*Privacy and GDPR

Questions regarding use of any Version of Family Historian. Please ensure you have set your Version of Family Historian in your Profile
Gowermick
Megastar
Posts: 704
Joined: 13 Oct 2015 07:22
Family Historian: V6.2
Location: Swansea

Privacy and GDPR

Postby Gowermick » 10 Apr 2019 11:09

A recent post talked about seeing living people in an on-line tree, and got me thinking (dangerous I know :D )
Where does one draw the line?

An awful lot of personal data on living people is in official websites like gro.gov, (in the Public Domain), so if you obtained all your data via one of these sites, are you still in breach of GDPR if you publish the results of your research?
Mike Loney

Using FH 6.2.7, with CC 6.7.37 Windows 10.0.14393 Build14393, LibreOffice 6.1.4.1(x64), Firefox 67.0.1(64Bit) & Thunderbird 60.7.0
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com

User avatar
ColeValleyGirl
Megastar
Posts: 1079
Joined: 28 Dec 2005 22:02
Family Historian: V6.2
Location: Cirencester, Gloucestershire
Contact:

Re: Privacy and GDPR

Postby ColeValleyGirl » 10 Apr 2019 11:27

IANAL but... if you're only publishing data that is openly available (and not adding any personal knowledge etc.) you're probably Ok.

However, I err on the side of caution (and prefer to not annoy my relatives -- for example one of my sisters died last year, but her daughter has asked that I don't publish any data "yet"). I don't publish details of anyone in the generations below my parents; and for those in previous generations that I do not know for sure to be dead, I only identify them by initials (and their relationships to dead people).

User avatar
tatewise
Megastar
Posts: 15908
Joined: 25 May 2010 11:00
Family Historian: V6.2
Location: Torbay, Devon, UK
Contact:

Re: Privacy and GDPR

Postby tatewise » 10 Apr 2019 11:46

The GDPR states it:
  • Does not apply to individuals purely for personal/household activities.
  • Does not apply to the data of deceased persons.
It may be argued that the personal hobby of genealogy is not governed by GDPR, and anyway only applies to living persons.

However, any source documents obtained may be covered by copyright so cannot be published online.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry

User avatar
ColeValleyGirl
Megastar
Posts: 1079
Joined: 28 Dec 2005 22:02
Family Historian: V6.2
Location: Cirencester, Gloucestershire
Contact:

Re: Privacy and GDPR

Postby ColeValleyGirl » 10 Apr 2019 11:56

Mike, not sure that Family History qualifies as personal/household activities if you publish the data online... because at that point it ceases to be personal.

https://web.archive.org/web/20181207202 ... xemptions/ says:

Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the GDPR.

Gowermick
Megastar
Posts: 704
Joined: 13 Oct 2015 07:22
Family Historian: V6.2
Location: Swansea

Re: Privacy and GDPR

Postby Gowermick » 10 Apr 2019 12:15

tatewise wrote:and anyway only applies to living persons.


That’s what I was talking about. When you pull birth data off the GRO website, it may be relating to a person who is still alive! Most sites have data referring to living people, which they might not be aware of. It is only in datasets like 1939 register that they take pains to redact. :D
Mike Loney

Using FH 6.2.7, with CC 6.7.37 Windows 10.0.14393 Build14393, LibreOffice 6.1.4.1(x64), Firefox 67.0.1(64Bit) & Thunderbird 60.7.0
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com

User avatar
Valkrider
Megastar
Posts: 1001
Joined: 04 Jun 2012 19:03
Family Historian: V6.2
Location: Spain
Contact:

Re: Privacy and GDPR

Postby Valkrider » 10 Apr 2019 12:18

I agree with Helen that the moment you publish it online you are within the scope of GDPR. I did an online course on GDPR prior to it going live and asked this question as part of the interaction with the tutor and he was of the opinion that it would be within the scope but would probably need testing to confirm his belief. To that end I have erred on the side of caution due to the level of fine that can be levied.

User avatar
tatewise
Megastar
Posts: 15908
Joined: 25 May 2010 11:00
Family Historian: V6.2
Location: Torbay, Devon, UK
Contact:

Re: Privacy and GDPR

Postby tatewise » 10 Apr 2019 12:52

See FindMyPast What does GDPR mean for my family history research? that says:
What does GDPR mean for my family history research? Will you be removing records from the site?
Answer:
The GDPR does not cover records related to deceased individuals, therefore, most of our historic records are not affected by the new regulation.
The records we do hold about living individuals have come to our site through partnerships with public institutions and have been legally allowed to open to the public.
So if FindMyPast can publish those records, then if individuals only reproduce identical data taken from those records, it surely falls outside the scope of GDPR.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry

User avatar
ColeValleyGirl
Megastar
Posts: 1079
Joined: 28 Dec 2005 22:02
Family Historian: V6.2
Location: Cirencester, Gloucestershire
Contact:

Re: Privacy and GDPR

Postby ColeValleyGirl » 10 Apr 2019 13:09

Depends what 'processing' you've done, Mike, and how identifiable the individual named is.

If you link a publicly available record to an identifiable living individual (probably -- given the nature of family history -- in conjunction with other data about that individual, in particular their relationships) and then publish it on the web, you're almost certainly within the scope of the act. (You've processed the data to link it to other data and then published it, so it isn't personal/household activities).

If you publish a single (publicly available) record without explicitly linking it to an identifiable individual, not so much. So the GRO website is in the clear.

