There are new data protection rules coming into force in May 2018, and while I thought they only applied to companies, they apply to clubs and societies as well. I'm not sure if it applies to individuals acting on their own, unless they are involved in some economic activity, but that's a side issue.
Anyway, as it applies to chess in Ireland,
I have 2 proper questions:
Do the ICU have any guidance for clubs/tournament organisers etc. for the new GDPR rules coming in next year? Mainly around renewing consent for mailing list etc.
Is the age on the junior ratings list static or dynamic (i.e. can the date of birth be derived)?
and 1/3 rambling ridiculous questions:
What happens if a player requests their data to be deleted, especially around ratings? Does consent need to be given to use your rating in calculations, given that it's stored in a database and involves an algorithm (and that algorithm is implemented in software, rather than done on pen and paper)? Given that a rating and club can currently unique identify everyone above 1780, is it personal information?
I believe that by entering any of the normal competitions, weekenders, leagues, ICU run events, all of which are known to be rated by the ICU, then you have agreed to your name being published with the result of your games, and the publication of your new rating.
It is very difficult to remove a person from the rating system, as all of their games were played against other players, who, presumably, want their ratings to be accurate. On a very few occasions, the rating officer has obfuscated a player's name, which leaves the results of their games intact, but removes their name from access by search engines.
The GDPR will mean this will have to be clearly written, though in ICU membership notice rather than individual tournaments, and members should have to complete some action (checkbox, not pre checked) to allow your data into the database, with parental constent for <13. Implicit or fine print is gone when it comes to databases with real people. However you will be entitled to opt-out of the database at anytime, so what this means for rating calculations is interesting.
I think it is stupid as all this used to be down on pen and paper, and if it still was none of this would be an issue.
I agree it's difficult, and nearly go as far as say farcical, but as the ICU rating allows you to be identified, it could fall under the new rules, and so name obfuscation may not be sufficient. [There are some exceptions for historical importance etc., but the exceptions aren't clear to a non-legal head like me.]
In any case this example is the extreme one. I'm mainly wondering if the ICU/LCU have examined the impact of GDPR both for themselves, and any guidelines for clubs, before it comes into effect next May.
If you check you will find that data protection also applies to lists using pencil and paper. So that wouldn't help.
In fact if you keep a list of kids to invite to your child's birthday party it is probably covered.
The scope of data protection is truly amazing yet it fails to do anything effective about SPAM and similar problems.
However you are allowed 'process' personal data for legitimate reasons, so I doubt that someone can demand to be removed from a ratings database since maintaining that database is a legitimate purpose for the ICU. However it may well be necessary to get explicit consent from players whatever that means.