Page 12 of 12 FirstFirst ... 289101112
Results 166 to 179 of 179

Thread: Gdpr

  1. #166
    Group Scout Leader
    Join Date
    Oct 2007
    Location
    Stanstead Abbotts, Hertfordshire
    Posts
    604
    Thanks
    82
    Thanked 202 Times in 113 Posts
    Just to put this GDPR thing into perspective, it’s starting to fall apart already.

    Last week I received an unsolicited personally addressed marketing letter to the Scout HQ, trying to sell me a credit card (I had been ‘pre-approved’!). I have never had any contact with the credit card company before this.

    Just out of curiosity, I sent them a well worded SAR asking to know what data they hold on me and on what lawful basis they process this.

    Their almost immediate response was a long but well written template, but it basically a said four key things:

    • They purchased my data from a third party, who they named and referred me to the third party's privacy policy (how did the third party get my data and on what basis do they process and sell it?)
    • They use ‘legitimate interest’ to process my data (really?)
    • They will only continue with my SAR if I confirm my identity by jumping through hoops including sending them a photo of my passport or driving licence (like I'm going to do that!)
    • I can opt out if I contact them (the opposite of what GDPR purports to require)


    So they are continuing to buy people’s data and send them unsolicited marketing irrespective of GDPR's intent.

    Business as usual.

  2. The Following User Says Thank You to pstretch For This Useful Post:

    pa_broon74 (19-06-2018)

  3. #167
    Senior Member
    Join Date
    Nov 2013
    Posts
    286
    Thanks
    157
    Thanked 201 Times in 95 Posts
    Quote Originally Posted by pstretch View Post
    Just to put this GDPR thing into perspective, it’s starting to fall apart already.

    Last week I received an unsolicited personally addressed marketing letter to the Scout HQ, trying to sell me a credit card (I had been ‘pre-approved’!). I have never had any contact with the credit card company before this.

    Just out of curiosity, I sent them a well worded SAR asking to know what data they hold on me and on what lawful basis they process this.

    Their almost immediate response was a long but well written template, but it basically a said four key things:

    • They purchased my data from a third party, who they named and referred me to the third party's privacy policy (how did the third party get my data and on what basis do they process and sell it?)
    • They use ‘legitimate interest’ to process my data (really?)
    • They will only continue with my SAR if I confirm my identity by jumping through hoops including sending them a photo of my passport or driving licence (like I'm going to do that!)
    • I can opt out if I contact them (the opposite of what GDPR purports to require)


    So they are continuing to buy people’s data and send them unsolicited marketing irrespective of GDPR's intent.

    Business as usual.
    I would report them to the ICO:

    https://ico.org.uk/make-a-complaint/...tion-concerns/

    And tell them that you have done so.

  4. The Following User Says Thank You to hippysurfer For This Useful Post:

    shiftypete (19-06-2018)

  5. #168
    Senior Member
    Join Date
    Sep 2009
    Posts
    9,741
    Thanks
    2,533
    Thanked 1,864 Times in 1,181 Posts
    Though to be fair they are quite right to request ID before divulging data - as you could be anyone.

  6. #169
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,516
    Thanks
    2,033
    Thanked 568 Times in 422 Posts
    Quote Originally Posted by hippysurfer View Post
    I would report them to the ICO:

    https://ico.org.uk/make-a-complaint/...tion-concerns/

    And tell them that you have done so.
    This.

    I would also reiterate that the 28 day clock started ticking when they received your access request, and that if they fail to provide the details that will cause a second complaint to the ICO.

    It is sensible for them to want you to prove your ID, but you should be able to do that with information they already possess, not with a photo ID!


    Sent from my iPad using Tapatalk

  7. #170
    ESL and DESC ianw's Avatar
    Join Date
    Apr 2004
    Location
    Surrey
    Posts
    6,245
    Thanks
    1,408
    Thanked 1,920 Times in 1,115 Posts
    Quote Originally Posted by pstretch View Post
    [*]They use ‘legitimate interest’ to process my data (really?)
    Aye, they legitimately want to sell you a new credit card.

