* General Data Protection Regulation

The place to post news about genealogy products and services that might be of interest to other Family Historian users.
Valkrider
Megastar
Posts: 1570
Joined: 04 Jun 2012 19:03
Family Historian: V7
Location: Lincolnshire

General Data Protection Regulation

Post by Valkrider »

One thing to bear in mind is the security of the data on any cloud storage, particularly as you are responsible under the new GDPR law that comes in on the 25th.
tatewise
Megastar
Posts: 28414
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK

Re: One Drive and Family Historian

Post by tatewise »

As far as the fundamental security of personal data is concerned, GDPR does not appear to significantly alter the requirements compared with the existing UK Data Protection Act in force for several decades.

That some new levels of security are needed is one of the myths of GDPR as far as non-sensitive personal data is concerned.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
Valkrider
Megastar
Posts: 1570
Joined: 04 Jun 2012 19:03
Family Historian: V7
Location: Lincolnshire

Re: One Drive and Family Historian

Post by Valkrider »

Sorry Mike, I disagree with you, having just done a 4-week course on GDPR. It is far-ranging: if you have data on a living person who is identifiable from that data, then you must have their permission to have that data, and you must only use it for the purpose that they have agreed for you to have that data.
tatewise
Megastar
Posts: 28414
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK

Re: General Data Protection Regulation

Post by tatewise »

I agree there are new requirements, but you only mentioned security of data, and my understanding is that has not significantly changed as far as non-sensitive personal data for adults is concerned.

The legal basis of usage is another matter, and consent (or permission) is only one of six alternatives.

Did the course cover legitimate interest (as an alternative to consent) that does not need explicit permission?
My understanding is that if the data is non-sensitive details (such as name, address & telephone), and the usage would be reasonably expected by the person (such as membership of a club), then legitimate interest is feasible and needs no consent as long as the usage and privacy policy is documented and publicised in accordance with GDPR. It is that last need to document in plain language that is the major change.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
mjashby
Megastar
Posts: 722
Joined: 23 Oct 2004 10:45
Family Historian: V7
Location: Yorkshire

Re: General Data Protection Regulation

Post by mjashby »

There's a not-so-subtle "get-out" for family historians from the provisions of the GDPR, in that the guidance issued by the Information Commissioner's Office clearly states:

"The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU."

I can find no mention of any responsibility being placed on individuals who are not operating within an organisational structure and, as the vast majority of hobbyist Family Historians/Genealogists could not possibly be described as 'organisations', I don't see how the new regulations could be applied to them. There could, of course, clearly be a difference for any individuals researching for or within some form of formal organisation/partnership, which includes data providers such as Ancestry, FindMyPast, Family History Societies etc. which may hold and/or publish some data sources that contain data relating directly to living individuals. Also, researchers providing research services could be affected if they are not working solely as individuals.

Can't see how Cloud Storage Services could be considered directly responsible for any personal data held on living people stored in individual User Accounts if they don't directly process or access the actual data; and, providing 'Home Users' only use a personal account for storing their data in the cloud, the regulations would not appear to apply. However, if anyone is using a business account to store such data then the content could definitely be said to be the responsibility of the business (organisation) concerned. The same would apply if a user stores personal (potentially sensitive) data relating to living individuals on IT equipment (or even in a book) that is the property of a business, or some other organisation.

Mervyn
Valkrider
Megastar
Posts: 1570
Joined: 04 Jun 2012 19:03
Family Historian: V7
Location: Lincolnshire

Re: General Data Protection Regulation

Post by Valkrider »

Mike

It’s really complex and this course only scratched the surface. It has 99 different articles in 11 chapters, and then 173 recitals explaining those articles.

I doubt anyone truly understands it all.

My understanding is that if you gather the data you are responsible for the safe storage of such data. I don't see anywhere in the legislation that you can pass this responsibility off to a third party.

GDPR does not apply just to organisations; it applies to anyone who stores data on another living person who is an EU citizen, or to the data of any person, regardless of citizenship, who is resident in the EU.

Consent was covered, and legitimate use was only covered with regard to Police, Government departments etc., and no mention was made of it applying to individuals such as us.

Whether the ICO is likely to come after an individual genealogist, I think is unlikely, certainly at the early stages; they will be looking to make an example of a large company. However, we may become easy pickings later, particularly if someone complains to the ICO about the data one of us has on paper or in a database; but there again, if we don't tell an individual or publish their data, how would they know we had data on them?

