Updated GDPR policy and new Terms of Use

Esel · 06-12-2018 4:20pm

Boards.ie: Mark wrote: »

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

AndrewJRenko · 06-12-2018 9:15pm

Boards.ie: Mark wrote: »

There is no additional personal data within these moderator discussions that we don't already include in a subject access request, so no.

Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".

Boards.ie: Mark · 07-12-2018 1:38pm

Esel wrote: »

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

No, this will not be anonymised.

AndrewJRenko wrote: »

Thanks for getting back to me. How can you be sure that there is no additional personal data unless you check each discussion? If, for example, a moderator were to say that "I think that poster A is a rereg of poster B, that is personal data of both poster A and poster B".

Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.

LuckyLloyd · 07-12-2018 10:01pm

I used the facility to delete posts in specific forums from a long time ago. I’m glad I got in on it while it was there. It was clear that it was already being abused and - like the close account feature - was proving detrimental for the flow of the site.

dudara · 08-12-2018 10:39am

Esel wrote: »

Will any occurrence of the username in these discussions be anonymised if the user makes a deletion request under GDPR?

Usernames will be deleted where they are part of post metadata (e.g. structured data which is easily searchable etc). But if a username appears within the text string of a post, then my understanding is that it will not be automatically deleted. The script does not, nor cannot, distinguish it from a regular word.

In this case, the data subject should contact Boards and ask for it to be manually removed.

IMPO, while I am not a lawyer or qualified in data privacy but I did gain a lot of in-depth experience in past year through work, this is a good solution. It’s practical and represents a commitment from Boards to address personal data concerns. It works for the site in that posts and discussion flow will be largely maintained while still giving data subjects the ability to request the exercise of their rights.

Necronomicon · 08-12-2018 1:05pm

Boards.ie: Mark wrote: »

Can I ask what device, browser, and OS you're using? And are you logged in or out, are you using incognito mode, and do you have any addons such as Privacy Badger or Ad Blockers running? Thanks.

Sorry I forgot about my previous post, just opened the mobile site again and the banner popped up, reminding me.

Device: iPhone 8
Browser: Chrome
OS: iOS12

AndrewJRenko · 08-12-2018 1:13pm

Boards.ie: Mark wrote: »

No, this will not be anonymised.

Poster B is entitled to submit a Subject Access Request themselves through the various channels (PM to Boards.ie: GDPR or e-mailing datarequests@boards.ie), in which case they will be provided with the data that we hold on them. Poster A is not entitled to any Personal Data that we process with regard to another user.

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

blackwhite · 10-12-2018 10:35am

AndrewJRenko wrote: »

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

It's only personal data if it's identifiable.

If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.

AndrewJRenko · 10-12-2018 3:36pm

blackwhite wrote: »

It's only personal data if it's identifiable.

If all means of identifying Person A has been scrubbed from the site - then one-off references to their username are highly unlikely to qualify as identifiable.

I'm not talking about a deletion request scenario.

I'm talking about current data, without any scrubbing.

Ken. · 13-12-2018 9:32pm

Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?

Beasty · 13-12-2018 9:45pm

Grinchbot wrote: »

Something that just came to my mind and might have been answered already. Lets say AJR above gdpr's his posts and ye do what ye do. Can I then after that request a name change to his name?

I can't see how we could stop a new user signing up with that name, so equally unless we maintain a list of all usernames where such an "anonimisation" request was made, I can't see how we could prevent anyone wanting to use the name

AndrewJRenko · 15-12-2018 12:29am

AndrewJRenko wrote: »

A statement that links Person A to Person B is personal data of both Person A AND Person B equally. How can you possibly say that such a statement refers to one and not the other?

Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.

Beasty · 15-12-2018 11:16am

AndrewJRenko wrote: »

Can I please get a response to this query. This isn't about deletion requests - just a general GDPR access request.

Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

In that situation is it not necessary for both user A and user B to submit separate requests?

the_pen_turner · 15-12-2018 11:19am

i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster

Beasty · 15-12-2018 11:28am

the_pen_turner wrote: »

i can see that you cannont say who you thought the poster was but surely you have to tell them you thought they were another poster

I don't know, and I am not a lawyer. Even if I was I suspect we could be in unchartered legal territory

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade

droidman123 · 15-12-2018 1:29pm

Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s

hullaballoo · 15-12-2018 2:09pm

I for one sell penis enlargement equipment at a hefty profit with this invaluable resource.

ezra_ · 15-12-2018 2:22pm

droidman123 wrote: »

Just to make you all aware,not really related to gdpr,but those admins have access to all your email address,s

Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...

oscarBravo · 15-12-2018 5:02pm

ezra_ wrote: »

Access to a person's email address (and what is done with that knowledge) pretty much cuts to the heart of principles of GDPR...

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

AndrewJRenko · 15-12-2018 11:12pm

oscarBravo wrote: »

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

No, it's not just 'what you do'. GDPR requires 'privacy by design'. So if you don't NEED access to the email address to do your job, you shouldn't have access to it. It shouldn't rely on your professionalism and goodwill, because someday, there will be someone in the role who doesn't have that professionalism and goodwill.

Beasty wrote: »

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place. However ultimately that's for the site and it's employees to consider - it's certainly above an Admin's paygrade

They're not anonymous once you link them to real people, using email or other connections.

Beasty wrote: »

Unless there is irrefutable proof the two accounts have been set up and used by the same person, surely the site cannot reveal details of discussion about user B to user A

In that situation is it not necessary for both user A and user B to submit separate requests?

The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.

