
Policy for members lacking essential information or consents
Closed, Resolved · Public

Description

With GDPR we now need to ensure we have explicit consent for handling the personal data. But what do we do with members where this is lacking?

Since removal from the membership system equates to being removed as a member of the organisation, a policy document is needed for this. Specifically, it needs to deal with:

  • Lack of general consent
  • Lack of parental consent (for members <13 years old)
  • Members who have not filled in a birth date (or filled in a date which we could not reasonably assume to be true). [i.e. it could be argued we have not done our due diligence to ensure they are not <13]
  • What to do with received membership payments where the member had to be removed from our system for one of the above reasons

When a policy has been set a reminder e-mail should be scheduled explaining this to everyone who has yet to give consent (possibly limited to those who have paid for 2018).


Conclusion based on various decisions.

No new policy needed (this is covered by our Privacy policy)

  • No general consent is needed. Membership data is handled with intresseavvägning as the legal basis
  • Minors (<13) who are known to the organisation (by entering their age, by telling us they are underage or by employees knowing them) are required to have a consent form signed by their guardian.
  • Members (and ex-members) who have not entered their age are required to self-report if they are minors. Information about this is sent up during sign-up.

Anyone requesting to have their data removed, or minors lacking parental consent, lose their membership.

Event Timeline

Lokal_Profil updated the task description. Mar 15 2018, 8:01 AM

@Jopparn This one might have to be bumped up to the board for a general outline

I am investigating if we can keep a register of members offline (i.e. on paper) for the ones that haven't agreed on us storing their data in accordance with the GDPR demands. I am hopeful that this will be only very few people after a few reminders.

Re offline storage:

Regarding physical storage, that is also a processing of personal data. Of course we can offer it to those who do not want to be in a computerised register. However, we should state in the register list on the wiki that we have such a register, and it must be kept locked away.

To summarise, it is something we can offer but we cannot do it as a fallback for users who have not given any consent.

Lokal_Profil triaged this task as High priority. Apr 16 2018, 8:31 AM
Lokal_Profil updated the task description. May 7 2018, 12:12 PM
Lokal_Profil added a subscriber: Historiker.

This one (or at least a skeleton) would be good to have in place so that we can refer to the consequences when sending out T194017: Send out call for giving consent in Zynatic this week

Jopparn moved this task from Backlog to This week on the User-LokalProfil board. May 14 2018, 8:50 AM
Lokal_Profil updated the task description. May 21 2018, 2:11 PM
Lokal_Profil added a subscriber: SaraMortsell.
  • Lack of general consent

The conclusion is that this is not needed for anyone who became a member before the introduction of GDPR. Instead we will rely on "intresseavvägning".
It is as of yet undecided if this also affects future members (who will be required to consent if they sign up online) or historical members who have not paid their 2018 fee.

  • Lack of parental consent (for members <13 years old)

There is a need for explicit parental consent. As a result these members would be removed.

  • Members who have not filled in a birth date (or filled in a date which we could not reasonably assume to be true). [i.e. it could be argued we have not done our due diligence to ensure they are not <13]

The suggestion is that our basic assumption is that our members are of age. When signing up (and in a one-off e-mail) they will be asked to contact us if they are under 13.

  • What to do with received membership payments where the member had to be removed from our system for one of the above reasons

Undecided but per the above this would only affect underaged members.

When a policy has been set a reminder e-mail should be scheduled explaining this to everyone who has yet to give consent (possibly limited to those who have paid for 2018).

An e-mail is being prepared for everyone registered in our system informing them about the changes to our privacy policy, the reasoning behind it and information on how they can check the information that is registered about them. T194017: Send out call for giving consent in Zynatic

A second e-mail will be prepared to the few members registered as being under 13. It asks if the data we have about their age is correct, if so we need parental consent (form attached). If not then they need to log in and update their data. Failure to take action means loss of membership. T194033: Get parental consent for underaged members

Jopparn closed this task as Resolved. May 25 2018, 4:28 PM
Jopparn claimed this task.

See summary in task description.

Jopparn moved this task from This week to Done on the User-LokalProfil board. Aug 2 2018, 9:24 AM
Jopparn moved this task from Backlog to Done on the User-Evelina-Bang-WMSE board. May 6 2019, 12:34 PM
Jopparn moved this task from Backlog to Done on the User-Jopparn board. May 13 2019, 1:27 PM