Hello
I run an email mailing list and am struggling to understand the DPA
implications of this. I will attempt to describe what happens and how in
the hope that you can give me some indication as to whether I need to
notify and if so, what.
The list is a discussion list primarily for UK based tree care professionals,
but includes a number of people in the US, Canada and New Zealand.
Theoretically, it could include people anywhere.
The list is strictly opt-in. Users must indicate that they wish to join,
and must then reply to a confirmation email in order to finalise their
membership. This confirmation email includes the Terms of Use and a
brief statement regarding privacy of email addresses.
Users must provide an email address, rather obviously. They may also
optionally provide a real name, industry sector, country and employer's
name. These data, together with data relating to their subscription
options and volume of mail they have sent through the list are stored on
a computer.
The email address is used to run the list. The other information is used
for statistical analysis only.
The results of statistical analysis are available to the world on the
web, but I do not believe this to be personal data as it says merely
"there are 218 subscribers in the UK", without saying who they are. Your
clarification on this would be appreciated.
All the data held on a particular data subject are available to and may
be edited by that data subject via the web. This is the case no matter
where they are. Hence, data are exported outside the EEA, but only to
the subject of that data.
In order to finance it, the list carries some advertising. Advertisers
are not told to whom their advertising has been sent - ie they are not
given a copy of the data, merely allowed to make use of its existence.
Would this lead me into the realms of Advertising, marketing and PR for
others?
So that's the basics of the list. Do I need to notify this? If so, do I
need to notify transfers outside the EEA given that the only data
transferred outside the EEA are to the data subject?
Second problem:
Following some recent disagreement between the list and a holiday auto-
responder whilst I myself was on holiday I am considering giving
administrative rights to a couple of other people so that such problems
can be sorted out in a timely manner. This would mean them having access
to much of the data held, and being able to edit it. The people involved
are all in the UK or Republic of Ireland.
I assume that if I do this I will need to list "Employees and agents of
the Data Controller" as recipients. These people are not employees - I'm
not paying them - but I guess they are agents. If I were to do this,
would they themselves have to notify, or does my notification suffice? I
assume I would need to make it clear to them that the data are to be
treated as confidential and not revealed to anyone, and would be doing
so anyway.
Third problem:
All messages sent to the list are archived on the web with public access
<http://lists.oak-wood.co.uk/uktc/archive>. This archive can be sorted
by author and can be searched on keywords. And it is most definitely
transferred outside the EEA. List members are made aware when joining
that this is the case. Does such an archive constitute processing
personal data? I do mung authors addresses in the headers, but nothing else.
Anything in the body of a message is available to the world as it was written.
Many thanks for your help
--
Chris Hastie
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|