    Ian
    Ian Wilkins
    Farnham District Explorer Scout Commissioner

    Jambowlree - Worldwide Scout Ten Pin Bowling Competition
    All sections, all countries, runs December 2017 - May 2018
    http://www.jambowlree.org

  8. #171
    Group Scout Leader
    Join Date
    Oct 2007
    Location
    Stanstead Abbotts, Hertfordshire
    Posts
    604
    Thanks
    82
    Thanked 202 Times in 113 Posts
    Quote Originally Posted by nevynxxx View Post
    I would also reiterate that the 28 day clock started ticking when they received your access request, and that if they fail to provide the details that will cause a second complaint to the ICO.

    It is sensible for them to want you to prove your ID, but you should be able to do that with information they already possess, not with a photo ID!
    The use of photo ID seems to rapidly becoming the norm for accepting a SAR. I can see that Processors faces a potential data breach situation if they release personal data without confirming identity. I've heard of others asking for similar proof of ID. Even UK Gov are asking for it e.g. https://www.gov.uk/government/public...s-request-form.

    Re timescales, the ICO's website seems to contradict itself on this (my underline for emphasis):

    'Can we extend the time for a response?

    You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
    However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:

    • it is manifestly unfounded or excessive;
    • an exemption applies; or
    • you are requesting proof of identity before considering the request.

    Can we ask an individual for ID?

    If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
    You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information
    .'

    https://ico.org.uk/for-organisations...ght-of-access/

  9. The Following User Says Thank You to pstretch For This Useful Post:

    nevynxxx (19-06-2018)

  10. #172
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,516
    Thanks
    2,033
    Thanked 568 Times in 422 Posts
    Quote Originally Posted by pstretch View Post
    The use of photo ID seems to rapidly becoming the norm for accepting a SAR. I can see that Processors faces a potential data breach situation if they release personal data without confirming identity. I've heard of others asking for similar proof of ID. Even UK Gov are asking for it e.g. https://www.gov.uk/government/public...s-request-form.

    Re timescales, the ICO's website seems to contradict itself on this (my underline for emphasis):

    'Can we extend the time for a response?

    You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
    However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:

    • it is manifestly unfounded or excessive;
    • an exemption applies; or
    • you are requesting proof of identity before considering the request.

    Can we ask an individual for ID?

    If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
    You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information
    .'

    https://ico.org.uk/for-organisations...ght-of-access/
    I would argue that in the case of gov etc, they already have your photo I’d if it exists, so it’s reasonable. Asking for *more* information, to tell someone what information you have seems unreasonable.....


    Sent from my iPad using Tapatalk

  11. #173
    Member
    Join Date
    May 2017
    Posts
    26
    Thanks
    0
    Thanked 13 Times in 10 Posts
    Quote Originally Posted by pstretch View Post
    Just to put this GDPR thing into perspective, it’s starting to fall apart already. Last week I received an unsolicited personally addressed marketing letter to the Scout HQ, trying to sell me a credit card (I had been ‘pre-approved’!). I have never had any contact with the credit card company before this. Just out of curiosity, I sent them a well worded SAR asking to know what data they hold on me and on what lawful basis they process this. Their almost immediate response was a long but well written template, but it basically a said four key things:
    • They purchased my data from a third party, who they named and referred me to the third party's privacy policy (how did the third party get my data and on what basis do they process and sell it?)
    • They use ‘legitimate interest’ to process my data (really?)
    • They will only continue with my SAR if I confirm my identity by jumping through hoops including sending them a photo of my passport or driving licence (like I'm going to do that!)
    • I can opt out if I contact them (the opposite of what GDPR purports to require)

    So they are continuing to buy people’s data and send them unsolicited marketing irrespective of GDPR's intent. Business as usual.
    The Legitimate Interests thing is garbage. Report them to the ICO, then repeat the process with the third party that provided the data.

