Privacy and Data Protection : Preamble

New provisions relating to the Data Protection Act (DPA) which implement the General Data Protection Regulations (GDPR) come into force on 18 May 2018. The privacy and DPA policy relating to this website has been revised. Most associations or groups need to follow the requirements, and for some groups this may warrant formal registration. The reader may browse these references:

http://www.legislation.gov.uk/ukpga/1998/29/contents This is the text of the DPA 1998.
https://www.gov.uk/data-protection This is a high level review of the provisions intended as guidance.
https://ico.org.uk/for-organisations/guide-to-data-protection/ This is a very useful guidance document.
<https://ico.org.uk/for-organisations/register/self-assessment/> is a questionnaire aimed at ascertaining the need for registration for an organisation, association or data controller. It may indicate that, for most village social groups and associations, there is no need for formal registration. Formal registration may be voluntary. It does not provide exemption from the provisions of the DPA and GDPR.

The policy with respect to the Lockerley website set out below is thought to be practical and achievable. Where there are errors, contact should be made with the administrator of the site at admin @ lockerley.org.uk. Corrections will be applied as soon as is reasonable. The website admin does not accept responsibility for the accuracy of, or any opinion reflected in, content provided for use on the site by the individuals who contributed it.

The DPA covers the capture – by a data controller – and use – by a processor – of information which can be identified with an individual, irrespective of the scale of the organisation. The principles require an organisation, association, club, group &c to identify the types of lawful use to which the information may be put, to obtain explicit consent, to provide for removal, to implement correction and to react in the case of leakage. An explicit exemption is made for personal address books, however the information is recorded. See this URL <https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/> which deals with domestic purposes. See also https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/ . This exemption is quite specific and, for example, does not extend to village associations, clubs or groups. See also the guidance at https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf paragraphs 15 through 19 and example 2.

Lockerley website backend database

The website backend database – the location on a hosting server where the website scripts and content are held – does not store any personal information other than that which is provided by individuals, either personally or on behalf of groups and associations with which they are engaged, for use in the content of the website. In general, except where expressly permitted by the individual, openly accessible email addresses are not intentionally provided in the main body of the website content. There are some very obvious and unavoidable exceptions.
The website version of the current newsletter is a redaction of the print version so that, where possible, it does not use the email address of any individual; the relevant telephone number may be substituted. This helps to inhibit spam and junk email being sent to individuals. However the archive, <http://www.lockerley.org.uk/news/newsletter-archive>, which is a PDF of the original printed and distributed version, will contain email addresses and telephone numbers. Persons who wish to be contacted by email as the leader of any of the organisations, associations or groups are usually listed by name or, more usually, by the rôle they undertake, and contact is made through a Contact Me feature. The actual target email address of the individual is not displayed and is hidden within the website scripts.

Cookies

The website www.lockerley.org.uk does not insert tracking cookies on to users’ browsers or their machines, as the website has no use for such action. Users should note that machines include PCs, smartphones, tablets, Raspberry Pi or other web access devices such as heating controllers, security cameras, voice activated devices such as Siri and Alexa, speaking dolls and similar toys, and IoT devices. Other websites and web services accessed using these devices may use cookies and usage tracking software and, as a consequence, may be tracking the user’s access to the Lockerley site. The user is responsible for establishing their desired privacy and security settings on any device or app which accesses the internet.

In adherence to legislation the website does include a warning that cookies could be used and that the user of a browser accepts that this is the case either by continuing browsing or by clicking on the OK button. The website does not use Google Ads, AdWords or other commercially driven tracking scripts. However, accessing the Lockerley site through the use of commercial browsers, toys, household appliances or commercial search engines such as Google, Bing, Yahoo etc. may result in cookies and monitoring scripts being placed on the browsing device, and this may breach your privacy.

The website does not use social media including WhatsApp, FaceBook, SnapChat, Twitter and so on. The administration of the website has expressly determined not to use links to such commercial services on its pages. At the present time the Lockerley website does not use RSS and does not implement any tracking scripts.

Village centred associations and social groups and email

There are a number of social associations or groups within the surrounding villages which may be referenced on the Lockerley website. Many use email for communication. The GDPR and DPA have clear implications for the organisers of such groups, especially if this is done using social networks (Google+, Facebook, Snapchat, WhatsApp &c). The responsibility for the maintenance of privacy rests with their organisers and with those who use such lists. Technically, any individual who is contacted in such a way by such a group may need to consent positively – not by default – even to the use of their email address. In many cases the association organiser (also known as the data controller) may have other information relating to an individual, and this emphasises the need to manage the data in accord with the DPA and GDPR. The organiser may also need to acquire positive assent that an individual’s name may be used for purposes other than that for which the association or group is established. Lending or selling an email list may require the consent of each individual to be included in, or to be withdrawn from, such use.