So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.

xi5yvm0owc1s2b · 17-12-2018 10:31am

Beasty wrote: »

I continue to struggle to understand how discussion about anonymous users can be considered personal data in the first place.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person," while Boards' own privacy policy defines it as "information that identifies you as an individual or is capable of doing so."

Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

Any information that can help determine a person's identity is personal data. If I know that someone has red hair, drives a Ford Focus, works in IT, is married to an accountant, lives in Galway, has two children, and voted Yes to repeal the 8th Amendment, well, that's all personal data under law, because it all relates to an identifiable natural person.

Mod/admin discussions about a poster may also contain personal data. It's quite easy to imagine how this is the case. For example, Account A might be linked to Account B because they share the same interests, post in the same forums, express a similar social or political viewpoint, and so on. Those interests and viewpoints are expressly defined under the GDPR as personal data.

seamus · 17-12-2018 10:58am

AndrewJRenko wrote: »

The issue, as you presumably have worked out, is that the standard used by moderators to link two users is not the 'irrefutable proof' standard you mention.

So if moderators are using a different standard to link two users, they can't then turn around later for GDPR purposes and say 'we didn't know it was the same person', shortly after they said 'you're the same person'.

Now you're making a bit of a leap Andrew.

Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.

ezra_ · 17-12-2018 11:17am

oscarBravo wrote: »

More so the latter. I have access to all sorts of personal data in my day job. It's what I do with that data that primarily concerns GDPR.

As an admin, I could find out what your email address is. I won't, because I don't care and it's none of my business. Even if I did, I couldn't and wouldn't disclose it or do anything nefarious with it, because that would be a GDPR breach.

Yes and no, I think on this one.

Yes - you are 100% spot on from your perspective.

No, in that if Boards.ie Ltd gives access by default to admins and employees then that access, in and of itself, may come under scrutiny, especially given that for such scrutiny to occur, someone has goofed (or is thought to have goofed).

Beasty · 17-12-2018 12:23pm

Jay Gigantic Plantation wrote: »

Boards users are not anonymous. As the site's own terms of use state: "we cannot guarantee that other users will not be able to determine your identity."

Anyone who wishes to be anonymous can be anonymous on all public parts of the site. If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

What constitutes Personally Identifiable Information is always going to be a matter of conjecture within certain grey areas. It may well be that some court ultimately decides that anything you have ever written in an internet chat-room is considered personally identifiable, but we are no-where near that at this stage.

Regardless of all of this, you cannot wipe another person's mind as easily as you can delete online content, and there is always likely to be some "intelligence" out there that you simply cannot have removed

xi5yvm0owc1s2b · 17-12-2018 12:51pm

Beasty wrote: »

If people believe they have posted any information that may be Personally Identifiable Information they can ask for it to be removed

See, that sounds great in theory. But look at a poster above like seamus, who has been a member of Boards since July 2001 and has 59,515 posts.

What if seamus wanted to remove all potentially identifying information from Boards? He'd have to go through his entire 17.5-year posting history -- which, even at a rate of 1 minute per post, would take him almost a thousand hours, or the equivalent of working 40 hours a week for around six months. He would then submit an enormous list of requested deletions that would give a coronary to whatever poor Boards staffer received it.

It's easy to locate personally identifying information if one has a few hundred posts. It becomes more difficult if one has a few thousand posts. And it becomes impossibly burdensome if one has tens of thousands of posts, as some posters do.

In short, there are some situations where blanket deletion is the only viable strategy for deleting all personally identifying information.

seamus · 17-12-2018 1:07pm

^^^
How would I prove that identifying information has been left behind unless I spend a thousand hours going through my post history?

Beasty · 17-12-2018 1:14pm

I know I have left plenty of PII about myself over the years. The onus is on me to find it if I would like it deleting though - only I posted it, and only I would have the remotest idea of where it may be

Regardless, the site has indicated in the OP a change in approach. I am not a lawyer, but I am one of those "charged" with helping the site run smoothly in line with its ToU and policies. There is nothing I have seen either here or elsewhere that suggests the site's approach is incorrect, other that statements made by certain posters who, it appears, think they know all there is to know about the topic

AndrewJRenko · 17-12-2018 11:13pm

seamus wrote: »

Now you're making a bit of a leap Andrew.

Admins / mods don't require "irrefutable proof" that two users are the same. It's a "best guess". For the purposes of banning and sanctioning, this is good enough.

For GDPR purposes, a "best guess" wouldn't be good enough to risk a breach.

At best you could probably be provided with a list of users whom the site thinks are linked to your account, but with the other names anonymised. Numbered, maybe.

There is no leap. There is no provision in GDPR for differing standards of proof. If there were, it would undermine the whole principle of GDPR - every data processor in Europe would come up with different standards to ensure that data linked for operational reasons is not linked for GDPR purposes.

If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

seamus · 18-12-2018 9:23am

AndrewJRenko wrote: »

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

Well, until that point, boards is entitled to maintain its GDPR policy.

Boards.ie: Mark · 18-12-2018 10:27am

AndrewJRenko wrote: »

If you are linking, for example, me as being the same person as other user(s) for operating purposes, and there is any correspondence that refers to me, including correspondence setting out details of this linkage, that data is my PII, and must be provided to me in an access request. This is NOT about releasing data of those users - it is about releasing data about the linking to those users.

I'd be fairly confident the DPC would confirm this if an access request were referred to them.

You are not entitled to the personal data of another user. If we were to provide you with another username on the back of an IP address, for example, and you're not that other user, then that would be a breach.

We have set out our legal position, and you have provided feedback, but with all due respect this is not something that is going to be changed as a result of debate.

Updated GDPR policy and new Terms of Use

Comments