* Privacy and GDPR
Privacy and GDPR
A recent post talked about seeing living people in an on-line tree, and got me thinking (dangerous I know )
Where does one draw the line?
An awful lot of personal data on living people is in official websites like gro.gov, (in the Public Domain), so if you obtained all your data via one of these sites, are you still in breach of GDPR if you publish the results of your research?
Where does one draw the line?
An awful lot of personal data on living people is in official websites like gro.gov, (in the Public Domain), so if you obtained all your data via one of these sites, are you still in breach of GDPR if you publish the results of your research?
Mike Loney
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com
- ColeValleyGirl
- Megastar
- Posts: 5499
- Joined: 28 Dec 2005 22:02
- Family Historian: V7
- Location: Cirencester, Gloucestershire
- Contact:
Re: Privacy and GDPR
IANAL but... if you're only publishing data that is openly available (and not adding any personal knowledge etc.) you're probably Ok.
However, I err on the side of caution (and prefer to not annoy my relatives -- for example one of my sisters died last year, but her daughter has asked that I don't publish any data "yet"). I don't publish details of anyone in the generations below my parents; and for those in previous generations that I do not know for sure to be dead, I only identify them by initials (and their relationships to dead people).
However, I err on the side of caution (and prefer to not annoy my relatives -- for example one of my sisters died last year, but her daughter has asked that I don't publish any data "yet"). I don't publish details of anyone in the generations below my parents; and for those in previous generations that I do not know for sure to be dead, I only identify them by initials (and their relationships to dead people).
Helen Wright
ColeValleyGirl's family history
ColeValleyGirl's family history
- tatewise
- Megastar
- Posts: 28410
- Joined: 25 May 2010 11:00
- Family Historian: V7
- Location: Torbay, Devon, UK
- Contact:
Re: Privacy and GDPR
The GDPR states it:
However, any source documents obtained may be covered by copyright so cannot be published online.
- Does not apply to individuals purely for personal/household activities.
- Does not apply to the data of deceased persons.
However, any source documents obtained may be covered by copyright so cannot be published online.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
- ColeValleyGirl
- Megastar
- Posts: 5499
- Joined: 28 Dec 2005 22:02
- Family Historian: V7
- Location: Cirencester, Gloucestershire
- Contact:
Re: Privacy and GDPR
Mike, not sure that Family History qualifies as personal/household activities if you publish the data online... because at that point it ceases to be personal.
https://web.archive.org/web/20181207202 ... xemptions/ says:
https://web.archive.org/web/20181207202 ... xemptions/ says:
Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the GDPR.
Helen Wright
ColeValleyGirl's family history
ColeValleyGirl's family history
Re: Privacy and GDPR
That’s what I was talking about. When you pull birth data off the GRO website, it may be relating to a person who is still alive! Most sites have data referring to living people, which they might not be aware of. It is only in datasets like 1939 register that they take pains to redact.tatewise wrote: and anyway only applies to living persons.
Mike Loney
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com
Website http://www.loney.tribalpages.com
http://www.mickloney.tribalpages.com
- Valkrider
- Megastar
- Posts: 1570
- Joined: 04 Jun 2012 19:03
- Family Historian: V7
- Location: Lincolnshire
- Contact:
Re: Privacy and GDPR
I agree with Helen that the moment you publish it online you are within the scope of GDPR. I did an online course on GDPR prior to it going live and asked this question as part of the interaction with the tutor and he was of the opinion that it would be within the scope but would probably need testing to confirm his belief. To that end I have erred on the side of caution due to the level of fine that can be levied.
- tatewise
- Megastar
- Posts: 28410
- Joined: 25 May 2010 11:00
- Family Historian: V7
- Location: Torbay, Devon, UK
- Contact:
Re: Privacy and GDPR
See FindMyPast What does GDPR mean for my family history research? that says:
So if FindMyPast can publish those records, then if individuals only reproduce identical data taken from those records, it surely falls outside the scope of GDPR.What does GDPR mean for my family history research? Will you be removing records from the site?
Answer:
The GDPR does not cover records related to deceased individuals, therefore, most of our historic records are not affected by the new regulation.
The records we do hold about living individuals have come to our site through partnerships with public institutions and have been legally allowed to open to the public.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
- ColeValleyGirl
- Megastar
- Posts: 5499
- Joined: 28 Dec 2005 22:02
- Family Historian: V7
- Location: Cirencester, Gloucestershire
- Contact:
Re: Privacy and GDPR
Depends what 'processing' you've done, Mike, and how identifiable the individual named is.
