This is one for UK and other EU based list managers, so apologies to all
those elsewhere to whom it has no relevance.
Has anyone managed to get a good grasp of the implications on mailing
lists of the Data Protection Act 1998 in the UK, or equivalent
legislation elsewhere in the EU made as a result of the same EU
Directive?
There are a number of areas where I have concerns. Clearly, subscription
information is 'personal data'. Also clearly, it is processed. Which
pretty much is all that is needed to bring the operation under the DPA.
Normal good practice should go a long way towards satisfying basic
requirements. The requirement to obtain the subject's consent to the
processing of data, for example, is met by an opt-in list requiring
mail-back confirmation, certainly so if the mail requesting confirmation
is explicit about this.
One of the lists I run occasionally includes short advertising messages
in order to help finance it. Users are made aware of this possibility
when they subscribe. It seems to me that this fact adds the purpose
"Advertising, marketing and PR for others" to the list's operation and
therefore brings with it the need to notify the Information
Commissioner.
Another issue is that of other admins. Following an unpleasant
altercation between the list and a subscriber's holiday auto-responder,
whilst I was away camping and unable to get to a machine to sort it out,
I want to give admin rights to a couple of trusted subscribers so that
there are other people on hand to sort out such things in future. I
don't employ these people, I don't pay them anything, but they will be
acting under my instructions, so effectively, I hope, as my agents. Are
separate notifications required from them, or will my notification
suffice?
Now the one I'm really having difficulty getting my head around. The
list's publicly accessible web-based archive.
So a list member has to confirm their subscription, effectively
consenting to the processing of their personal data. They are told that
any post they make will be placed in the archive, so can be deemed to
have consented to this if they choose to post. It is also made clear to
them that a web archive can be accessed from anywhere. So I'm arguing in
posting they have consented to the transfer of any personal data in that
message outside of the European Economic Area (the DPA requires consent
for such transfers). Am I on reasonable ground here?
But it gets worse. What if Joe includes in his post something like "Mr
So-and-so is an expert in this field. You may like to try dropping him a
line at soandso@someisp.net".
This, it seems to me, is personal data relating to Mr So-and-so. Any
good search engine will retrieve it on a search for So-and-so. It is
processed into the archive, and it is transferred outside the EEA in
both the archive and in transmission to non-EEA subscribers. But Mr
So-and-so may never have consented to this. Has the law been broken? If
so, who broke it, me as the list-manager or Joe as the person who sent
the message?
Anyone got any ideas???
--
Chris Hastie