And now (or in 2018) of course we have Article 2.1(d) of the Regulation which will remove those kinks.



Renzo 



Renzo Marchini

Special Counsel

Dechert LLP

+44 20 7184 7563 Direct



-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Chris Pounder

Sent: 08 January 2016 15:01

To: [log in to unmask]

Subject: Re: [data-protection] Data Controller of forums



If you look at Lindqvist and Reynes, the two ECJ rulings on domestic purpose, the Court decided that it was very narrowly drawn and based on the processing being "purely personal". (see background in https://urldefense.proofpoint.com/v2/url?u=http-3A__amberhawk.typepad.com_amberhawk_2015_07_council-2Dof-2Dministers-2Dregulation-2Dtext-2Dnegates-2Decj-2Drulings-2Din-2Dlindqvist-2Dand-2Dryne-25C5-25A1.html&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=e9Z0ozyIuV3AQT-RYXnX2q0RkETNINnwjd7w66WrdCs&e= ).  The GDPR maintains this "purely personal" construction but the relevant Recital say that limited social media activity can fall within the "purely personal".



The ICO has always got S.36 wrong (because the exemption does not reflect Directive 95/46/EC) and he shows no sign of correcting this (see https://urldefense.proofpoint.com/v2/url?u=http-3A__amberhawk.typepad.com_amberhawk_2012_01_judgement-2Dreinforces-2Dthe-2Dlink-2Dbetween-2Dlawful-2Dprocessing-2Dthe-2Dfirst-2Ddata-2Dprotection-2Dprinciple-2Dand-2Dhuman-2Drightsother-2Dlaw.html&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=znA960Y1VQWzpxTCE3IVxnvTicJiwpgT1-RgMICb2nM&e=  or the judgement https://urldefense.proofpoint.com/v2/url?u=http-3A__amberhawk.typepad.com_files_jan2012-5Fsolfromhel.pdf&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=KsIu_xx72i5qAX35nq8ZsTHvGJGamOsCDclwNTJ0uOg&e= ) until he is forced to by the GDPR.



The width of the S.36 exemption was one of the matters the EU complained about in their "intended" infraction proceedings (still "ongoing" according to the EU).



In short, don't stretch S.36 too far - "purely personal" means 100% personal.



C



-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz

Sent: 08 January 2016 12:19

To: [log in to unmask]

Subject: Re: [data-protection] Data Controller of forums



Adam,

An interesting situation, which will depend on the status of the group and the person creating it.



If the person is doing this outside of work. That is it is not in work time and it is not influenced by work, then yes it would be s.36.



The difficulty, though, is that if someone is discussing people they only know from work, then there is the issue of whether they have processed that personal data appropriately.



I might know someone through my professional work (applicant A), if I go on a different, private, forum and discuss Applicant A, I would argue that is a potential breach of the DPA. Would I be authorised to have discussions about Applicant A outside of work? If I am disclosing information without authorisation, then I have, potentially, committed a breach of the DPA.



If Applicant A is in the public domain, to the extent that the information is in the public domain it should not be a problem. For example, there are well known litigants who are discussed privately without creating a potential breach of the Act so long as the information is public and not simply from what I know at work.



A further concern, if the employee is discussing someone they only know through that person's relationship with their employer, is a breach of confidentiality. If the officer discusses someone's business with the organisation then they could be considered to have breached their duty of confidence to the organisation and the data subject.



Creating a private network does not exempt a person from the DPA, a duty of confidence, or the potential for defamation.  As an employee, their comments could make their organisation vicariously liable. *** For more detailed information on forums or hosting see this helpful guidance from JISC. https://urldefense.proofpoint.com/v2/url?u=https-3A__www.jisc.ac.uk_guides_hosting-2Dliability&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=yBk-7vYyhCq3Pjibjgf9dLTyBAfYdEpUG-xcpzCVSUI&e= 



I would caution strongly against creating such a forum. If it is to discuss official business then it needs to be done officially. If it is to be done privately, then it needs to avoid anything that would process personal data of data subjects only known through employment, bring the organisation into disrepute, or breach a duty of confidence.



I would also suggest that the organisation wants to have a clear social media policy as well as a policy covering the duty of confidentiality so that these situations are covered. However, for detailed guidance, you would want to consult an employment law solicitor.



Just some thoughts and others may have views that correct them.



Best,



Lawrence

*** https://urldefense.proofpoint.com/v2/url?u=http-3A__www.blakemorgan.co.uk_training-2Dknowledge_articles_employees-2Dbad-2Dmouthing-2Dorganisation-2Dfacebook_&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=CYxgA5tzNpbkttIzKZVYLILaJex57Tb-EcVOcPmLqG8&e=

https://urldefense.proofpoint.com/v2/url?u=https-3A__en.wikipedia.org_wiki_Vicarious-5Fliability-5Fin-5FEnglish-5Flaw&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=wC9Aa1mI71o--nlmZSQGdSVB501wNEF3Wh1xjV45KDg&e= 



-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Adam Rezazadeh

Sent: 08 January 2016 09:52

To: [log in to unmask]

Subject: Data Controller of forums



Good Morning all,



As someone new to this list, I thought I would introduce myself by way of a Friday morning brainteaser.



Scenario:



A member of staff is considering creating a professional forum/network with other professionals which plans to hold annual meetings and use an online forum to enable fellow professionals from other local authorities to discuss ideas, issues and topics related to their areas of expertise/business. It is planned to be a closed group and people will only be invited to join it and join the online web discussion site by invite as well.



He plans to create this network as a professional and not as a representative of his current role in the local authority.



Questions:



1. Hyperthetically, if a member of the public discovers their name is raised/discussed in a conversation on the forum, but they can not see the content as its a closed group are they able to submit a SAR for a copy of the discussion?



2. Who would be the data controller to provide this information? - The Local Authority the staff member is employed at? the forum group? or the website hosting the discussions?



3. Would this be considered exempt as domestic purposes (s36) as its like minded people sharing professional ideas and problems?



Obviously, there are other things that would need to be considered regarding setting up relevant policies, potentially registering with the ICO etc.



I would be grateful for any ideas, advice or comments.



Many thanks and have a good weekend!



Adam Rezazadeh

Information Governance Officer

Brighton & Hove City Council



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=PYK89LePt3GZVLHr4vV77FFvqaTl3NfrYmTwa0K44hM&e= 

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_help_commandref.htm&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=KXTIKcHChs_Hv-Q9fSlYYuhF0F5vvUfcCne-KsyNVIQ&e=

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



________________________________





Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=PYK89LePt3GZVLHr4vV77FFvqaTl3NfrYmTwa0K44hM&e= 

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_help_commandref.htm&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=KXTIKcHChs_Hv-Q9fSlYYuhF0F5vvUfcCne-KsyNVIQ&e=

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=PYK89LePt3GZVLHr4vV77FFvqaTl3NfrYmTwa0K44hM&e= 

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_help_commandref.htm&d=CwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=-V_IcGhI91-otOiyxI04ABoKEfFepinM8UJ35UwR3V4&s=KXTIKcHChs_Hv-Q9fSlYYuhF0F5vvUfcCne-KsyNVIQ&e=

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


**********************************************************************
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is authorised and regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask]

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^