data protection and event entries

[Hummers]

In practical reality, it would be difficult for anyone to prove that an organiser has infringed the DPA.  How would anyone know if I had held a file on my PC for longer than is necessary? It would only be known if the organiser had forwarded the material onto a third party or started spamming previous entrants.

Indeed and in the context of AUK, why would they really bother to pursue it however this doesn't let AUK off the hook.

Here are the reasons that a complaint would be considered (from the ICO) :

You have been denied any of your rights, including your right to see the personal information an organisation holds about you.

Personal information about you is used, held or disclosed:

• unfairly
• for a reason that is not the one it was collected for, or
• without proper security.

Personal information about you is:
• inadequate, irrelevant or excessive
• inaccurate or out of date, or
• kept for longer than is necessary.

The above has to backed up with evidence to be taken seriously and even then, the ICO push you to sort out the problem yourself and have no powers to award compensation, only to work with the individual and organsiation and at worst, order the organisation comply.

Like I said, organisations balance risk against information held but still have to consider DP implications. The pracrical outworking of this consideration is the DP policy which all people working under the auspices of the organisation should be aware of and comply with. It doesn't have to be onerous but it does have to exist and be followed.

H

[Philip Whiteman]

Hummers has it spot on.  E-mails should not be issued using the 'TO' field.  Equally, they must not be used to promote activities not immediate to the event and related audaxes.

Most of my communications for the Snowdrop/Sunrise Express are conducted electronically and restricted to the following messages:-

Pre-event
i.  the distribution of joining details and route cards;
ii. last minute changes to the event's details, if required;

Post-event
iii.  a post-event 'thank you' letter which also includes a summary of the day and details on lost property.
(delete all details apart from e-mail addresses)
iv.  9 months later, a notice to all previous entrants on joining details for the 2012 event.

Then delete remaining e-mail addresses.

[Greenbank]

Some mail clients will store the BCC field in the sent email, so don't forget to delete the email(s) from the sent folder, otherwise this can be construed as storing them (indefinitely).

[Jaded]

Consider your back-ups too.

 

[phil d]

It was quite a while ago, so might well have changed, but when I looked into this area in relation to the CTC Member Group (DA at that time!) I came to the conclusion that the DPA did not directly apply to what we as a local group were doing (which involved holding CTC member names and addresses on a computer).  I cannot recall whether this was because of a de minimis let-out, or we were non profit making, or some other reason.  Or maybe I drew the wrong conclusion.

Given that most organisers act independantly, under the rules of but not on behalf of AUK, I think that we are unlikely to be troubled by the force of law behind the DPA.

However, that does not remove a personal responsibility to try to protect an entrant's details, so fully agree with the need to carefully use BCCs when emailing to more than one.

[Hummers]

Not all organisations have to notify the ICO and apply to go on the pubic register of Data Controllers. There are grounds for exemption which may cover AUK and the example you offered.

However, any organisation holding personal information on its members, clients or customers is obliged to do so with regard to the 8 principles of the DPA. Again, from the ICO:

The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

Most organisations that process personal data must notify the ICO. However, there are some exemptions. Data controllers who are exempt from notification must comply with the other provisions of the Act, and may choose to notify voluntarily.

My experience is that due to the extra cost and hassle, most organisations elect not to be put on the register but maintain a DP policy.

H

[BlackSheep]

Consider your back-ups too.
 

Always a safe move.

ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronicly, eg, blown ROMs, HDD, FDD, memory sticks, et al?

Reason for asking, is I recall BBC's watch-dog comeing unstuck once. because the organisation they were persueing held all the data (quite litterally dozens of rooms) on paper.

[Manotea]

On the subject of direct marketing, I had a chat with a helpful type at the Info Commission Office yesterday. We had one of those interesting conversations where he could only advise me on the law which was that complaints of unsolicited direct mailing could result in prosecution and fines of £5k. However under close questioning(!) he agreed such cases are associated with egregious violations by large organisations, which hardly describes a cycling event organisor communicating with previous event riders. He also suggested that DM legislation is concerned with promotions; emails  advising, 'click here if you would like to know more' would be fine.

