
« Reply #24 on: 16 February, 2011, 11:35:52 am »

That said I think I’d vote for an opt-in tick box somewhere or other too. It’s not difficult to set up and keeps everyone happy so why not.


If it is something you are concerned about and if it is you advertising your personaly organised or club rides (some may not be an Audax), a line on the bottom of the email saying something like...:

"If you don't want to receive information on my forthcoming rides, please reply to this email and ask be taken off the mailing list"

... obvious I know but it would give people a clear opt out.

The biggest potential 'privacy' issue with 'Forthcoming rides emails' is when everyone's email address is included in the 'To' field. If you are using Outlook, the way around this is to create your own personal distribution list, add the email addresses into this then use this list in the 'BCC' field with a dummy (or your own) email address in the 'To' field so that the email will go out.

H