As genealogists we are 'data aggregators' in that we collect data from many individual sources and construct a record from those pieces of data.

Let's not forget that in most cases the people we research are dead and so GDPR does not apply. I think it is in all our best interests to be extra careful with living people's data.
tatewise
Megastar
Posts: 28414
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK

Re: General Data Protection Regulation

Post by tatewise »

Among other sources the ICO Guide to the GDPR gives some very useful guidance.

Its Key definitions says "The GDPR does not apply to certain activities including ... processing carried out by individuals purely for personal/household activities." I would imagine that a hobby such as genealogy counts as personal activities.

Its Legitimate interests section readily applies to processing of member details in clubs and societies, and that is supported by many web sites I have investigated such as the following two web pages:
https://www.dphub.eu/features/gdpr_sbs_and_clubs.html
https://shadow.cat/blog/mark-keating/2017/013-GDPR-01/.

Its Accountability and governance says "There are a number of measures that you can, and in some cases must, take including: putting written contracts in place with organisations that process personal data on your behalf". So you can contractually pass responsibility off to a third party.

In many respects the GDPR is simply a replacement for the UK Data Protection Act. So if you comply with that, and have not fallen foul of it, then the GDPR should not pose too many problems.

The GDPR is primarily aimed at large organisations, especially if they hold sensitive personal data such as medical or financial details, or involve children. Anyway, in the first instance I believe a small club would only be warned.

It seems that the most significant extra requirement is a written compliance statement with a Privacy Notice & Policy.
Essentially it says what data is involved, how it is used, who uses it, how it is secured, and how members can get at it.

One major decision is which of the six GDPR legal justifications for processing personal data is appropriate.
I discounted "Consent" because it is quite tricky to operate satisfactorily.
It is much easier to justify that “Legitimate interest” applies to the essential processing expected by members to run a club.

Data protection should be appropriate and proportionate for the data at risk.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
AdrianBruce
Megastar
Posts: 2107
Joined: 09 Aug 2003 21:02
Family Historian: V7
Location: South Cheshire

Re: General Data Protection Regulation

Post by AdrianBruce »

tatewise wrote:... Its Key definitions says "The GDPR does not apply to certain activities including ... processing carried out by individuals purely for personal/household activities." I would imagine that a hobby such as genealogy counts as personal activities. ...
I agree Mike - I've only had a very quick look at the ICO's site for this, but I was looking for guidance on what happens to individuals - there was nothing on their responsibilities under GDPR, only their rights. If anybody and everybody is to follow the GDPR, then we would all need to inform our friends that we had written down in our diary that we were to meet them at X on date Y, etc.; or inform them that we were holding their telephone numbers; or inform them that we were holding their addresses in order to send them a Christmas Card - in which case, am I forbidden to send them any other mail?

Are the above examples frivolous? Certainly. But the fact that it is not possible to find explicit statements about them suggests that they are out of scope. Mind you, I do wish I could find some definitions of "personal/household".

My above denial of the relevance of GDPR to my Google Calendar is absolutely not to be taken as me ignoring topics of confidentiality over that sort of personal data. Quite apart from the GDPR, it would be plain bad manners to leave someone's contact details lying around - to this extent, GDPR (like Data Protection before it) should act as a "best practice" inspiration.
Adrian
AdrianBruce
Megastar
Posts: 2107
Joined: 09 Aug 2003 21:02
Family Historian: V7
Location: South Cheshire

Re: General Data Protection Regulation

Post by AdrianBruce »

Usual story - I find something after I've hit <Send>

Re definitions - https://ico.org.uk/for-organisations/gu ... finitions/ provides onwards link to http://eur-lex.europa.eu/legal-content/ ... 79&from=EN - I searched for "household" and got various bits such as
(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities
And also...
2. This Regulation does not apply to the processing of personal data:
...
(c) by a natural person in the course of a purely personal or household activity
I suspect that the bit "However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities" could be held to imply that Ancestry, FamilySearch, Google (GMail etc.), Microsoft (Outlook etc.), and others are under the Act. Where I suspect a can of worms lies is in relation to cloud computing, where a supplier provides a general storage facility (and software?): are they a processor under the terms of the Act if they have no means of knowing what their data storage is used for? (And it's used by an organisation which is under GDPR.)
Adrian