Publishing rider names on club events

[Kim]

Just out of interest, why does the club need to know where a member lives? I’ve not come across a club in quite a while that still needs this information.

To send luddites a paper copy of the club magazine?

[Tim Hall]

If you asked for permission to process personal data for membership administration purposes, your club would be doing it wrong.

Can you expand on that?Do you mean the club doesn't need to ask for permission to process data if its for admin reasons? 

[SpaceBadger]

Just out of interest, why does the club need to know where a member lives? I’ve not come across a club in quite a while that still needs this information.

To send luddites a paper copy of the club magazine?

That's one reason I was thinking about. Clubs that do this seem to be in a significant minority these days having migrated to email.

[SpaceBadger]

If you asked for permission to process personal data for membership administration purposes, your club would be doing it wrong.

Can you expand on that?Do you mean the club doesn't need to ask for permission to process data if its for admin reasons?

Happy to. The key aspect of most data protection considerations is the purpose of the processing. In the case of someone joining a club, one purpose for processing the member's information is for the club to fulfil that membership contract (maintain membership records, take payment, invite renewals etc.). Once purpose is established, the most appropriate lawful basis (or bases) needs to be identified. For membership, it would be that it is necessary to process that person's information for the performance of a contract (see Article 6 (1) (b) here https://www.mishcon.com/uk-gdpr/article-6). Note that it is necessary, so no request for permission (consent) needs to be made. Consent is a separate lawful basis that would suit other purposes where the individual can be given a free choice without detriment. An example might be asking them if their image can be used to promote the club.

Processing for fulfilment of a contract is narrowly interpreted, so don't stretch it. Define other purposes (if there are any) and match to appropriate other bases. It's not usually too tricky, just requires a bit of thought, starting with clarity of purpose i.e. what is the club needing to do and why?

[Kim]

Just out of interest, why does the club need to know where a member lives? I’ve not come across a club in quite a while that still needs this information.

To send luddites a paper copy of the club magazine?

That's one reason I was thinking about. Clubs that do this seem to be in a significant minority these days having migrated to email.

I think the BHPC has a single member who doesn't have an email address.
And many who do, but prefer to receive the magazine in dead tree format.  (It would save effort go purely electronic, but the magazine is the primary attraction of the club for many of our members, so it seems a bit mean not to offer the option if people are prepared for the fees to cover the costs.)

[Tim Hall]

If you asked for permission to process personal data for membership administration purposes, your club would be doing it wrong.

Can you expand on that?Do you mean the club doesn't need to ask for permission to process data if its for admin reasons?

Happy to. The key aspect of most data protection considerations is the purpose of the processing. In the case of someone joining a club, one purpose for processing the member's information is for the club to fulfil that membership contract (maintain membership records, take payment, invite renewals etc.). Once purpose is established, the most appropriate lawful basis (or bases) needs to be identified. For membership, it would be that it is necessary to process that person's information for the performance of a contract (see Article 6 (1) (b) here https://www.mishcon.com/uk-gdpr/article-6). Note that it is necessary, so no request for permission (consent) needs to be made. Consent is a separate lawful basis that would suit other purposes where the individual can be given a free choice without detriment. An example might be asking them if their image can be used to promote the club.

Processing for fulfilment of a contract is narrowly interpreted, so don't stretch it. Define other purposes (if there are any) and match to appropriate other bases. It's not usually too tricky, just requires a bit of thought, starting with clarity of purpose i.e. what is the club needing to do and why?

Thanks. Useful, informative reply.

[drossall]

It's worth reading what the Information Commissioner says on this - if you can't offer a real choice, consent is probably the wrong basis for processing. Since you can't have people as members who won't let you record their details and tell them about AGMs etc, it's very hard to see how you could run a membership system on the basis of consent - unless you stretch the meaning to, "Don't join unless you agree to this." And the ICO wouldn't accept that as consent, because it's not freely given.

SpaceBadger's point about stretching it includes mixed messaging. Whilst a membership renewal would not normally be processed on the basis of consent, promotion of club activities often would be. Then, including news about club activities with what was primarily a renewal notice could put you on shaky ground.

[TimC]

Data handling and processing is a necessary part of club administration, so it is logical that it is a condition of membership that the putative member allows the club to hold and process the minimal amount of data necessary to do the job. If the putative member cannot agree to that condition, then they obviously cannot be a member. Is that what you mean by 'consent'?