Oilbuying Group at Lockerley.org.uk

Amongst a range of principal requirements, the DPA and GDPR require that consent to be contacted must be positive (it cannot be assumed by default). Consent to the holding and processing of the information – and this may include the use of email, for example – must be separate from the consent given by a participant to agree to the terms and conditions of taking part in a service such as the oilbuying group.

The information is used solely for the Oilbuying processes and it is not lent, given or sold to any other group for any other purpose or promotion. The information, and its backup, is expressly not stored “in the cloud” (because the country in which the cloud may be established cannot be determined and thus the data exporting rules could be broken); it is held offline within a password protected machine that does not use Microsoft or Apple systems.

Participants consent to the lawful processing of this information, by which purchase requirements and key address information are sent as a PDF file to the chosen heating oil supplier. This transmitted information does not include any individual email address. The supplier accepts the duty of care to respect the privacy of this information and not to use it for any purpose other than the determination of delivery and payment for heating oil. Participants also agree that the details of fellow participants, such as email addresses – should they be accidentally released or stolen – shall not be used for any purpose other than oilbuying processes.

From the oilbuying perspective this constitutes a consent based lawful process, and the scope and use of this information is set out in the document on the Lockerley website <http://www.lockerley.org.uk/social-groups/oilbuying/oilbuying-info> which describes the overall process. The chosen oil supply company is required to respect this provision and to adopt it within their own DPA and GDPR process. A historical record is retained of each round of oil deliveries initiated by the oilbuying group. This record is not released to any supply company or individual.

Emails to participants in the oilbuying group use BCC and an email process and hosting server which is privately managed. Oilbuying does not use a public service such as Hotmail, Outlook, Gmail, BTinternet &c, as the terms of service of these “free” services cannot guarantee the privacy of any information such as email addresses or email content.

To date there has not been an error in communications but, as sure as life, it may happen. The organiser takes reasonable steps to assist in recovery and accepts no further liability. That said, the information relating to individuals that is held is less than would be the case if the individual were to negotiate directly with any of the oil suppliers.

Groups – for information and consideration of groups referenced on the Lockerley website

Many groups will receive email from their association through inclusion in the TO:, CC: or BCC: address fields of the email. Those included in such lists need to have given their explicit consent to the association for this information to be used in whatever manner the association determines.

An organisation must achieve the positive – not passive – consent of each individual to the use of their data – commonly this might simply be their email address – and ensure that all participants of that association accept the mode in which the data – again, principally email – is used. It should also set out the security process and any remedial action. The Lockerley website is not responsible for the performance of associations who are referenced on the site. There may be members of a group who do not wish to share information overtly with others, the most basic possibly private information being their email address. This may mean that blanket use of CC: or TO: may not be acceptable for the organisation, or its participants, to use. Individuals may not relish their email address being publicly available, especially given the greater risk of leakage from some of the public email systems and the increased risk of identity theft. It would clearly appear not to be acceptable for individuals of that group who are in possession of such an email list to break this guide. This does not prevent the circulation of membership lists as processed documents to members, but it would seem that, logically, such a list carries the same obligations for security and the protection of privacy as those imposed on the organisation.

The association must make a record of such consent and its date. The association organiser may need to confirm that participants consent that their email address, and any other information that may be included in the email content, may be published in this way. In addition, an individual has the right to know what information an association may hold, and they also have the right to be removed from such lists.

This may raise an issue where the use of multiple sending is managed by associations who use publicly accessible remote hosted email services such as Yahoo, Hotmail, Gmail and similar free services; note that BTinternet email services are outsourced to Yahoo. The potential problem arises because the association is not able to control the security of the email service provider and is dependent on that third party for such security.

Few people read the terms and conditions relating to the use of data and the content of emails that so called free email services offer. These terms commonly assign to the provider the right to use the addresses and content of any email for its own marketing and analytical purposes. Similar uses may be made of “free” cloud storage.

Further, it may not be possible to ensure that the email service is operated from within the UK and that the group of BCC, TO or CC addresses is held within the UK. For example … it may be “held in the cloud”. <https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/> may be a useful reference.