There is a potential issue with the volume of such missives riders might receive. Working on the basis that interested organisers might communicate with riders once or twice a year regarding this years programe, updates, etc. then even the most, um, promiscous riders might only receive a dozen emails a year. This is hardly onerous, especially if emails include an unsubscribe option. I'd be quite happy to receive email newsletters from JayP and other 'multiple offender' organisers such as Blacksheep and El Supremo (though ES may well be the last to go down that route!).

It similarly occurs to me that a four times a year AUK newletter to complement the publication of Arrivee might be useful for communicating with Auks & Non-Auks alike. This need not contain much in the way of original material but simply a cover letter with links to online materials such as Arrivee and other official notices (Committee meeting minutes, etc.) plus any other relevant 'stop press' info.

Clearly such activities need to be progressed sensibly. Any attempt at a structured hard sell of events and/or products is likely to be immediately counterproductive, and unsubscribe requests need to be actioned.

A personal view. IANAL.

[DanialW]

ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronicly, eg, blown ROMs, HDD, FDD, memory sticks, et al?

no

[mattc]

It similarly occurs to me that a four times a year AUK newletter to complement the publication of Arrivee might be useful for communicating with Auks & Non-Auks alike. This need not contain much in the way of original material but simply a cover letter with links to online materials such as Arrivee and other official notices (Committee meeting minutes, etc.) plus any other relevant 'stop press' info.

Clearly such activities need to be progressed sensibly. Any attempt at a structured hard sell of events and/or products is likely to be immediately counterproductive, and unsubscribe requests need to be actioned.

A personal view. IANAL.

Do you think that the AUK twitter feed is achieving some of this? Could it do more?

The thing about Twitter is that users can subscribe/unsubscribe at will!

[Jaded]

The thing about Twitter is that is is markedly less inclusive than email, which in itself is not wholly inclusive.

[mattc]

The thing about Twitter is that is is markedly less inclusive than email, which in itself is not wholly inclusive.

Very true. I mentioned it because:
- we already have it
- someone keen is stoking the boiler
- there are no legal issues (that I'm aware of!), or other bureaucratic barriers.

[Billy Weir]

As I've suggested in the past, AUK could consider a regular email that members and non-members opt in to.

It could make announcements of events where entries close in the next two weeks, links to historic articles from Arrivee and any proclaimations from the committee.  A bit like the emails that Cylcosport send out every week.

I would be prepared to help prepare this.  No doubt a formal proposal has to be submitted to the committee (this not being an official AUK board, but a collection of interested randonneur busy bodies, or something of that ilk!)

(This suggestion comes from not being a particular fan of unsolicited contact from individual organisers).

[DanialW]

If anyone has any suggestions for publicity, and, crucially, the time and willingness to make them happen, drop me a line.

[BlackSheep]

ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronicly, eg, blown ROMs, HDD, FDD, memory sticks, et al?

no

Thanks for that  , the most comprehensive answer from any committee member in my YACF history.


Then what does it apply to, I wonder?

[DanialW]

Thanks for that  ... then what does it apply to, I wonder?

The DPA applies to any personal data held in a filing system. A Rolodex or a GP's patient records would count as a relevant filing system.

[Jaded]

So it was changed from its original inception. I'm pretty sure it started out as electronic data only?

[Hummers]

Then what does it apply to, I wonder?

All on the ICO website but for your own personal digest Mr Blacksheep, there are three areas where paperwork and filing falls within the scope of the DPA in the AUK context but the definition is as follows:

Data means information which –

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Accessible record means that you can access and retrieve personal information/data because it is stored and arranged in a structured manner. An index or a structured filing system would facilitate this so this data would come into scope, even if it wasn't going to be recorded on a computer system.