  12. The Following 3 Users Say Thank You to bluesam3 For This Useful Post:

    hippysurfer (19-06-2018),Neil Williams (19-06-2018),shiftypete (19-06-2018)

  13. #174
    Senior Member
    Join Date
    Sep 2009
    Posts
    9,741
    Thanks
    2,533
    Thanked 1,864 Times in 1,181 Posts
    Quote Originally Posted by bluesam3 View Post
    The Legitimate Interests thing is garbage. Report them to the ICO, then repeat the process with the third party that provided the data.
    Quite. Somebody has no concept of the legitimate interests test, or wishes to deliberately disregard it.

    And I bet someone somewhere is fishing for a test case

  14. #175
    ADC Cubs abram_akela's Avatar
    Join Date
    Oct 2009
    Location
    Wigan
    Posts
    96
    Thanks
    0
    Thanked 4 Times in 3 Posts
    So if a scout leader is going off camp site with one group of scouts and another group are on camp. Is it a breach of GDPR if a list of emergency contacts is left in mess tent in case of issues with those still on camp
    Abram Akela
    GNAS Archery Instructor
    GSL
    ADC Cubs

  15. #176
    AESL & AGSL shiftypete's Avatar
    Join Date
    Jul 2004
    Location
    Leeds
    Posts
    12,101
    Thanks
    3,174
    Thanked 1,065 Times in 703 Posts
    Quote Originally Posted by abram_akela View Post
    So if a scout leader is going off camp site with one group of scouts and another group are on camp. Is it a breach of GDPR if a list of emergency contacts is left in mess tent in case of issues with those still on camp
    Not so long as reasonable measures were made to ensure the contact list was kept secure (in a folder at least)

    Peter Andrews AESL of Headingley Pirates ESU, Assistant Group Scout Leader & Webmaster of Falkoner Scout Group
    www.falkonerscouts.org.uk

    Wike, North Leeds District Campsite - www.wikecampsite.org.uk
    www.leeds-solar.co.uk
    Please note all views expressed are my own and not those of any organisation I'm associated with

  16. The Following 2 Users Say Thank You to shiftypete For This Useful Post:

    big chris (11-07-2018),Neil Williams (11-07-2018)

  17. #177
    Senior Member
    Join Date
    Aug 2009
    Posts
    2,882
    Thanks
    11
    Thanked 160 Times in 114 Posts
    Quote Originally Posted by shiftypete View Post
    Not so long as reasonable measures were made to ensure the contact list was kept secure (in a folder at least)
    Whilst I would agree, it has been suggested here that it would be safer on the cloud and accessed by tablet or phone.

    The suggester has probably never tried to access the info online from a Scout Camp Site :-)

  18. #178
    Senior Member big chris's Avatar
    Join Date
    Jan 2005
    Posts
    11,928
    Thanks
    1,646
    Thanked 3,096 Times in 1,307 Posts
    if you want to be super careful... and i would not do this

    tell the parents that the data will be stored in paper form during the camp and deleted after the event. It will be accessible to adults on the camp for the purposes of looking after their children.

  19. #179
    AESL & AGSL shiftypete's Avatar
    Join Date
    Jul 2004
    Location
    Leeds
    Posts
    12,101
    Thanks
    3,174
    Thanked 1,065 Times in 703 Posts
    Quote Originally Posted by big chris View Post
    if you want to be super careful... and i would not do this

    tell the parents that the data will be stored in paper form during the camp and deleted after the event. It will be accessible to adults on the camp for the purposes of looking after their children.
    That is precisely what we have done. We also have paper copies of parent/guardian contact details at weekly meetings (they are kept in locked cupboards during the week and updated whenever a new member joins or someone changes their details on OSM) as there is no internet or phone line at our meeting place and don't want to be entirely reliant on Leaders phones having data/charge having OSM anywhere bookmarked etc.

    Peter Andrews AESL of Headingley Pirates ESU, Assistant Group Scout Leader & Webmaster of Falkoner Scout Group
    www.falkonerscouts.org.uk

    Wike, North Leeds District Campsite - www.wikecampsite.org.uk
    www.leeds-solar.co.uk
    Please note all views expressed are my own and not those of any organisation I'm associated with

  20. The Following 2 Users Say Thank You to shiftypete For This Useful Post:

    big chris (11-07-2018),Neil Williams (11-07-2018)

Page 12 of 12 FirstFirst ... 289101112

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •