Yet Another Cycling Forum

General Category => Audax => Topic started by: frankly frankie on February 14, 2011, 02:24:48 pm

Title: data protection and event entries
Post by: frankly frankie on February 14, 2011, 02:24:48 pm
Split from the £10 event fee thread (http://yacf.co.uk/forum/index.php?topic=43740.0) by request


MV



I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Yes, CTC DAs were removed from Entry Forms years ago - it's sad that the cards haven't caught up.  They are printed in huge bulk (the outsides that is) and even when a change is made it can take 6 months to work through all the old stock.

Title: data protection and event entries
Post by: mattc on February 14, 2011, 02:28:29 pm
DAs don't exist? Good point - someone should correct this data:

Results for current season (http://www.aukweb.net/results/detail/this/ctc)

(must go and pay my road tax ... )
Title: data protection and event entries
Post by: DanialW on February 14, 2011, 02:30:50 pm
I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Nah. It's all about what's reasonable, and what you say you're going to do with the data. If an entrant gives you their address, it's reasonable for everyone to assume that that information will be keyed into a database somewhere. This applies both to organisers and AUK.

For belt and braces, what AUK needs is a proper privacy policy. LEL has one, and it wouldn't take that much work to apply it to AUK.
Title: data protection and event entries
Post by: JohnHamilton on February 14, 2011, 02:43:11 pm
I think storing non-auk details is a DPA issue as well.  Names is OK, but addresses may be going too far, I dunno.

Nah. It's all about what's reasonable, and what you say you're going to do with the data. If an entrant gives you their address, it's reasonable for everyone to assume that that information will be keyed into a database somewhere. This applies both to organisers and AUK.

For belt and braces, what AUK needs is a proper privacy policy. LEL has one, and it wouldn't take that much work to apply it to AUK.

Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.
Title: data protection and event entries
Post by: DanialW on February 14, 2011, 03:36:13 pm
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
Title: data protection and event entries
Post by: ian_oli on February 14, 2011, 05:41:07 pm
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next year's route/new rides etc. by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.
Title: data protection and event entries
Post by: Manotea on February 14, 2011, 07:47:25 pm
Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next year's route/new rides etc. by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.

On the one hand the DPA and direct marketing legislation really isn't aimed at the likes of AUK event organisers, although we do need to be aware of it.

On the other, tweaking the event application form to include a field explicitly requesting permission to contact riders regarding future events is not something we have to wait on AUK to action, especially as nowadays most riders do not fill in calendar event application forms anyway. Nowadays I email out route sheets. It would be easy to include a rider registration form to collect whatever info we want, basically.

Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possibly two.

I'm making this up as I go along really but where there's a will, there's a way.
Title: data protection and event entries
Post by: Jaded on February 14, 2011, 07:57:34 pm
Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possibly two.

or 5!
Title: data protection and event entries
Post by: DanialW on February 14, 2011, 08:55:03 pm
Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possibly two.

I'm making this up as I go along really but where there's a will, there's a way.

Absolutely. "where there's a will, there's a way" sums it up pretty nicely. As long as you tell people what you intend to do, and you give them the option to opt out*, you can use people's basic information to contact them as you please.

It's complicated in part because organisers keep data in addition to the AUK databases.

This probably falls under my patch, so perhaps I'll have a go at knocking something up.

Title: data protection and event entries
Post by: JayP on February 15, 2011, 01:21:31 pm

Quite. It's also about that information only being retained for the period for which it is required. Once you no longer have any need for it the data should be deleted. i.e. Once the event is over and the card returned to the rider the data should be deleted from the records as it is no longer required.

Absolutely. So, say, keeping a contact list of riders to mail them about anything other than the ride they entered, is really not on. If anyone you contacted made a complaint, you could be in trouble.

(sorry, this is drifting rather, isn't it?)
And somewhere along the line as a newbie organiser, I was told that and will delete everyone's contact details once the Brevet cards have gone out.

If the application form were changed to allow me (as a rider) to opt in to emails sent by the organiser, I'd be quite willing to be sent emails publicising next year's route/new rides etc. by that organiser. I doubt any would abuse the privilege as the world we operate in is too small.

On the one hand the DPA and direct marketing legislation really isn't aimed at the likes of AUK event organisers, although we do need to be aware of it.

On the other, tweaking the event application form to include a field explicitly requesting permission to contact riders regarding future events is not something we have to wait on AUK to action, especially as nowadays most riders do not fill in calendar event application forms anyway. Nowadays I email out route sheets. It would be easy to include a rider registration form to collect whatever info we want, basically.

Similarly, there is no reason why AUK could not mailshot the membership to request permission, say, for organisers whose rides they have previously participated in to contact them regarding future events by that organiser. Subject to resources to actually do it, this could be done 'now', before the 2011 season really kicks off. Alternatively such permission could be progressed as part of the membership renewal process but that would mean waiting a year or possibly two.

I'm making this up as I go along really but where there's a will, there's a way.
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this year's rides from Broken Cross to everyone on the list. It was a straightforward thing to do and not by any means an original idea. I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
Title: data protection and event entries
Post by: MSeries on February 15, 2011, 10:07:09 pm
  • No one has ever told me that I should delete contact data after an event.
  • It never occurred to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context
Spam. Unsolicited email. Doesn't have to be about Viagra or Nigerian lottery. CTC spammed me.
Title: data protection and event entries
Post by: itinerant on February 15, 2011, 10:51:48 pm
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this year's rides from Broken Cross to everyone on the list. It was a straightforward thing to do and not by any means an original idea. I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occurred to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!
Title: data protection and event entries
Post by: simonp on February 15, 2011, 11:08:38 pm
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this year's rides from Broken Cross to everyone on the list. It was a straightforward thing to do and not by any means an original idea. I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occurred to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!

It doesn't matter. Spammers in the traditional sense make money out of a few people who click on the link and buy the fake Viagra. It's still a pain for everyone else. This kind of thing should be an opt-in because it should be up to the rider to choose.

I'm sure with Danial on the case, though, the Right Thing will be done.
Title: data protection and event entries
Post by: LittleWheelsandBig on February 15, 2011, 11:10:32 pm
Mods: Can we split the spam/ entrant details discussion out of this thread? It is way off-topic.
Title: Re: data protection and event entries
Post by: border-rider on February 15, 2011, 11:39:43 pm
Done
Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 09:57:54 am
There is a lot of hot air blown around about the DPA and what it means, despite it being largely common sense and the prolific amount of information on the subject with some pretty useful guidance from the Information Commissioner’s Office (http://www.ico.gov.uk/) (ICO) from which I quote:

Quote
The Act works in two ways. Firstly, it helps to protect your interests by obliging organisations to manage the information they hold in a proper way. It states that anyone who processes personal information must comply with eight principles, which make sure that it is:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate and up to date;
• not kept for longer than is necessary;
• processed in line with an individual's rights;
• secure; and
• not transferred to other countries (outside of the EU) without adequate protection.

The second area covered by the Act gives you important rights, including the right to know what information is held about you and the right to correct information that is wrong. You also have the right to claim compensation through the courts if an organisation breaches the Act and this causes you damage, such as financial loss. If it has, you can also claim for distress.

The risk to organisations (registered or not) is that someone can claim and prove loss or damages due to a breach of the DPA. This is what most organisations are worried about and a Data Protection policy is intended to safeguard both the organisation and individuals against a breach. This does not have to be an exhaustive policy but how onerous it becomes is normally governed by the risk of a successful claim being brought against an organisation due to a breach of the information they hold. For example, as far as I am aware, none of the info AUK hold is 'sensitive personal information' that might lead to discrimination against an individual, leading to personal loss and subsequent distress/damages. Does AUK have a DP policy?

In addition, the rights of an individual, as alluded to above, are as follows:

• Ask to access information relating to them
• Ask to correct information relating to them
• Ask to prevent processing of information (you can ask but the organisation is not bound to comply)
• Ask to stop unsolicited marketing (you can ask them to stop and they have to comply)
• Ask to stop automated decision making (i.e. where decisions are not made by people)


Whilst AUK may be exempt from notifying the ICO, it does hold and manage personally identifiable data and as such should follow the 8 principles of the Act; however, this does not have to be limited to AUK-specific information. For example, AUK may hold information about CTC membership as long as it is accurate, is associated and used in the context of the individual's activity or membership and is held/managed securely. It could be argued that despite the term 'DA' being an anachronism, it is still relevant to (some) individuals and the activities they are engaged in that are facilitated by AUK. In other words, although strictly speaking it should be replaced with the term 'Member Group', it could be argued that 'DA' implies the same thing until such time as the new stock of cards are printed.

One area where AUK might want to think about is the website component of AUK where personally identifiable data is shared with other members and anyone who lands on the site. This information is limited but is shared nonetheless. A stock item within most DP policies is that individuals give their consent to the processing of information and especially where this information is shared with 3rd parties. I don't see anything like that on the online entry (and couldn't remember consenting to it) but if not covered off elsewhere, I suggest two tick boxes be added to either the online entry or terms of membership with wording along the lines of "I consent to AUK storing my details and using these to process information related to activities associated with my membership" plus "I consent to my participation in AUK events being publicised on the AUK website and visible to both AUK members and the general public"

H
Title: Re: data protection and event entries
Post by: frankly frankie on February 16, 2011, 10:19:26 am
Not disagreeing with any of the above (though my personal, cynical, belief is that DPA is largely about ownership of data and only incidentally about individuals' rights) - but as far as listings are concerned - they're only names. Names don't identify anybody - do they?
Title: Re: data protection and event entries
Post by: Greenbank on February 16, 2011, 10:24:26 am
Names don't identify anybody - do they?

They can, and email addresses most certainly can.
Title: Re: data protection and event entries
Post by: AndyH on February 16, 2011, 10:39:39 am
Excellent informative post Hummers. (I read it twice and still can't find the punchline)

Simple requirement for an opt-in option or options. I think AUK is about the only organisation where I would actually tick the yes box to receiving email etc.
Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 10:46:45 am
Not disagreeing with any of the above (though my personal, cynical, belief is that DPA is largely about ownership of data and only incidentally about individuals' rights) - but as far as listings are concerned - they're only names. Names don't identify anybody - do they?

Your belief is one thing, the DPA is another. Whilst there is a lot of room for hypothesis on what the DPA means to an organisation, the Act has two parts relating to: 1) the obligations of the organisation holding data and 2) the rights of the individual they are holding it for. I'd like to say that the drive for a DP policy comes from wanting to be responsible for the handling of individuals' data but my experience is that the vast majority of Not for Profit organisations, although exempt from notifying the ICO, are more motivated by the threat of being sued due to a breach of the DPA than anything else.

Also you don't just use names, you also use the AUK number which uniquely identifies individuals. The fact that these numbers are only relevant to the AUK 'system' is irrelevant.

H
Title: Re: data protection and event entries
Post by: JayP on February 16, 2011, 10:58:04 am
I already maintain an email dist' list of 'Broken Cross Audax Alumni'. Anybody who contacts me, by email, either to enter or just express an interest in an event of mine goes on the list. I recently sent out a flyer about this year's rides from Broken Cross to everyone on the list. It was a straightforward thing to do and not by any means an original idea. I will instantly remove anyone from the list who doesn't want to be there. Its effectiveness has yet to be assessed.
  • No one has ever told me that I should delete contact data after an event.
  • It never occurred to me to consider direct marketing legislation but if it had I wouldn't have thought it relevant in this context

I, for one, welcomed the email about this year's events. It reminded me what a good event the Venetian Nights had been and encouraged me to look at my diary to enter your other events this year.  If it had been a pain to get the email I could always have hit delete!

It doesn't matter. Spammers in the traditional sense make money out of a few people who click on the link and buy the fake Viagra. It's still a pain for everyone else. This kind of thing should be an opt-in because it should be up to the rider to choose.

I'm sure with Danial on the case, though, the Right Thing will be done.


Catch 23
God: Thou shalt not write to people unless you have already written to them to ask their permission to write to them.
Devil: Result!!

A bit frivolous but there is a point. My take is that Spam is just a business model. One which utilises the cheapness of email to make take-up from a tiny proportion of a huge audience viable. Those who use this model are oblivious to its nuisance value and if God gives the Devil his(/her) result with these people, well and good. But the rest of us have been shot in the foot unless we draw a line which separates the benign witter and twitter of us nice ordinary folk from the Spammers.
Drawing lines is always difficult and all lines are contentious in their neighbourhood but the outliers are usually beyond dispute. I would say that the Viagra salesman is very very far on one side of the line and the organiser sending future long-ride information to other members of the same long-ride club is very very far on the other.
That said I think I’d vote for an opt-in tick box somewhere or other too. It’s not difficult to set up and keeps everyone happy so why not.
In any case I’ve sent mine for this year and no-one’s complained so far and this thread has given it some added value. Thank you Itinerant and Andy C, and other folk who email’d me, for your kind and positive remarks. I think the exercise will prove to be worthwhile.
Title: Re: data protection and event entries
Post by: Nuncio on February 16, 2011, 11:09:13 am
(I read it twice and still can't find the punchline)

Try it again, this time out loud and in the style of Bob Fleming from the Fast Show.  The sentence involving the words "consent", "DP", "shared" and "parties" becomes a right hoot.
Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 11:16:49 am
(I read it twice and still can't find the punchline)

Try it again, this time out loud and in the style of Bob Fleming from the Fast Show.  The sentence involving the words "consent", "DP", "shared" and "parties" becomes a right hoot.

 :P

H
Title: Re: data protection and event entries
Post by: Philip Whiteman on February 16, 2011, 11:35:10 am
In practical reality, it would be difficult for anyone to prove that an organiser has infringed the DPA.  How would anyone know if I had held a file on my PC for longer than is necessary? It would only be known if the organiser had forwarded the material onto a third party or started spamming previous entrants.
Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 11:35:52 am

That said I think I’d vote for an opt-in tick box somewhere or other too. It’s not difficult to set up and keeps everyone happy so why not.


If it is something you are concerned about and if it is you advertising your personally organised or club rides (some may not be an Audax), a line on the bottom of the email saying something like...:

"If you don't want to receive information on my forthcoming rides, please reply to this email and ask to be taken off the mailing list"

... obvious I know but it would give people a clear opt out.

The biggest potential 'privacy' issue with 'Forthcoming rides emails' is when everyone's email address is included in the 'To' field. If you are using Outlook, the way around this is to create your own personal distribution list, add the email addresses into this then use this list in the 'BCC' field with a dummy (or your own) email address in the 'To' field so that the email will go out.

H
Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 11:49:33 am
In practical reality, it would be difficult for anyone to prove that an organiser has infringed the DPA.  How would anyone know if I had held a file on my PC for longer than is necessary? It would only be known if the organiser had forwarded the material onto a third party or started spamming previous entrants.


Indeed, and in the context of AUK, why would they really bother to pursue it? However, this doesn't let AUK off the hook.

Here are the reasons that a complaint would be considered (from the ICO) :

Quote
You have been denied any of your rights, including your right to see the personal information an organisation holds about you.

Personal information about you is used, held or disclosed:

• unfairly
• for a reason that is not the one it was collected for, or
• without proper security.

Personal information about you is:
• inadequate, irrelevant or excessive
• inaccurate or out of date, or
• kept for longer than is necessary.

The above has to be backed up with evidence to be taken seriously and even then, the ICO push you to sort out the problem yourself and have no powers to award compensation, only to work with the individual and organisation and at worst, order the organisation to comply.

Like I said, organisations balance risk against information held but still have to consider DP implications. The practical outworking of this consideration is the DP policy which all people working under the auspices of the organisation should be aware of and comply with. It doesn't have to be onerous but it does have to exist and be followed.

H
Title: Re: data protection and event entries
Post by: Philip Whiteman on February 16, 2011, 11:56:26 am
Hummers has it spot on.  E-mails should not be issued using the 'TO' field.  Equally, they must not be used to promote activities not immediate to the event and related audaxes.

Most of my communications for the Snowdrop/Sunrise Express are conducted electronically and restricted to the following messages:-

Pre-event
i.  the distribution of joining details and route cards;
ii. last minute changes to the event's details, if required;

Post-event
iii.  a post-event 'thank you' letter which also includes a summary of the day and details on lost property.
(delete all details apart from e-mail addresses)
iv.  9 months later, a notice to all previous entrants on joining details for the 2012 event.

Then delete remaining e-mail addresses.
Title: Re: data protection and event entries
Post by: Greenbank on February 16, 2011, 12:25:35 pm
Some mail clients will store the BCC field in the sent email, so don't forget to delete the email(s) from the sent folder, otherwise this can be construed as storing them (indefinitely).
Title: Re: data protection and event entries
Post by: Jaded on February 16, 2011, 12:30:07 pm
Consider your back-ups too.

 ;)
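The two exposure paths raised in this exchange (rider addresses visible in the To field, and a Bcc list that the mail client kept in the sent copy) together with the retention point, as an added audit example that is not from the forum or from any AUK tool; it runs over a handful of constructed "sent" messages with hypothetical addresses, and the audit date and 90-day window are assumptions:

```python
"""Audit sent ride-announcement emails for (a) recipient lists exposed in
To/Cc, (b) Bcc headers retained in the sent copy, and (c) messages held
past a retention window. Added example; messages below are constructed."""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Assumed audit parameters: the day the check runs and the retention window.
AUDIT_NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
RETENTION_DAYS = 90

# Constructed sample "sent folder" (hypothetical .invalid addresses).
SENT_MESSAGES = [
    # Route sheets sent with every rider in the To field: addresses exposed.
    """From: organiser@example.invalid
To: rider1@example.invalid, rider2@example.invalid, rider3@example.invalid
Subject: Route sheets for the 200
Date: Mon, 14 Feb 2011 12:00:00 +0000

Route sheets attached.
""",
    # Flyer sent via Bcc, but the client kept the Bcc header in the sent copy.
    """From: organiser@example.invalid
To: organiser@example.invalid
Bcc: rider1@example.invalid, rider2@example.invalid
Subject: Next year's rides
Date: Tue, 15 Feb 2011 12:00:00 +0000

Flyer for next season.
""",
    # Recent thank-you note with no rider addresses retained: clean.
    """From: organiser@example.invalid
To: organiser@example.invalid
Subject: Thanks for riding
Date: Fri, 20 May 2011 12:00:00 +0000

Thank you all.
""",
]


def recipients(msg, header):
    """Return the bare addresses found in the named header (empty if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def audit_message(raw, now=AUDIT_NOW, retention_days=RETENTION_DAYS):
    """Classify one sent message and return its findings as a dict."""
    msg = message_from_string(raw)
    sender = set(recipients(msg, "From"))
    # Every address in To/Cc other than the organiser's own is visible to
    # all recipients; more than one such address means riders can see
    # each other's details.
    visible = sorted(set(recipients(msg, "To") + recipients(msg, "Cc")) - sender)
    sent_on = parsedate_to_datetime(msg["Date"])
    return {
        "subject": msg.get("Subject", ""),
        "exposed_recipients": visible if len(visible) > 1 else [],
        "retained_bcc": recipients(msg, "Bcc"),
        "over_retention": (now - sent_on).days > retention_days,
    }


def audit_sent_folder(raw_messages, now=AUDIT_NOW, retention_days=RETENTION_DAYS):
    """Return findings only for messages that need attention."""
    findings = [audit_message(raw, now, retention_days) for raw in raw_messages]
    return [f for f in findings
            if f["exposed_recipients"] or f["retained_bcc"] or f["over_retention"]]


if __name__ == "__main__":
    for finding in audit_sent_folder(SENT_MESSAGES):
        print(finding["subject"])
        if finding["exposed_recipients"]:
            print("  To/Cc exposes:", ", ".join(finding["exposed_recipients"]))
        if finding["retained_bcc"]:
            print("  Bcc kept in sent copy:", ", ".join(finding["retained_bcc"]))
        if finding["over_retention"]:
            print("  older than retention window; delete (and check backups)")
```

Real mailboxes can be walked the same way with the standard library's `mailbox` module, feeding each message's text to `audit_message`.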
Title: Re: data protection and event entries
Post by: phil d on February 16, 2011, 01:37:51 pm
It was quite a while ago, so might well have changed, but when I looked into this area in relation to the CTC Member Group (DA at that time!) I came to the conclusion that the DPA did not directly apply to what we as a local group were doing (which involved holding CTC member names and addresses on a computer).  I cannot recall whether this was because of a de minimis let-out, or we were non profit making, or some other reason.  Or maybe I drew the wrong conclusion.

Given that most organisers act independently, under the rules of but not on behalf of AUK, I think that we are unlikely to be troubled by the force of law behind the DPA.

However, that does not remove a personal responsibility to try to protect an entrant's details, so fully agree with the need to carefully use BCCs when emailing to more than one.

Title: Re: data protection and event entries
Post by: Hummers on February 16, 2011, 01:47:23 pm
Not all organisations have to notify the ICO and apply to go on the public register of Data Controllers. There are grounds for exemption which may cover AUK and the example you offered.

However, any organisation holding personal information on its members, clients or customers is obliged to do so with regard to the 8 principles of the DPA. Again, from the ICO:

Quote
The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

Most organisations that process personal data must notify the ICO. However, there are some exemptions. Data controllers who are exempt from notification must comply with the other provisions of the Act, and may choose to notify voluntarily.

My experience is that due to the extra cost and hassle, most organisations elect not to be put on the register but maintain a DP policy.

H
Title: Re: data protection and event entries
Post by: BlackSheep on February 16, 2011, 01:54:07 pm
Consider your back-ups too.
 ;)

Always a safe move.

ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronically, eg, blown ROMs, HDD, FDD, memory sticks, et al?

Reason for asking is I recall BBC's Watchdog coming unstuck once, because the organisation they were pursuing held all the data (quite literally dozens of rooms) on paper.
Title: Re: data protection and event entries
Post by: Manotea on February 16, 2011, 02:09:57 pm
On the subject of direct marketing, I had a chat with a helpful type at the Info Commission Office yesterday. We had one of those interesting conversations where he could only advise me on the law, which was that complaints of unsolicited direct mailing could result in prosecution and fines of £5k. However under close questioning(!) he agreed such cases are associated with egregious violations by large organisations, which hardly describes a cycling event organiser communicating with previous event riders. He also suggested that DM legislation is concerned with promotions; emails advising, 'click here if you would like to know more' would be fine.

There is a potential issue with the volume of such missives riders might receive. Working on the basis that interested organisers might communicate with riders once or twice a year regarding this year's programme, updates, etc. then even the most, um, promiscuous riders might only receive a dozen emails a year. This is hardly onerous, especially if emails include an unsubscribe option. I'd be quite happy to receive email newsletters from JayP and other 'multiple offender' organisers such as Blacksheep and El Supremo (though ES may well be the last to go down that route!).

It similarly occurs to me that a four times a year AUK newsletter to complement the publication of Arrivee might be useful for communicating with Auks & Non-Auks alike. This need not contain much in the way of original material but simply a cover letter with links to online materials such as Arrivee and other official notices (Committee meeting minutes, etc.) plus any other relevant 'stop press' info.

Clearly such activities need to be progressed sensibly. Any attempt at a structured hard sell of events and/or products is likely to be immediately counterproductive, and unsubscribe requests need to be actioned.

A personal view. IANAL.
Title: Re: data protection and event entries
Post by: DanialW on February 16, 2011, 03:56:13 pm
ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronically, eg, blown ROMs, HDD, FDD, memory sticks, et al?

no
Title: Re: data protection and event entries
Post by: mattc on February 16, 2011, 05:52:33 pm
It similarly occurs to me that a four times a year AUK newsletter to complement the publication of Arrivee might be useful for communicating with Auks & Non-Auks alike. This need not contain much in the way of original material but simply a cover letter with links to online materials such as Arrivee and other official notices (Committee meeting minutes, etc.) plus any other relevant 'stop press' info.

Clearly such activities need to be progressed sensibly. Any attempt at a structured hard sell of events and/or products is likely to be immediately counterproductive, and unsubscribe requests need to be actioned.

A personal view. IANAL.
Do you think that the AUK twitter feed is achieving some of this? Could it do more?

The thing about Twitter is that users can subscribe/unsubscribe at will!
Title: Re: data protection and event entries
Post by: Jaded on February 16, 2011, 05:54:15 pm
The thing about Twitter is that it is markedly less inclusive than email, which in itself is not wholly inclusive.
Title: Re: data protection and event entries
Post by: mattc on February 16, 2011, 06:01:34 pm
The thing about Twitter is that it is markedly less inclusive than email, which in itself is not wholly inclusive.

Very true. I mentioned it because:
- we already have it
- someone keen is stoking the boiler
- there are no legal issues (that I'm aware of!), or other bureaucratic barriers.
Title: Re: data protection and event entries
Post by: Billy Weir on February 16, 2011, 06:08:01 pm
As I've suggested in the past, AUK could consider a regular email that members and non-members opt in to.

It could make announcements of events where entries close in the next two weeks, links to historic articles from Arrivee and any proclamations from the committee.  A bit like the emails that Cyclosport send out every week.

I would be prepared to help prepare this.  No doubt a formal proposal has to be submitted to the committee (this not being an official AUK board, but a collection of interested randonneur busy bodies, or something of that ilk!)

(This suggestion comes from not being a particular fan of unsolicited contact from individual organisers).
Title: Re: data protection and event entries
Post by: DanialW on February 16, 2011, 06:11:43 pm
If anyone has any suggestions for publicity, and, crucially, the time and willingness to make them happen, drop me a line.
Title: Re: data protection and event entries
Post by: BlackSheep on February 16, 2011, 06:47:22 pm
ISTBC, but doesn't the DPA info only apply to stuff stored on devices that can only be accessed electronically, eg, blown ROMs, HDD, FDD, memory sticks, et al?

no

Thanks for that  :thumbsup:, the most comprehensive answer from any committee member in my YACF history.


Then what does it apply to, I wonder?
Title: Re: data protection and event entries
Post by: DanialW on February 16, 2011, 09:09:55 pm

Thanks for that  :thumbsup: ... then what does it apply to, I wonder?


The DPA applies to any personal data held in a filing system. A Rolodex or a GP's patient records would count as a relevant filing system.
Title: Re: data protection and event entries
Post by: Jaded on February 16, 2011, 11:05:19 pm
So it was changed from its original inception. I'm pretty sure it started out as electronic data only?
Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 12:03:08 am

Then what does it apply to, I wonder?

All on the ICO website but for your own personal digest Mr Blacksheep, there are three areas where paperwork and filing falls within the scope of the DPA in the AUK context but the definition is as follows:

Quote
Data means information which –

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

Accessible record means that you can access and retrieve personal information/data because it is stored and arranged in a structured manner. An index or a structured filing system would facilitate this so this data would come into scope, even if it wasn't going to be recorded on a computer system.

So it was changed from its original inception. I'm pretty sure it started out as electronic data only?

This change was crystallised in the 1998 Act but there were changes prior to this regarding manual records held by local and health authorities that pre-date 1998. The 1984 Act did not include paper or manual records and I think this is where the confusion comes from.

H
Title: Re: data protection and event entries
Post by: ian_oli on February 17, 2011, 12:44:54 am
Direct marketing opt-in is required by legislation - The Privacy and Electronic Communications (EC Directive) Regulations 2003. Any promotion of an Audax event by email is absolutely direct marketing as an audax is a service provided for a consideration. The fact that it is small scale and non-profit is neither here nor there.

The relevant section of the regulations is 22, shown below.

A point about Data Protection is also context. For instance, disclosure of most audaxers' addresses will be quite harmless (you can find mine quite easily and so what) but someone who has moved house because of a stalker is a different matter. When someone enters an Audax you don't know their situation, therefore as an organiser you need to keep the address secure. You need to apply this sort of risk analysis to whatever information you do collect.



22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b)the direct marketing is in respect of that person’s similar products and services only; and


(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).
Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 07:58:01 am
<snip>
Direct marketing opt-in is required by legislation - The Privacy and Electronic Communications (EC Directive) Regulations 2003. Any promotion of an Audax event by email is absolutely direct marketing as an audax is a service provided for a consideration. The fact that it is small scale and non-profit is neither here nor there.

The relevant section of the regulations is 22, shown below.
</snip>

Indeed. If you have signed up online to any sort of service over the last few years you will have seen opt-ins for both being contacted and the method by which you are being contacted. This is common practice and applies to all organisations that hold personal information and who want to use this to contact individuals.

Direct marketing, including contacting individuals about activities of an organisation, falls under both the DPA and the P&EC regs. This would include emailing about events and things like the AGM. However for AUK, I suggest there is a simple way of complying with both for email based direct marketing for both new/renewing and existing members:


H
Title: Re: data protection and event entries
Post by: phil d on February 17, 2011, 09:14:30 am
This is all well and good (and I have found the extensive replies above most informative - thanks chaps), but as I see it there is a disconnect between AUK on the one hand, and the organisers on the other. 

While we organise under AUK rules, we do not do it as part of, or even on behalf of, AUK (though may be organising on behalf of another membership organisation like a cycling club, or CTC).  So any opt-in or opt-out provided as part of the membership process arguably doesn't apply to us.

Which leaves us on our own.  I'm not particularly bothered, as I do not retain any personal information except the actual entry forms, and do not propose to start direct marketing my event.  But others could be affected.

Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 10:09:59 am
This is all well and good (and I have found the extensive replies above most informative - thanks chaps), but as I see it there is a disconnect between AUK on the one hand, and the organisers on the other.  

While we organise under AUK rules, we do not do it as part of, or even on behalf of, AUK (though may be organising on behalf of another membership organisation like a cycling club, or CTC).  So any opt-in or opt-out provided as part of the membership process arguably doesn't apply to us.

Which leaves us on our own.  I'm not particularly bothered, as I do not retain any personal information except the actual entry forms, and do not propose to start direct marketing my event.  But others could be affected.



I understand where you are coming from Phil and if you were just organising rides that were for your own and a number of other riders' personal enjoyment and maintained a personal email/contact list based on info they sent you directly (i.e. as Phil D, not AUK) then there's no problem. It could be argued that they still need an 'opt-out' but personal directories and mail lists are exempt from the DPA and P&EC regs.

However, you are effectively working on behalf of AUK if you are part of their data handling process and AUK should have a DP policy that covers your activity. This is not uncommon (volunteer based organisations do it all the time) and whilst the outworking might affect the way you handle data between you and AUK, in practice, I doubt it would make much difference to what you do now or create any more work.

However, to safeguard both AUK and the privacy of its members, the DP policy should prohibit organisers from using this information for personal reasons or sharing it with another organisation.

Why is this?

Well, what can and does cause problems is when people start receiving unsolicited emails from either an individual or another organisation (e.g. your CTC DA Member Group) and feel that the information they have provided the original organisation (e.g. AUK) is being used for other reasons or passed onto 3rd party without their consent.  It's hardly an 'I'll see you in court thing' but it is bad practice and diminishes confidence in an organisation if they don't seem to be handling personal information securely and fairly.

<edit>
Reading your post again, I may have missed your point   :-[  but if you apply the same rules, if your club or your CTC group are collecting information on individuals and passing this onto AUK and off the back of this AUK starts sending that individual unsolicited emails, that's not good either. The onus falls on you/your club/your CTC group to get an individual's consent for this or AUK to provide an 'opt-out' in their mails.
</edit>

H
Title: Re: data protection and event entries
Post by: frankly frankie on February 17, 2011, 10:40:19 am
Quote
  • When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisfies the DPA first principle)

But AUK don't use the information in this way and AFAIK have no plans to.

And there is a Privacy Statement clearly accessible from every page of the new website.

And Organisers are all asked to sign up to a separate, more specific, privacy agreement.  (This has been in place for a couple of years at least, it's not compulsory, but in fact all bar one of current Organisers are signed up.)  That agreement doesn't specifically say anything about direct marketing, but it does include the phrase
"You must not use this information in any ways not directly related to the conduct of your Event(s)."
Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 12:38:48 pm
Quote
  • When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisfies the DPA first principle)

But AUK don't use the information in this way and AFAIK have no plans to.

And there is a Privacy Statement clearly accessible from every page of the new website.

And Organisers are all asked to sign up to a separate, more specific, privacy agreement.  (This has been in place for a couple of years at least, it's not compulsory, but in fact all bar one of current Organisers are signed up.)  That agreement doesn't specifically say anything about direct marketing, but it does include the phrase
"You must not use this information in any ways not directly related to the conduct of your Event(s)."

Francis, I have no idea of the internal workings of AUK, what has been agreed with Organisers or knowledge of what it might choose to do with the information it holds on its members.

I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy. I'm not commenting on what AUK may or may not have in place as that's clearly the domain for people like you who have more of an understanding as to how these principles have or have not been applied.

H
Title: Re: data protection and event entries
Post by: AndyH on February 17, 2011, 01:26:13 pm
</snip>
  • When people join, you tell individuals that your organisation may wish to use their information to contact them about events, activities and services related to AUK i.e. 'direct marketing' (this satisfies the DPA first principle)
  • You offer new or renewing members the opportunity to opt out of direct email 'marketing' there and then (this satisfies the P&EC regs)
  • For existing members, any communication sent out has a single line within the email that allows them to email back and opt out (this meets the P&EC regs under section 22(3) and is referred to as the 'soft opt-in' but is really an 'opt-out')

H
But AUK don't use the information in this way and AFAIK have no plans to.

Various other threads have talked about communications, e.g. organisers requiring email addresses, Arrivee being made available electronically, the handbook only being available in electronic form etc. The world is going that way, and although there are no current plans to use the stored info for communications purposes surely it can only be a matter of time? If this is not a current requirement then there is a window in which to implement a policy and build the database of opt ins & opt outs.

Then there's the question of organisers emailing event details to previous year's entrants. I had one about the Dorset Downs the other day. I've no idea how the organiser got my email address, but it was not an unwelcome email.* The line between it being an individual organiser working on his own and an AUK email is blurred in my mind, because the information was about an event for which is held under AUK regulations and for which I'd get AUK points. If it wasn't I probably wouldn't be so interested. The rider info that AUK provides to organisers to populate start sheets could include the opt in / out info so organisers would know if they could contact riders in subsequent years.

The steps Hummers outlined seem sensible if not immediately required.

* Actually IIRC last year I entered online but through the organiser's own facility, not the AUK / Paypal one. They have obviously stored my email address. I can't remember if I was asked for consent, but it's always good to receive a cycling related email when I should be working  ;D
Title: Re: data protection and event entries
Post by: frankly frankie on February 17, 2011, 02:58:31 pm
Francis, I have no idea of the internal workings of AUK, ...
I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy.

Of course Mark - your knowledge of DPA is clearly considerable* and your comments in this thread very useful, IMO.

The point I was trying to make was about what Phil describes as the 'disconnect' between AUK and Organisers.  I would suggest this disconnect is there by design - AUK is always keen to make the point that Events 'belong to' organisers and are merely run according to principles laid down by AUK.

* it's 2 years or more since I last looked at the DPA, or rather, the surrounding documentation - and I'll bend the knee to anyone who really knows the ins and outs, but it sounds as though the 'for dummies' literature has improved, which is good news for everyone (except lawyers I suppose).
There used to be a 'DPA self-assessment' form somewhere - I completed it three times, with AUK's operation in mind, and got 2 'register' and 1 'don't register' results.  Ultimately what I didn't like was that, for all the talk of 'organisations' having responsibilities, ultimately it is an individual who has to sign up and register and put his head in the noose.  As an unpaid volunteer, I wasn't prepared to do that.  But AUK do try to take their DPA obligations seriously, that I do know - [edit] and clearly already exceed the DPA's requirements in several areas.
Title: Re: data protection and event entries
Post by: Manotea on February 17, 2011, 04:02:07 pm
Francis, I have no idea of the internal workings of AUK, ...
I'm only responding to questions raised on this thread based on my experience and knowledge of the DPA and data privacy.

Of course Mark - your knowledge of DPA is clearly considerable* and your comments in this thread very useful, IMO.

The point I was trying to make was about what Phil describes as the 'disconnect' between AUK and Organisers.  I would suggest this disconnect is there by design - AUK is always keen to make the point that Events 'belong to' organisers and are merely run according to principles laid down by AUK.

Events (up to and including LEL, though this changes with LEL2013) are put on by Organisers not AUK and organisers 'own the relationship' (salespeak) with the rider, at least as far as the Organiser's event. Rider contact info goes directly to the Org. The only info passed to AUK is memno and names for validation purposes. Orgs do have access to AUK memlist via the startlist lookup feature which includes postal addresses but *NOT* email addresses.

When I started as an Org all of ~5 years ago putting on an event was a totally paper based exercise and whilst application forms included email addresses they were not referenced by me. We are now well past the tipping point and ~75% of entries come in electronically, and in turn, for example, for the last several events I have sent out route sheets by email. I received back just a couple of requests for paper copies which of course I provided.

By the way, with regard to deleting rider details post event, I can flush them from my PC but all of this rider information will remain in my paypal account forever. I've just checked some transactions from several years ago; it's all there.

So taking DPA/DM regulation at face value as outlined by Hummers & GB will require AUK AND Organisers to develop policies and procedures for managing rider data even if they do not propose to use this information post event. Regardless there is no reason why we cannot swiftly move to total compliance with DPA/DM regulation without compromising our activities.

In so doing let's not lose sight of the fact that Organisers are running cycling events for riders with whom they have a direct relationship.
Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 04:42:31 pm
Steady on chaps!  :o

The DPA calls for common sense rather than a New World Order.  :facepalm: As I said before, most organisations, rightly or wrongly, balance risk against how comprehensive their DP policy is and how far they follow the principles of the Act. Unless something right now is majorly broken, why try and fix it?

However, Andy H's comments on discussions around the direction of AUK are in the back of my mind too. If these come to fruition and mean changes to how AUK uses the information it holds on its members, I suggest this will be the driver for a review of AUK's policy on privacy, communication and data protection.


Events (up to and including LEL, though this changes with LEL2013) are put on by Organisers not AUK and organisers 'own the relationship' (salespeak) with the rider, at least as far as the Organiser's event. Rider contact info goes directly to the Org. The only info passed to AUK is memno and names for validation purposes. Orgs do have access to AUK memlist via the startlist lookup feature which includes postal addresses but *NOT* email addresses.

Yes, tempting to think that the two are disconnected but that is not actually the case as you are involved in data processing for AUK. 

If I entered the event directly with AUK (I know I can't) and all they did was send you (as the organiser) a predicted number of riders to cater for and covered your costs, i.e. no information about the riders at all, then from a DPA perspective, you are disconnected. If I wasn't a member and AUK had no information about me at all, then you are also disconnected.

But as an AUK member and based on my understanding of the process, if I enter one of your events:


And both you and AUK hold my email address.

H
Title: Re: data protection and event entries
Post by: Manotea on February 17, 2011, 04:54:05 pm
The DPA calls for common sense rather than a New World Order.  :facepalm: As I said before, most organisations, rightly or wrongly, balance risk against how comprehensive their DP policy is and how far they follow the principles of the Act.

Absolutely

Unless something right now is majorly broken, why try and fix it?

Whilst AUK's modus operandi may be intact, the world has moved on

Posters often refer to AUK as shorthand to include Organisers whereas each Organiser is separate and unique. Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.


Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 05:02:41 pm
Sorry Mr Tea, I added some more stuff on my post regarding 'disconnection'. You may think organisers are separate from AUK but from a DPA perspective, based on my understanding of the process you are both processing AUK data and information about me.

Whilst AUK's modus operandi may be intact, the world has moved on


But the DPA has not changed significantly and the P&EC regs have been around for about 7 years.
 
H
Title: Re: data protection and event entries
Post by: DanialW on February 17, 2011, 05:04:56 pm
Posters often refer to AUK as shorthand to include Organisers whereas each Organiser is separate and unique. Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.

I agree.

Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 05:42:59 pm
Where AUK can help is by consulting organisers and providing leadership and a framework under which we can all move forward together.

Woaa...  :o

Now that really does sound like a New World Order.

I'll stick to stuff I understand.  ;)

H
Title: Re: data protection and event entries
Post by: frankly frankie on February 17, 2011, 07:05:02 pm
  • If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

Quote
And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.
Title: Re: data protection and event entries
Post by: Hummers on February 17, 2011, 07:48:54 pm
  • If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

Why would the organiser be made part of a data retention policy? That makes no sense to me.
Quote
Quote
And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

From a DPA standpoint it could be argued that only means that the information you hold on me is (in part) incorrect. It is my AUK number that 'connects' the information the organiser and AUK hold on me.

Looking at the process as described by organisers and others on this thread, like it or not, there is a flow of information that goes between AUK and the organiser that relates to personally identifiable information about its members and this means that the processing and management of this information is subject to the principles of the DPA - and this covers all information held, not just email addresses.

H
Title: Re: data protection and event entries
Post by: simonp on February 18, 2011, 12:09:06 am
  • If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

Quote
And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

The advice was, roughly:

 - records should be kept for one year

except where an incident occurred on the event, in which case:

 - records should be kept for 7 years.

In the draft of the updated guidelines (much improved) last year this was changed to 5 years.

I can see that this is necessary for insurance purposes.

Title: Re: data protection and event entries
Post by: Hummers on February 18, 2011, 09:22:02 am
  • If you keep my entry form or any information that relates to me by my AUK# alone, both you and AUK have personally identifiable information about me, linked via a common reference number

That's interesting because there is (or maybe was) 'advice to Orgs' floating around, to the effect that Entry Forms should be stored (by the Org - AUK never sees them) for 7 years.

Quote
And both you and AUK hold my email address.

Though not necessarily the same one.  In other words there is no 'connect' in the data here.

The advice was, roughly:

 - records should be kept for one year

except where an incident occurred on the event, in which case:

 - records should be kept for 7 years.

In the draft of the updated guidelines (much improved) last year this was changed to 5 years.

I can see that this is necessary for insurance purposes.


I understand why records need to be kept; the entry form has (or should have) the rider's consent to the terms and conditions of participation and, of questionable worth, a record of intended participation (although they could still DNS, so in itself it is not a record of riding the event). I assume it also covers them from an insurance perspective whether they are a member or not.

In terms of the DPA, if AUK are asking the organiser to hold on to the entry forms (and they comply) then they definitely fall within the scope of any AUK DP policy. Francis mentioned that organisers are required to sign up to a Privacy Statement but there are still issues around data being incorrect that would need to be managed.

Although I can see that asking the organiser to hold these records may seem practical and is no doubt historical, this raises all kinds of issues in terms of accessing, securing and managing information. I expect this has been considered but a centralised paperless on-line entry system that still allows organisers to access entry information and update it would mean that organisers no longer need to store riders' personal information and would only need access to a limited subset of it. This would limit risks of a breach of the DPA and give AUK (potentially) more flexibility in how it uses personal information. I am not sure if this is what happens when I opt to enter via PayPal but the feeling I get from this thread is that some if not all of the data resides elsewhere (although the entry form seems to be generated by AUK's system).

Perhaps someone can clarify what happens with online entries (and the information we provide) currently.

H