[Regulator]

It's worth reading what the Information Commissioner says on this - if you can't offer a real choice, consent is probably the wrong basis for processing. Since you can't have people as members who won't let you record their details and tell them about AGMs etc, it's very hard to see how you could run a membership system on the basis of consent - unless you stretch the meaning to, "Don't join unless you agree to this." And the ICO wouldn't accept that as consent, because it's not freely given.

SpaceBadger's point about stretching it includes mixed messaging. Whilst a membership renewal would not normally be processed on the basis of consent, promotion of club activities often would be. Then, including news about club activities with what was primarily a renewal notice could put you on shaky ground.

Yes.

You should seek consent for all aspects of processing, as consent is the fundamental basis for processing (this is not a case where many of the other grounds would apply).  So you'd get consent to process for membership/renewal and get opt-in consent for mailings.  If you're going to publish names of riders (as per the OP) you should also get consent for that.

You can do all this in a single document/sign up process - but the nature of the proposed processing needs to be clear and explicit.  Each part of the sign up process should have a separate way of indicating consent (e.g. a tick box).  And best practice is that it should be opt-in rather than opt-out.

If you're handling sensitive personal data (special category data in GDPR parlance) then that's a whole other kettle of fish and clubs/societies often fail to meet the requirements there, not realising that they may be processing SPD/SCD.

[SpaceBadger]

Data handling and processing is a necessary part of club administration, so it is logical that it is a condition of membership that the putative member allows the club to hold and process the minimal amount of data necessary to do the job. If the putative member cannot agree to that condition, then they obviously cannot be a member. Is that what you mean by 'consent'?

Not quite. You can stop at necessary. No one has or should be asked to agree to or allow having their information processed for club membership administration. It shouldn’t therefore be bundled with any conditions. If you want to be a member, you have to give the club xyz information.They don’t have a free, without detriment choice, so giving a choice, or the illusion of one is inappropriate.Take the Inland Revenue, for instance. They don’t ask for your permission to process your information because they don’t need to.

Some information may be optional and this is fine. For example, if you want to receive a hard copy newsletter, provide your address (and your address will only be used for that purpose).Insisting on holding everyone’s address for a small minority who choose a hard copy would be a problem. Imagine a club membership list gets left in the pub at a committee meeting. If you wanted to know which sheds or garages to target as a crook, it would be a very useful starting point.

What is collected and how it is minimised, used, secured, kept up to date etc. must comply with the seven data protection principles which is important to ensure the club operates lawfully and the members have confidence. Having an appropriate lawful basis before you start (consent, contractual necessity etc) is one part of one of the seven principles.

[Regulator]

Data handling and processing is a necessary part of club administration, so it is logical that it is a condition of membership that the putative member allows the club to hold and process the minimal amount of data necessary to do the job. If the putative member cannot agree to that condition, then they obviously cannot be a member. Is that what you mean by 'consent'?

Not quite. You can stop at necessary. No one has or should be asked to agree to or allow having their information processed for club membership administration. It shouldn’t therefore be bundled with any conditions. If you want to be a member, you have to give the club xyz information.They don’t have a free, without detriment choice, so giving a choice, or the illusion of one is inappropriate.Take the Inland Revenue, for instance. They don’t ask for your permission to process your information because they don’t need to.

Some information may be optional and this is fine. For example, if you want to receive a hard copy newsletter, provide your address (and your address will only be used for that purpose).Insisting on holding everyone’s address for a small minority who choose a hard copy would be a problem. Imagine a club membership list gets left in the pub at a committee meeting. If you wanted to know which sheds or garages to target as a crook, it would be a very useful starting point.

What is collected and how it is minimised, used, secured, kept up to date etc. must comply with the seven data protection principles which is important to ensure the club operates lawfully and the members have confidence. Having an appropriate lawful basis before you start (consent, contractual necessity etc) is one part of one of the seven principles.

That is because the Inland Revenue is processing data in pursuance of a statutory duty and therefore the processing has a statutory basis.  That's nothing like membership of a club.

[SpaceBadger]

It's worth reading what the Information Commissioner says on this - if you can't offer a real choice, consent is probably the wrong basis for processing. Since you can't have people as members who won't let you record their details and tell them about AGMs etc, it's very hard to see how you could run a membership system on the basis of consent - unless you stretch the meaning to, "Don't join unless you agree to this." And the ICO wouldn't accept that as consent, because it's not freely given.

SpaceBadger's point about stretching it includes mixed messaging. Whilst a membership renewal would not normally be processed on the basis of consent, promotion of club activities often would be. Then, including news about club activities with what was primarily a renewal notice could put you on shaky ground.