So it was changed from its original inception. I'm pretty sure it started out as electronic data only?

This change was crystalised in the 1998 Act but there were changes prior to this regarding manual records held by local and health authorities that pre-date 1998. The 1984 act did not include paper or manual records and I think this is where the confusion comes from.

H

[ian_oli]

Direct marketing opt-in is required by legislation - the The Privacy and Electronic Communications (EC Directive) Regulations 2003. Any promotion of an Audax event by email is absolutely direct marketing as an audax is a service provided for a consideration. The fact that it is small scale and non-profit is neither here nor there.

The relevant section of the regulations is 22, shown below.

A point about Data Protection is also context. For instance, disclosure of most audaxers addresses will be quite harmless (you can find mine quite easily and so what) but someone who has moved house because of a stalker is a different matter. When someone enters an Audax you dont know their situation, therefore as an organiser you need to keep the address secure. You need to apply this sort of risk analysis to whatever information you do collect.



22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b)the direct marketing is in respect of that person’s similar products and services only; and

(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).

[Hummers]

<snip>

Direct marketing opt-in is required by legislation - the The Privacy and Electronic Communications (EC Directive) Regulations 2003. Any promotion of an Audax event by email is absolutely direct marketing as an audax is a service provided for a consideration. The fact that it is small scale and non-profit is neither here nor there.

The relevant section of the regulations is 22, shown below.

</snip>

Indeed. If you have signed up online to any sort of service over the last few years you will have seen opt-ins for both being contacted and the method by which you are being contacted. This is common practice and applies to all organisations that hold personal information and who want to use this to contact individuals.

Direct marketing, including contact individuals about activities of an organisation, falls under both the DPA and the P&EC regs. This would include emailing about events and things like the AGM. However for AUK, I suggest there is a simple way of complying to both for email based direct marketing for both new/renewing and existing members:

• When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisifies the DPA first principle)
• You offer new or renewing members the the opportunity to opt-out to direct email 'marketing' there and then (this satisifies the P&EC regs)
• For exisiting members, any communication sent out has a single line within the email that allows them to email back and opt out (this meets the P&EC regs under section 22(3) and is referred to as the 'soft opt-in' but is really an opt-out')

H

[phil d]

This is all well and good (and I have found the extensive replies above most informative - thanks chaps), but as I see it there is a disconnect between AUK on the one hand, and the organisers on the other. 

While we organise under AUK rules, we do not do it as part of, or even on behalf of, AUK (though may be organising on behalf of another membership organisation like a cycling club, or CTC).  So any opt-in or opt-out provided as part of the membership process arguably doesn't apply to us.

Which leaves us on our own.  I'm not particularly bothered, as I do not retain any personal information except the actual entry forms, and do not propose to start direct marketing my event.  But others could be affected.

[Hummers]

This is all well and good (and I have found the extensive replies above most informative - thanks chaps), but as I see it there is a disconnect between AUK on the one hand, and the organisers on the other.  

While we organise under AUK rules, we do not do it as part of, or even on behalf of, AUK (though may be organising on behalf of another membership organisation like a cycling club, or CTC).  So any opt-in or opt-out provided as part of the membership process arguably doesn't apply to us.

Which leaves us on our own.  I'm not particularly bothered, as I do not retain any personal information except the actual entry forms, and do not propose to start direct marketing my event.  But others could be affected.

I understand where you are coming from Phil and if you were just organising rides that were for your own and a number of other rider's personal enjoyment and maintained a personal email/contact list based on info they sent you directly (i.e. as Phil D, not AUK) then there's not problem. It could be argued that they still need an 'opt-out' but personal directories and mail lists are exempt from the DPA and P&EC regs.

However, you are effectively working on behalf of AUK if you are part of their data handling process and AUK should have a DP policy that covers your activity. This is not uncommon (volunteer based organisations do it all the time) and whilst the outworking might affect the way you handle data between you and AUK, in practice, I doubt it would make very little difference to what you do now or create any more work.