But if somebody publishes my birth registration online and links it to details of my parents and my siblings and then publishes it without my consent? Not legal. (No problem if they just hold in on their personal PC).

It isn't a single record that matters, it's the 'processing' that links it to other records and to an identifiable individual and then 'publishing' (so it's no longer personal).

User avatar
AdrianBruce
Megastar
Posts: 790
Joined: 09 Aug 2003 21:02
Family Historian: V6.2
Location: South Cheshire
Contact:

Re: Privacy and GDPR

Postby AdrianBruce » 10 Apr 2019 20:29

ColeValleyGirl wrote:... If you publish a single (publicly available) record without explicitly linking it to an identifiable individual, not so much. So the GRO website is in the clear. ...

Also the GRO is intended to compile this data, index it and publish those indexes. But certainly, I would agree that compiling "authorised" snippets and linking them together is a different matter as it's creating information(?).
Adrian

User avatar
David2416
Famous
Posts: 131
Joined: 12 Nov 2017 16:37
Family Historian: V6.2

Re: Privacy and GDPR

Postby David2416 » 11 Apr 2019 06:43

If we collect data from various sources about living individual, and then publish these data together then I would argue we are subject to GDPR. Particularly if that person is identifiable from the information we have published.
Last edited by David2416 on 12 Apr 2019 07:17, edited 1 time in total.

DonF
Diamond
Posts: 78
Joined: 07 Dec 2014 00:31
Family Historian: V6.2
Contact:

Re: Privacy and GDPR

Postby DonF » 12 Apr 2019 01:45

I would agree.
If we presume your reference site IS complying with the GDPR, then the person whose details they published will have given their approval for that publication. They have not given you approval to publish the same information, which makes you in breach of GDPR unless you get that person's explicit agreement.

AnneEast
Superstar
Posts: 271
Joined: 20 Jul 2005 23:39
Family Historian: V6
Location: Cumbria

Re: Privacy and GDPR

Postby AnneEast » 12 Apr 2019 21:24

Hmmm! I don't recall giving the GRO permission to publish my birth and marriage on their indexes? I don't suppose any of us have. Not that I'm bothered but it raises interesting questions.
Anne

User avatar
ColeValleyGirl
Megastar
Posts: 1079
Joined: 28 Dec 2005 22:02
Family Historian: V6.2
Location: Cirencester, Gloucestershire
Contact:

Re: Privacy and GDPR

Postby ColeValleyGirl » 13 Apr 2019 07:12

Anne, by law that information is public -- there's no question of permission.

User avatar
mjashby
Superstar
Posts: 404
Joined: 23 Oct 2004 10:45
Family Historian: V6.2
Location: Yorkshire

Re: Privacy and GDPR

Postby mjashby » 13 Apr 2019 09:32

There is also the fact that the GRO Indexes don't directly identify specific individuals. They just state that the Birth, Death or Marriage of a person named 'X' was registered within a particular period in time in a specific Registration District. It's applying (processing) that data alongside some other knowledge that leads to the conclusion that the Index Entry relates to a specific person. That conclusion may, of course, be accurate or entirely inaccurate; and will also be based partly on the assumption that the Index Entry itself was entered accurately!

Mervyn

User avatar
gusgorilla
Newbie
Posts: 1
Joined: 14 Apr 2019 16:58
Family Historian: V6
Contact:

Re: Privacy and GDPR

Postby gusgorilla » 14 Apr 2019 17:43

I work for a probate genealogy company and in several areas we rely on the "legitimate business interests" part of the regulations. There is a particular requirement to be extra careful with children's data. It's rather long-winded but here is the relevant page on the Information Commissioner's Office website.

Gary

User avatar
jimlad68
Megastar
Posts: 616
Joined: 18 May 2014 21:01
Family Historian: V6.2
Location: Sheffield, Yorkshire, UK (but from Lancashire)
Contact:

Re: Privacy and GDPR

Postby jimlad68 » 21 May 2019 01:25

sorry to be late to this topic,

So, if I share "living" digital information via an email or say onedrive to selected person(s) via a non public link with/without a password. Is that OK.

I can imagine that if another person then made it public, they might be in trouble.
Jim Orrell - researching: see - but way out of date http://wc.rootsweb.com/cgi-bin/igm.cgi?db=james-orrell3

User avatar
tatewise
Megastar
Posts: 15908
Joined: 25 May 2010 11:00
Family Historian: V6.2
Location: Torbay, Devon, UK
Contact:

Re: Privacy and GDPR

Postby tatewise » 21 May 2019 09:51

I think it hinges on whether both your use and the other person's use falls with the GDPR definition of a purely personal or household activity.

It also depends on exactly what living person information is involved, and whether they are children for which GDPR is much more rigorous.

It would be safer if you obtained permission for that use of the information.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry

User avatar
jimlad68
Megastar
Posts: 616
Joined: 18 May 2014 21:01
Family Historian: V6.2
Location: Sheffield, Yorkshire, UK (but from Lancashire)
Contact:

Re: Privacy and GDPR

Postby jimlad68 » 21 May 2019 13:02

Thanks Mike and everyone else on this topic. Can of worms, and as ever lots of work for those in the legal etc professions (can't blame them for doing their job). Reminds me of one of those Orwellian states where if the authorities (or rich individuals) wants to get you, there will be some law they could get everyone with.
Jim Orrell - researching: see - but way out of date http://wc.rootsweb.com/cgi-bin/igm.cgi?db=james-orrell3


Return to “General Usage”

Who is online

Users browsing this forum: Rodley and 8 guests