You should seek consent for all aspects of processing, as consent is the fundamental basis for processing (this is not a case where many of the other grounds would apply).  So you'd get consent to process for membership/renewal and get opt-in consent for mailings.  If you're going to publish names of riders (as per the OP) you should also get consent for that.

That’s not appropriate. All the bases are equal. Consent holds no special prominence. It’s about finding the best match for the processing purpose. Consent for membership related matters would be wrong and expose the club to issues.

[SpaceBadger]

Data handling and processing is a necessary part of club administration, so it is logical that it is a condition of membership that the putative member allows the club to hold and process the minimal amount of data necessary to do the job. If the putative member cannot agree to that condition, then they obviously cannot be a member. Is that what you mean by 'consent'?

Not quite. You can stop at necessary. No one has or should be asked to agree to or allow having their information processed for club membership administration. It shouldn’t therefore be bundled with any conditions. If you want to be a member, you have to give the club xyz information.They don’t have a free, without detriment choice, so giving a choice, or the illusion of one is inappropriate.Take the Inland Revenue, for instance. They don’t ask for your permission to process your information because they don’t need to.

Some information may be optional and this is fine. For example, if you want to receive a hard copy newsletter, provide your address (and your address will only be used for that purpose).Insisting on holding everyone’s address for a small minority who choose a hard copy would be a problem. Imagine a club membership list gets left in the pub at a committee meeting. If you wanted to know which sheds or garages to target as a crook, it would be a very useful starting point.

What is collected and how it is minimised, used, secured, kept up to date etc. must comply with the seven data protection principles which is important to ensure the club operates lawfully and the members have confidence. Having an appropriate lawful basis before you start (consent, contractual necessity etc) is one part of one of the seven principles.

That is because the Inland Revenue is processing data in pursuance of a statutory duty and therefore the processing has a statutory basis.  That's nothing like membership of a club.

Yes, thank you. I know that. It was to illustrate with a different example of how consent is not necessary or appropriate.

[Regulator]

It's worth reading what the Information Commissioner says on this - if you can't offer a real choice, consent is probably the wrong basis for processing. Since you can't have people as members who won't let you record their details and tell them about AGMs etc, it's very hard to see how you could run a membership system on the basis of consent - unless you stretch the meaning to, "Don't join unless you agree to this." And the ICO wouldn't accept that as consent, because it's not freely given.

SpaceBadger's point about stretching it includes mixed messaging. Whilst a membership renewal would not normally be processed on the basis of consent, promotion of club activities often would be. Then, including news about club activities with what was primarily a renewal notice could put you on shaky ground.

You should seek consent for all aspects of processing, as consent is the fundamental basis for processing (this is not a case where many of the other grounds would apply).  So you'd get consent to process for membership/renewal and get opt-in consent for mailings.  If you're going to publish names of riders (as per the OP) you should also get consent for that.

That’s not appropriate. All the bases are equal. Consent holds no special prominence. It’s about finding the best match for the processing purpose. Consent for membership related matters would be wrong and expose the club to issues.

Actually, that is best practice. 

Under GDPR, the basic principle is that processing of personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.

Consent should always be the first option (and that consent should  always people genuine choice and control over how you use their data).

Even where the processing is expressly allowed by law, consent may be required for some aspects of processing (one of the reasons the NHS has issues over handing over data to third parties).

[SpaceBadger]

I continue to disagree with you on several levels, but you seem convinced. I wish you well and I don’t think carrying this on is helpful to the question asked. If we are discussing in the context of a UK club, it’s the UK GDPR.

[TimC]

Data handling and processing is a necessary part of club administration, so it is logical that it is a condition of membership that the putative member allows the club to hold and process the minimal amount of data necessary to do the job. If the putative member cannot agree to that condition, then they obviously cannot be a member. Is that what you mean by 'consent'?

Not quite. You can stop at necessary. No one has or should be asked to agree to or allow having their information processed for club membership administration. It shouldn’t therefore be bundled with any conditions. If you want to be a member, you have to give the club xyz information.They don’t have a free, without detriment choice, so giving a choice, or the illusion of one is inappropriate.Take the Inland Revenue, for instance. They don’t ask for your permission to process your information because they don’t need to.

Some information may be optional and this is fine. For example, if you want to receive a hard copy newsletter, provide your address (and your address will only be used for that purpose).Insisting on holding everyone’s address for a small minority who choose a hard copy would be a problem. Imagine a club membership list gets left in the pub at a committee meeting. If you wanted to know which sheds or garages to target as a crook, it would be a very useful starting point.

