Forum GDPR compliance?

Richard Russell
Posts: 501
Joined: Sun Feb 27, 2011 10:35 am
Location: Downham Market, Norfolk

Forum GDPR compliance?

Post by Richard Russell » Thu May 24, 2018 11:01 pm

As far as I can tell this forum has not installed/enabled the phpBB Privacy Policy extension, so I am concerned that it may not be GDPR compliant, which it is required to be from today (25th May 2018). Is this something under active consideration, or has it been overlooked?

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 6:19 am

It's all a little ambiguous as to how it applies to non-commercial entities, given that we're not an organisation, rather a loose collection of self-organising wotnots who, under the previous legislation, so far as I can tell would be mostly concerned with domestic rather than commercial issues. However, yes, will see about putting that module in. The database didn't upgrade last time the forum upgraded (I don't know why; I'm not really techy enough on that front). I'll try and kick it over, but it might break something :( - we're also incredibly low on disk space.

d.

vanpeebles
Posts: 467
Joined: Wed Nov 28, 2012 10:01 am
Location: UK

Re: Forum GDPR compliance?

Post by vanpeebles » Fri May 25, 2018 8:27 am

Quite; a lot of what I have read talks in terms of employees and numbers of employees etc., but very little about it actually being done as a hobby for free.

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 8:42 am

Other thing to bear in mind is who is hosting it, i.e. is that a commercial hosting company? They are probably classed as a Data Processor, so if they are doing anything with the data on stardot's behalf they would be required to comply. And if there was no process in place on the stardot website, they could not allow the site to be hosted.

This is just hypothetical; I haven't looked in depth for hobbyists. I just work for a pre-cloud hosting company and as a processor we used to be able to ignore DP but not GDPR.

Richard Russell
Posts: 501
Joined: Sun Feb 27, 2011 10:35 am
Location: Downham Market, Norfolk

Re: Forum GDPR compliance?

Post by Richard Russell » Fri May 25, 2018 8:43 am

vanpeebles wrote: Quite; a lot of what I have read talks in terms of employees and numbers of employees etc., but very little about it actually being done as a hobby for free.

I don't think it makes any difference. GDPR is there to protect the privacy of the user, so it applies to any entity that is collecting his personal data, whatever its size or status. For example here it states "The General Data Protection Regulation (GDPR) is applicable to any organization/business or individual who handles the personal data of European citizens".

Richard Russell
Posts: 501
Joined: Sun Feb 27, 2011 10:35 am
Location: Downham Market, Norfolk

Re: Forum GDPR compliance?

Post by Richard Russell » Fri May 25, 2018 8:45 am

danielj wrote: However, yes, will see about putting that module in.

I think it is worth doing; if nothing else it demonstrates that you have made an effort to be compliant. I've installed it on both my phpBB forums without any obvious adverse effects, but it's early days. If you want to see how it affects the 'user experience' you can visit the BBC BASIC forum; the main thing you'll probably notice is that it requires visitors to accept the use of cookies.

Richard.

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 8:47 am

The ICO have said that they're not going to be chasing people down with dogs, and especially not small organisations - I don't think we even count as one of those. I'll try and fathom how this applies to here - it may simply be that we have to make a statement about email addresses and IP addresses and how they're used.

As for that module, it probably will solve everything. I've got the database updated to the latest version (no idea why it didn't work before), but we'll need to migrate to phpBB 3.2; this will require a certain amount of bravery, as pretty much everything has to be deleted. :?

d.

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 8:52 am

I agree (with Richard): better safe than sorry, if it's not much effort to do it. Also think about who keeps backups, where, and how long they are kept for. And are any hosting services like web traffic analysers being used that might have personal data in them, and such like? Bit of a minefield.

Edit: I do like stardot as it is the only site the advert/tracking browser extension reports 0 on :-)
Last edited by Elminster on Fri May 25, 2018 8:54 am, edited 1 time in total.

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 8:54 am

Elminster wrote: Other thing to bear in mind is who is hosting it, i.e. is that a commercial hosting company? They are probably classed as a Data Processor, so if they are doing anything with the data on stardot's behalf they would be required to comply. And if there was no process in place on the stardot website, they could not allow the site to be hosted.

This is just hypothetical; I haven't looked in depth for hobbyists. I just work for a pre-cloud hosting company and as a processor we used to be able to ignore DP but not GDPR.

They're not the data processor, the people who run the forum are really... I suspect the hosting platform has a duty to request that people using it are moving to be GDPR compliant, and also has to get a retention schedule in place for data relating to their clients, but I don't think they can be held responsible for how people who lease space from them process data. I could be wrong though!

d.

vanpeebles
Posts: 467
Joined: Wed Nov 28, 2012 10:01 am
Location: UK

Re: Forum GDPR compliance?

Post by vanpeebles » Fri May 25, 2018 8:57 am

Hopefully, it won't make running hobbyist sites more trouble than it's worth, and then end up driving more people onto horrible places like facecrook.
Last edited by vanpeebles on Fri May 25, 2018 8:58 am, edited 1 time in total.

pau1ie
Posts: 552
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: Forum GDPR compliance?

Post by pau1ie » Fri May 25, 2018 8:57 am

A recent episode of Money Box spoke to people running an allotment association; the consensus was that it did apply to non-commercial entities, but wasn't too hard to comply with. I think the forum is pretty self-service: we can delete our posts if we want, and can correct our own information. It's not like you are using the forum to scrape all our data and sell it to the highest bidder...

Or are you? :twisted:
I'm working on http://bbcmicro.co.uk

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 8:59 am

danielj wrote:
Elminster wrote: Other thing to bear in mind is who is hosting it, i.e. is that a commercial hosting company? They are probably classed as a Data Processor, so if they are doing anything with the data on stardot's behalf they would be required to comply. And if there was no process in place on the stardot website, they could not allow the site to be hosted.

This is just hypothetical; I haven't looked in depth for hobbyists. I just work for a pre-cloud hosting company and as a processor we used to be able to ignore DP but not GDPR.

They're not the data processor, the people who run the forum are really... I suspect the hosting platform has a duty to request that people using it are moving to be GDPR compliant, and also has to get a retention schedule in place for data relating to their clients, but I don't think they can be held responsible for how people who lease space from them process data. I could be wrong though!

d.

I am afraid not; the hosting company is definitely a processor. I know, I work for one and we had to go through a load of retraining. Any hosting or cloud company is a GDPR processor.

The forum is the data controller (as well as a processor).

Edit: Does the hosting company have a GDPR statement? I'm just off to look to see if mine does, but I shut my website down, so it's not an issue, only of interest.
Last edited by Elminster on Fri May 25, 2018 9:14 am, edited 2 times in total.

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 8:59 am

pau1ie wrote: A recent episode of Money Box spoke to people running an allotment association; the consensus was that it did apply to non-commercial entities, but wasn't too hard to comply with. I think the forum is pretty self-service: we can delete our posts if we want, and can correct our own information. It's not like you are using the forum to scrape all our data and sell it to the highest bidder...

Or are you? :twisted:

It is the right to be forgotten that is the pain.

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 9:14 am

Email the admin and ask us to delete you and all your posts. Simples.
d.

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 9:19 am

danielj wrote: Email the admin and ask us to delete you and all your posts. Simples.
d.

Probably for here, yes.

We have multi-terabyte HR systems, with data integration built around users, and 20 years of backups split across random tapes stored in a castle somewhere with man-eating crocodiles and a grumpy troll. And not even sure the mould hasn't eaten the tapes.

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 9:23 am

There is an opportunity here. You could buy an island, set up a hosting company, and charge out a premium price to GDPR evaders.

vanpeebles
Posts: 467
Joined: Wed Nov 28, 2012 10:01 am
Location: UK

Re: Forum GDPR compliance?

Post by vanpeebles » Fri May 25, 2018 9:31 am

Someone could do an internets boat like the old radio stations :lol:

jgharston
Posts: 3211
Joined: Thu Sep 24, 2009 11:22 am
Location: Whitby/Sheffield

Re: Forum GDPR compliance?

Post by jgharston » Fri May 25, 2018 9:38 am

Elminster wrote: in a castle somewhere with man-eating crocodiles and a grumpy troll.

Are the crocodiles tasty? ;)

$ bbcbasic
PDP11 BBC BASIC IV Version 0.25
(C) Copyright J.G.Harston 1989,2005-2015
>_

Elminster
Posts: 3072
Joined: Wed Jun 20, 2012 8:09 am
Location: Essex, UK

Re: Forum GDPR compliance?

Post by Elminster » Fri May 25, 2018 9:49 am

jgharston wrote:
Elminster wrote: in a castle somewhere with man-eating crocodiles and a grumpy troll.

Are the crocodiles tasty? ;)

Yes. I remember getting some free crocodile burgers when we got our Weber Gas BBQ.

jgharston
Posts: 3211
Joined: Thu Sep 24, 2009 11:22 am
Location: Whitby/Sheffield

Re: Forum GDPR compliance?

Post by jgharston » Fri May 25, 2018 10:03 am

Due to a lack of interest last year I ended up on my parish council's Finance Committee which has been going through the GDPR stuff. I've just had a quick skim through our stuff and for StarDot the main questions are:
* do we hold personal data on more than 5000 people?
* do we use that data to send communications to them?

A quick squint at my User Control Panel shows that we hold:
required:
* the user's email address that was used to join the forum
* the user's timezone setting
optional:
* interests, website address, personal location, Facebook, YouTube, etc. addresses, all of which I have left blank other than location.
* the option for the user's email address to be used to send the user a notification that they have been sent a private message, or that somebody has replied to their posts.

I don't see any ability for the forum to use the personal data collected to target communications with them, and there is no requirement for users to supply data that personally identifies them.

BigEd
Posts: 2091
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: Forum GDPR compliance?

Post by BigEd » Fri May 25, 2018 10:20 am

I see mentions of 'economic activity' as being relevant to the GDPR; we don't have membership fees and stardot as a forum isn't any kind of business. So possibly exempt? (Then again, it's not a personal or household activity...)

Any business conducted on the forum - buying, selling, subs for meetups - is presumably the business of the people involved, not the forum's own business.

1024MAK
Posts: 7868
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: Forum GDPR compliance?

Post by 1024MAK » Fri May 25, 2018 10:28 am

For organisations that don't sell data, don't provide data to other organisations or companies, don't send out 'marketing' emails, text messages, letters etc., and that already use an opt-in system, there is not that much to change.

As with any new legislation, there is some interpretation, and some mis-information (over reaction).

I do however advise that the site adds a suitable statement to both the introduction email and the home page stating that personal information will not be passed to other organisations or companies, and that by providing an email address, you are agreeing to StarDot sending relevant emails to you. Also that, if you wish, you may contact the administrator if you want your personal details removed.

I also suggest that a statement is added to the effect that the text and picture content provided by users to StarDot becomes the copyright of StarDot. This then means that if a user asks for all their posts to be removed, the administrators may not have to remove all of the posts, as removing some posts in some threads will break the thread and its context. Also it means the administrators don't have to edit out quotes from other users' posts.

Mark
For a "Complete BBC Games Archive" visit www.bbcmicro.co.uk NOW!
BeebWiki - for answers to many questions...

davidb
Posts: 2191
Joined: Sun Nov 11, 2007 10:11 pm

Re: Forum GDPR compliance?

Post by davidb » Fri May 25, 2018 2:46 pm

1024MAK wrote: I also suggest that a statement is added to the effect that the text and picture content provided by users to StarDot becomes the copyright of StarDot. This then means that if a user asks for all their posts to be removed, the administrators may not have to remove all of the posts, as removing some posts in some threads will break the thread and its context. Also it means the administrators don't have to edit out quotes from other users' posts.

I would recommend against this. Apart from being overreaching, it is probably also unnecessary and certainly undesirable. If users assign copyright of their contributions to the forum (if that's even possible in such a minimal way) then the forum may be viewed as a publisher of that information in its own right instead of being a mere bit pipe. I would expect it to be easier to disclaim responsibility for user content if you don't hold the copyright for it.

Lots of services basically just get the user to grant a non-exclusive license to reproduce user content for the purpose of providing the service and to agree that the service may remove content subject to terms and conditions.

jgharston
Posts: 3211
Joined: Thu Sep 24, 2009 11:22 am
Location: Whitby/Sheffield

Re: Forum GDPR compliance?

Post by jgharston » Fri May 25, 2018 2:54 pm

Somebody demanding that an event be removed from history gives me the collywobbles. My inclination is to ask: ok, lend me your time machine and advise when I should travel to, to stop you causing that event to happen.

If on 23rd Feb 2018 Fred Jones said Boo! then on 23rd Feb 2018 Fred Jones said Boo!. Nothing can change that.

1024MAK
Posts: 7868
Joined: Mon Apr 18, 2011 4:46 pm
Location: Looking forward to summer in Somerset, UK...

Re: Forum GDPR compliance?

Post by 1024MAK » Fri May 25, 2018 3:13 pm

davidb wrote:
1024MAK wrote: I also suggest that a statement is added to the effect that the text and picture content provided by users to StarDot becomes the copyright of StarDot. This then means that if a user asks for all their posts to be removed, the administrators may not have to remove all of the posts, as removing some posts in some threads will break the thread and its context. Also it means the administrators don't have to edit out quotes from other users' posts.

I would recommend against this. Apart from being overreaching, it is probably also unnecessary and certainly undesirable. If users assign copyright of their contributions to the forum (if that's even possible in such a minimal way) then the forum may be viewed as a publisher of that information in its own right instead of being a mere bit pipe. I would expect it to be easier to disclaim responsibility for user content if you don't hold the copyright for it.

Lots of services basically just get the user to grant a non-exclusive license to reproduce user content for the purpose of providing the service and to agree that the service may remove content subject to terms and conditions.

I was just looking at how StarDot could protect itself from the occasional troublemaker who may demand that ALL their posts are deleted. This has happened on other forums, and if you now read back a thread where such a user had a number of relevant posts, the flow of the thread is rather broken. Other suggestions on how we can protect StarDot are welcome.

Mark

jonb
Posts: 2244
Joined: Sat May 21, 2011 12:42 pm
Location: South Coast of England

Re: Forum GDPR compliance?

Post by jonb » Fri May 25, 2018 3:21 pm

jgharston wrote: I don't see any ability for the forum to use the personal data collected to target communications with them, and there is no requirement for users to supply data that personally identifies them.

Doesn't my email address personally identify me? After all, it is unique and I can be identified with it. And what about my IP address, which, despite being a "rolling" address, never changes in practice.

Not concerned, just curious.

Edit, hang on. The forum needs these data because they are essential to the service being provided. So these at least are exempt from opt-in.

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 3:53 pm

IP address and email are indeed personally identifying information!

I think if the user agreement says that by posting they agree that all posts are made under a CC BY-SA licence then that should sort it?

d.

BigEd
Posts: 2091
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: Forum GDPR compliance?

Post by BigEd » Fri May 25, 2018 4:08 pm

I see the plugin's text as linked by Russell declares that a member's posts are considered public information, as they will have been indexed and may have been archived by third parties. So, one's posts are not affected by GDPR.

I agree with the idea that it's unwelcome for a user to delete their comments, or mass-edit them into nothingness, and it would be preferable for comments to remain (perhaps now attributed to a <deleted user>) if an account is deleted. Ideally there'd be phpBB add-ins to do this.

I checked a couple of comment policies elsewhere. They look a little unwelcoming but I think the idea is sound:

You or the owner of the content still own the copyright in the content sent to us, but by submitting content to us, you are granting us an unconditional, irrevocable, non-exclusive, royalty-free, fully transferable, perpetual worldwide licence to use, publish and/or transmit, and to authorise third-parties to use, publish and/or transmit your content in any format and on any platform, either now known or hereinafter invented.

We, or authorised third parties, reserve the right to cut, crop, edit or refuse to publish, your content at our or their sole discretion. We may remove your content from use at any time.

By submitting a Message to a Forum you are granting The Economist a perpetual, irrevocable, royalty free non-exclusive licence to reproduce, modify, translate, make available, distribute and sub-license the Message in whole or in part, and in any form. This may include personal information such as your user or pen name and your expressions of opinion. The Economist reserves the right to contact you by e-mail about your use of the Forums. You waive any moral rights that you may have in regard to the Messages you submit.

I'm not sure I like using Creative Commons for user content, as it means everything here could be scraped and republished elsewhere by third parties. There's also an issue, whatever you do, in that previously-posted messages are arguably not covered by a new terms of service.
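The "keep the posts, retire the account" handling BigEd describes (and the quoted-post problem 1024MAK raises), as an added example that is not part of this thread and not phpBB's own code: the record layout, field names and sample members are assumptions constructed for illustration, based on the data the thread says the forum holds.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

PLACEHOLDER = "<deleted user>"


@dataclass
class User:
    # Constructed record: the fields jgharston listed (required email and
    # timezone, optional profile fields, the notification opt-in) plus the
    # last IP address, which the thread notes the forum also stores.
    user_id: int
    username: str
    email: str
    last_ip: str
    timezone: str
    location: str = ""
    website: str = ""
    notify_by_email: bool = False
    anonymised: bool = False


@dataclass
class Post:
    post_id: int
    author_id: int
    author_name: str
    body: str


def anonymise_user(user: User) -> User:
    """Wipe every personal-data field but keep the numeric id, so post rows
    that reference the account remain valid."""
    return User(user_id=user.user_id, username=f"{PLACEHOLDER} {user.user_id}",
                email="", last_ip="", timezone="UTC", anonymised=True)


def reattribute_posts(posts: List[Post], user: User) -> List[Post]:
    """Keep the member's posts so thread context survives, but show them
    under the placeholder, and rewrite 'username wrote:' attribution lines
    inside other members' quotes so the name disappears there too."""
    quote_tag = re.compile(rf"\b{re.escape(user.username)} wrote:")
    out = []
    for p in posts:
        name = PLACEHOLDER if p.author_id == user.user_id else p.author_name
        body = quote_tag.sub(f"{PLACEHOLDER} wrote:", p.body)
        out.append(Post(p.post_id, p.author_id, name, body))
    return out


def erase_member(user: User, posts: List[Post]) -> Tuple[User, List[Post], List[str]]:
    """Handle an erasure request. The returned list names the fields that
    actually held data, for the admin's reply to the requester."""
    held = [f for f in ("email", "last_ip", "location", "website")
            if getattr(user, f)]
    if user.notify_by_email:
        held.append("notify_by_email")
    return anonymise_user(user), reattribute_posts(posts, user), held


# Constructed sample data for a stand-alone run.
SAMPLE_USER = User(42, "fred", "fred@example.invalid", "203.0.113.7",
                   "Europe/London", location="Norfolk", notify_by_email=True)
SAMPLE_POSTS = [
    Post(1, 42, "fred", "Boo!"),
    Post(2, 7, "alice", "fred wrote:Boo!\nAre the crocodiles tasty?"),
]

if __name__ == "__main__":
    user, posts, held = erase_member(SAMPLE_USER, SAMPLE_POSTS)
    print(user.username, "cleared:", ", ".join(held))
    for p in posts:
        print(p.author_name, "|", p.body.replace("\n", " / "))
```

Backups are the caveat Elminster raised: the live record is cleared, but a copy of the old row survives in any database dump taken before the request, so retention of those dumps has to be bounded too.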

Richard Russell
Posts: 501
Joined: Sun Feb 27, 2011 10:35 am
Location: Downham Market, Norfolk

Re: Forum GDPR compliance?

Post by Richard Russell » Fri May 25, 2018 5:22 pm

jgharston wrote: do we hold personal data on more than 5000 people?

GDPR applies irrespective of the number (the 5000 figure apparently appeared in an early draft as a threshold above which an independent Data Protection Officer needs to be appointed).

jgharston wrote: there is no requirement for users to supply data that personally identifies them.

As noted elsewhere, your email address and (in some circumstances) your IP address, both of which are stored by the forum, do personally identify you.

danielj
Posts: 6582
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: Forum GDPR compliance?

Post by danielj » Fri May 25, 2018 5:36 pm

So, I can attempt to update the forum to 3.2 this evening following these instructions:
https://www.phpbb.com/support/docs/en/3 ... upgrade31/

I'll back up the database now, and the board files. If it goes wrong I'll just reinstate things as they were :|
d.
