Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
If we do not hit our goal we will be forced to close the site.

Current status: https://keepboardsalive.com/

Annual subs are best for most impact. If you are still undecided on going Ad Free - you can also donate using the Paypal Donate option. All contribution helps. Thank you.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.

Updated GDPR policy and new Terms of Use

1356

Comments

  • Registered Users, Registered Users 2 Posts: 24,416 ✭✭✭✭Esel
    Not Your Ornery Onager


    There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.
    Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

    Not your ornery onager



  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

    Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".


  • Boards.ie Employee, Boards Employee 2, Boards Employee 3 Posts: 5,461 ✭✭✭✭✭Boards.ie: Mark
    Boards.ie Employee


    Esel wrote: »
    Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

    No, this will not be anonymised.
    Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".

    Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.


  • Registered Users, Registered Users 2 Posts: 36,765 ✭✭✭✭LuckyLloyd


    I used the facility to delete posts in specific forums from a long time ago. I’m glad I got in on it while it was there. It was clear that it was already being abused and - like the close account feature - was proving detrimental for the flow of the site.


  • Registered Users, Registered Users 2 Posts: 33,518 ✭✭✭✭dudara


    Esel wrote: »
    Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

    Usernames will be deleted where they are part of post metadata (e.g. structured data which is easily searchable etc). But if a username appears within the text string of a post, then my understanding is that it will not be automatically deleted. The script does not, nor cannot, distinguish it from a regular word.

    In this case, the data subject should contact Boards and ask for it to be manually removed.

    IMPO, while I am not a lawyer or qualified in data privacy but I did gain a lot of in-depth experience in past year through work, this is a good solution. It’s practical and represents a commitment from Boards to address personal data concerns. It works for the site in that posts and discussion flow will be largely maintained while still giving data subjects the ability to request the exercise of their rights.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 11,589 ✭✭✭✭Necronomicon


    Can I ask what device, browser, and OS you're using? And are you logged in or out, are you using incognito mode, and do you have any addons such as Privacy Badger or Ad Blockers running? Thanks.

    Sorry I forgot about my previous post, just opened the mobile site again and the banner popped up, reminding me.

    Device: iPhone 8
    Browser: Chrome
    OS: iOS12


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    No, this will not be anonymised.



    Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.

    A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?


  • Registered Users, Registered Users 2, Paid Member Posts: 9,847 ✭✭✭blackwhite


    A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

    It's only personal data if it's identifiable.

    If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    blackwhite wrote: »
    It's only personal data if it's identifiable.

    If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.

    I'm not talking about a deletion request scenario.

    I'm talking about current data, without any scrubbing.


  • Closed Accounts Posts: 12,898 ✭✭✭✭Ken.


    Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?


  • Advertisement
  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    Grinchbot wrote: »
    Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?
    I can't see how we could stop a new user signing up with that name, so equally unless we maintain a list of all usernames where such an "anonimisation" request was made, I can't see how we could prevent anyone wanting to use the name


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?
    Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.
    Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

    In that situation is it not necessary for both user A and user B to submit separate requests?


  • Registered Users, Registered Users 2 Posts: 7,698 ✭✭✭the_pen_turner


    i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster
    I don't know, and I am not a lawyer. Even if I was I suspect we could be in unchartered legal territory

    I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade


  • Posts: 5,557 ✭✭✭ [Deleted User]


    Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators, Paid Member Posts: 18,830 Admin ✭✭✭✭✭hullaballoo


    I for one sell penis enlargement equipment at a hefty profit with this invaluable resource.


  • Registered Users, Registered Users 2 Posts: 1,369 ✭✭✭ezra_


    Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s

    Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...


  • Technology & Internet Moderators Posts: 28,862 Mod ✭✭✭✭oscarBravo


    ezra_ wrote: »
    Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...

    More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

    As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    oscarBravo wrote: »
    More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

    As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.


    No, it's not just 'what you do'. GDPR requires 'privacy by design'. So if you don't NEED access to the email address to do your job, you shouldn't have access to it. It shouldn't rely on your professionalism and goodwill, because someday, there will be someone in the role who doesn't have that professionalism and goodwill.

    Beasty wrote: »
    I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade
    They're not anonymous once you link them to real people, using email or other connections.

    Beasty wrote: »
    Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

    In that situation is it not necessary for both user A and user B to submit separate requests?
    The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.



    So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.


  • Advertisement
  • Closed Accounts Posts: 1,325 ✭✭✭xi5yvm0owc1s2b


    Beasty wrote: »
    I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place.

    The GDPR defines personal data as "any information relating to an identified or identifiable natural person," while Boards' own privacy policy defines it as "information that identifies you as an individual or is capable of doing so."

    Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

    Any information that can help determine a person's identity is personal data. If I know that someone has red hair, drives a Ford Focus, works in IT, is married to an accountant, lives in Galway, has two children, and voted Yes to repeal the 8th Amendment, well, that's all personal data under law, because it all relates to an identifiable natural person.

    Mod/admin discussions about a poster may also contain personal data. It's quite easy to imagine how this is the case. For example, Account A might be linked to Account B because they share the same interests, post in the same forums, express a similar social or political viewpoint, and so on. Those interests and viewpoints are expressly defined under the GDPR as personal data.


  • Registered Users, Registered Users 2 Posts: 68,173 ✭✭✭✭seamus


    The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.

    So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.
    Now you're making a bit of a leap Andrew.

    Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

    For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

    At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.


  • Registered Users, Registered Users 2 Posts: 1,369 ✭✭✭ezra_


    oscarBravo wrote: »
    More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

    As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

    Yes and no, I think on this one.

    Yes - you are 100% spot on from your perspective.

    No, in that if Boards.ie Ltd gives access by default to admins and employees then that access, in and of itself, may come under scrutiny, especially given that for such scrutiny to occur, someone has goofed (or is thought to have goofed).


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

    Anyone who wishes to be anonymous can be anonymous on all public parts of the site. If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

    What constitutes Personally Identifiable Information is always going to be a matter of conjecture within certain grey areas. It may well be that some court ultimately decides that anything you have ever written in an internet chat-room is considered personally identifiable, but we are no-where near that at this stage.

    Regardless of all of this, you cannot wipe another person's mind as easily as you can delete online content, and there is always likely to be some "intelligence" out there that you simply cannot have removed


  • Closed Accounts Posts: 1,325 ✭✭✭xi5yvm0owc1s2b


    Beasty wrote: »
    If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

    See, that sounds great in theory. But look at a poster above like seamus, who has been a member of Boards since July 2001 and has 59,515 posts.

    What if seamus wanted to remove all potentially identifying information from Boards? He'd have to go through his entire 17.5-year posting history -- which, even at a rate of 1 minute per post, would take him almost a thousand hours, or the equivalent of working 40 hours a week for around six months. He would then submit an enormous list of requested deletions that would give a coronary to whatever poor Boards staffer received it.

    It's easy to locate personally identifying information if one has a few hundred posts. It becomes more difficult if one has a few thousand posts. And it becomes impossibly burdensome if one has tens of thousands of posts, as some posters do.

    In short, there are some situations where blanket deletion is the only viable strategy for deleting all personally identifying information.


  • Registered Users, Registered Users 2 Posts: 68,173 ✭✭✭✭seamus


    ^^^
    How would I prove that identifying information has been left behind unless I spend a thousand hours going through my post history?


  • Administrators, Social & Fun Moderators, Sports Moderators, Paid Member Posts: 78,495 Admin ✭✭✭✭✭Beasty


    I know I have left plenty of PII about myself over the years. The onus is on me to find it if I would like it deleting though - only I posted it, and only I would have the remotest idea of where it may be

    Regardless, the site has indicated in the OP a change in approach. I am not a lawyer, but I am one of those "charged" with helping the site run smoothly in line with its ToU and policies. There is nothing I have seen either here or elsewhere that suggests the site's approach is incorrect, other that statements made by certain posters who, it appears, think they know all there is to know about the topic


  • Registered Users, Registered Users 2 Posts: 33,451 ✭✭✭✭AndrewJRenko


    seamus wrote: »
    Now you're making a bit of a leap Andrew.

    Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

    For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

    At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.


    There is no leap. There is no provision in GDPR for differing standards of proof. If there were, it would undermine the whole principle of GDPR - every data processor in Europe would come up with different standards to ensure that data linked for operational reasons is not linked for GDPR purposes.



    If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.


    I'd be fairly confident the DPC would confirm this if an access request were referred to them.


  • Registered Users, Registered Users 2 Posts: 68,173 ✭✭✭✭seamus


    I'd be fairly confident the DPC would confirm this if an access request were referred to them.
    Well, until that point, boards is entitled to maintain its GDPR policy.


  • Advertisement
  • Boards.ie Employee, Boards Employee 2, Boards Employee 3 Posts: 5,461 ✭✭✭✭✭Boards.ie: Mark
    Boards.ie Employee


    If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.


    I'd be fairly confident the DPC would confirm this if an access request were referred to them.

    You are not entitled to the personal data of another user. If we were to provide you with another username on the back of an IP address, for example, and you're not that other user, then that would be a breach.

    We have set out our legal position, and you have provided feedback, but with all due respect this is not something that is going to be changed as a result of debate.


This discussion has been closed.
Advertisement