What is collected and how it is minimised, used, secured, kept up to date etc. must comply with the seven data protection principles which is important to ensure the club operates lawfully and the members have confidence. Having an appropriate lawful basis before you start (consent, contractual necessity etc) is one part of one of the seven principles.

Gotcha. I wasn't implying that we ask consent to handle the member's data, simply that if we can't handle the data, they can't be a member! In our club, we tell them that we handle it, how we handle it and what they can do to edit it, and that it is deleted once they cease to be a member. We don't ask for consent. That's implied by the application to join.

[drossall]

Consent should always be the first option (and that consent should always people genuine choice and control over how you use their data).

I agree with SpaceBadger and, in my reading, the Information Commissioner does too, when advising on when consent is appropriate. Some particular quotes from that page, and my comments in italics:

Do we always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest.
You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing.

For club membership, the issue is, as I said, that you can't have members who don't want you to record their data. You need to be able to notify them of renewals, AGMs, and so on. You specifically should not give the impression that they can opt out of these things (and remain members).

You are likely to need to consider consent when no other lawful basis obviously applies.

Which is rather different from saying that consent is the first option to use. Note also that the ICO point out that agreeing to things (for example to become a member, in the knowledge of what the club will do with your data to maintain that membership) is not the same thing as consent.

However, like SpaceBadger, I accept that the responsibility for following the principles lies with the local trustees/administrators (data controllers), and that you are convinced of your interpretation, so I won't continue the discussion.

[Regulator]

Consent should always be the first option (and that consent should always people genuine choice and control over how you use their data).

I agree with SpaceBadger and, in my reading, the Information Commissioner does too, when advising on when consent is appropriate. Some particular quotes from that page, and my comments in italics:

Do we always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest.
You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing.

For club membership, the issue is, as I said, that you can't have members who don't want you to record their data. You need to be able to notify them of renewals, AGMs, and so on. You specifically should not give the impression that they can opt out of these things (and remain members).

You are likely to need to consider consent when no other lawful basis obviously applies.

Which is rather different from saying that consent is the first option to use. Note also that the ICO point out that agreeing to things (for example to become a member, in the knowledge of what the club will do with your data to maintain that membership) is not the same thing as consent.

However, like SpaceBadger, I accept that the responsibility for following the principles lies with the local trustees/administrators (data controllers), and that you are convinced of your interpretation, so I won't continue the discussion.

You need to read the ICO's advice in the context of the purpose for the processing.  As the ICO says "You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing". 

Being a voluntary member of a club is very different that the taxman processing your data, or your employer processing data, or the health service processing data.  You couldn't rely on:

- vital interests
- compliance with a legal obligation
- public task

If you're joining a club arguably you are creating a contract - but the contract would need to specify the nature of any processing that would be undertaken.  There may be more than one type of processing going on and each purpose would need to be specified* and would need to be necessary. 

You could potentially argue legitimate interests  but these are actually narrower in scope than many people think.  In order to rely on rely on legitimate interest, the processing must be necessary.  It's difficult to argue that publishing** the names of riders (to go back to the OP) is necessary or even that receiving club communications (other than in relation to the membership itself) is necessary.  Also, if you rely on legitimate interests, the data subject has the right to object.


*Not necessarily in the contract/membership agreement but potentially in a privacy notice, that would have to be available at the time of application.
**Recording the names of those on a ride might well be necessary for insurance purposes but publishing them isn't.

[DuncanM]

My club have a checkbox that you have to tick in order for them to send you a Christmas card. 

Surely, when you join the club there's some small print saying you consent to them storing that information for membership related purposes? Publishing the details of who went on what club run is hardly that though.

[Lightning Phil]

Indeed back on topic.  They should not be publishing names of riders who went on events, unless said riders have explicitly consented.  That has nothing to do with holding details for membership purposes.

Also agree that it’s not necessary to have addresses for membership details these days, unless it’s the snail mail club and all club communications must be by letter or postcard or carrier pigeon.

[robgul]

Yep - I'm perfectly happy with the admin/membership requirements for my name, address, British Cycling membership (club is affiliated) etc - it's the publication of my name on the "ride reports" that I'm not happy with. 

BTW the reports are a complete waste of time - "we rode along nn lane, had coffee at nnn and then rode back, it was raining, speed was nn mph, climbing was nn ft, riders were nnn nnnn etc" - who gives a toss? - it's old news, it's happened!

There are better ways of keeping records of rides/ride participants