However, to safeguard both AUK and the privacy of its members, the DP policy should prohibit organisers from using this information for personal reasons or sharing it with another organisation.

Why is this?

Well, what can and does cause problems is when people start receiving unsolicited emails from either an individual or another organisation (e.g. your CTC DA Member Group) and feel that the information they have provided the original organisation (e.g. AUK) is being used for other reasons or passed onto 3rd party without their consent.  It's hardly an 'I'll see you in court thing' but it is bad practice and diminishes confidence in an organisation if they don't seem to be handling personal information securely and fairly.

<edit>
Reading your post again, I may have missed your point     but if you apply the same rules, if your club or your CTC group are collecting information on individuals and passing this onto AUK and off the back of this AUK starts sending that individual unsolicited emails, that's not good either. The onus falls on you/your club/your CTC group to get an individual's consent for this or AUK to provide an 'opt-out' in their mails.
</edit>

H

[frankly frankie]

• When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisifies the DPA first principle)

But AUK don't use the information in this way and AFAIK have no plans to.

And there is a Privacy Statement clearly accessible from every page of the new website.

And Organisers are all asked to sign up to a separate, more specific, privacy agreement.  (This has been in place for a couple of years at least, it's not compulsory, but in fact all bar one of current Organisers are signed up.)  That agreement doesn't specifically say anything about direct marketing, but it does include the phrase
"You must not use this information in any ways not directly related to the conduct of your Event(s)."

[Hummers]

• When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisifies the DPA first principle)

But AUK don't use the information in this way and AFAIK have no plans to.

And there is a Privacy Statement clearly accessible from every page of the new website.

And Organisers are all asked to sign up to a separate, more specific, privacy agreement.  (This has been in place for a couple of years at least, it's not compulsory, but in fact all bar one of current Organisers are signed up.)  That agreement doesn't specifically say anything about direct marketing, but it does include the phrase
"You must not use this information in any ways not directly related to the conduct of your Event(s)."

Francis, I have no idea of the internal workings of AUK, what has been agreed with Organisers or knowledge of what it might choose to do with the information it holds on its members.

I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy. I'm not commenting on what AUK may or may not have in place as that's clearly the domain for people like you who have more of an understanding as to how these principles have or have not been applied.

H

[AndyH]

</snip>

• When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisifies the DPA first principle)
• You offer new or renewing members the the opportunity to opt-out to direct email 'marketing' there and then (this satisifies the P&EC regs)
• For exisiting members, any communication sent out has a single line within the email that allows them to email back and opt out (this meets the P&EC regs under section 22(3) and is referred to as the 'soft opt-in' but is really an opt-out')

H

But AUK don't use the information in this way and AFAIK have no plans to.

Various other threads have talked about communications, e.g. organisers requiring email addresses, Arrivee being made available electronically, the handbook only being available in electronic form etc. The world is going that way, and although there are no current plans to use the stored info for communications purposes surely it can only be a matter of time? If this is not a current requirement then there is a window in which to implement a policy and build the database of opt ins & opt outs.

Then there's the question of organisers emailing event details to previous year's entrants. I had one about the Dorset Downs the other day. I've no idea how the organiser got my email address, but it was not an unwelcome email.* The line between it being an individual organiser working on his own and an AUK email is blurred in my mind, because the information was about an event for which is held under AUK regulations and for which I'd get AUK points. If it wasn't I probably wouldn't be so interested. The rider info that AUK provides to organisers to populate start sheets could include the opt in / out info so organisers would know if they could contact riders in subsequent years.

The steps Hummers outlined seem sensible if not immediately required.

* Actually IIRC last year I entered online but through the organisers own facility, not the AUK / Paypal one. They have obviously stored my email address. I can't remember I was asked for consent, but it's always good to recieve a cycling related email when I should be working