If you link a publicly available record to an identifiable living individual (probably -- given the nature of family history -- in conjunction with other data about that individual, in particular their relationships) and then publish it on the web, you're almost certainly within the scope of the act. (You've processed the data to link it to other data and then published it, so it isn't personal/household activities).
If you publish a single (publicly available) record without explicitly linking it to an identifiable individual, not so much. So the GRO website is in the clear.
But if somebody publishes my birth registration online and links it to details of my parents and my siblings and then publishes it without my consent? Not legal. (No problem if they just hold in on their personal PC).
It isn't a single record that matters, it's the 'processing' that links it to other records and to an identifiable individual and then 'publishing' (so it's no longer personal).
If you link a publicly available record to an identifiable living individual (probably -- given the nature of family history -- in conjunction with other data about that individual, in particular their relationships) and then publish it on the web, you're almost certainly within the scope of the act. (You've processed the data to link it to other data and then published it, so it isn't personal/household activities).
If you publish a single (publicly available) record without explicitly linking it to an identifiable individual, not so much. So the GRO website is in the clear.
But if somebody publishes my birth registration online and links it to details of my parents and my siblings and then publishes it without my consent? Not legal. (No problem if they just hold in on their personal PC).
It isn't a single record that matters, it's the 'processing' that links it to other records and to an identifiable individual and then 'publishing' (so it's no longer personal).
Helen Wright
ColeValleyGirl's family history
ColeValleyGirl's family history
- AdrianBruce
- Megastar
- Posts: 2107
- Joined: 09 Aug 2003 21:02
- Family Historian: V7
- Location: South Cheshire
- Contact:
Re: Privacy and GDPR
Also the GRO is intended to compile this data, index it and publish those indexes. But certainly, I would agree that compiling "authorised" snippets and linking them together is a different matter as it's creating information(?).ColeValleyGirl wrote:... If you publish a single (publicly available) record without explicitly linking it to an identifiable individual, not so much. So the GRO website is in the clear. ...
Adrian
Re: Privacy and GDPR
If we collect data from various sources about living individual, and then publish these data together then I would argue we are subject to GDPR. Particularly if that person is identifiable from the information we have published.
Last edited by David2416 on 12 Apr 2019 07:17, edited 1 time in total.
Re: Privacy and GDPR
I would agree.
If we presume your reference site IS complying with the GDPR, then the person whose details they published will have given their approval for that publication. They have not given you approval to publish the same information, which makes you in breach of GDPR unless you get that person's explicit agreement.
If we presume your reference site IS complying with the GDPR, then the person whose details they published will have given their approval for that publication. They have not given you approval to publish the same information, which makes you in breach of GDPR unless you get that person's explicit agreement.
Re: Privacy and GDPR
Hmmm! I don't recall giving the GRO permission to publish my birth and marriage on their indexes? I don't suppose any of us have. Not that I'm bothered but it raises interesting questions.
Anne
Anne
- ColeValleyGirl
- Megastar
- Posts: 5499
- Joined: 28 Dec 2005 22:02
- Family Historian: V7
- Location: Cirencester, Gloucestershire
- Contact:
Re: Privacy and GDPR
Anne, by law that information is public -- there's no question of permission.
Helen Wright
ColeValleyGirl's family history
ColeValleyGirl's family history
Re: Privacy and GDPR
There is also the fact that the GRO Indexes don't directly identify specific individuals. They just state that the Birth, Death or Marriage of a person named 'X' was registered within a particular period in time in a specific Registration District. It's applying (processing) that data alongside some other knowledge that leads to the conclusion that the Index Entry relates to a specific person. That conclusion may, of course, be accurate or entirely inaccurate; and will also be based partly on the assumption that the Index Entry itself was entered accurately!
Mervyn
Mervyn
- gusgorilla
- Newbie
- Posts: 1
- Joined: 14 Apr 2019 16:58
- Family Historian: V6
- Contact:
Re: Privacy and GDPR
I work for a probate genealogy company and in several areas we rely on the "legitimate business interests" part of the regulations. There is a particular requirement to be extra careful with children's data. It's rather long-winded but here is the relevant page on the Information Commissioner's Office website.
Gary
Gary
- jimlad68
- Megastar
- Posts: 921
- Joined: 18 May 2014 21:01
- Family Historian: V7
- Location: Sheffield, Yorkshire, UK (but from Lancashire)
- Contact:
Re: Privacy and GDPR
sorry to be late to this topic,
So, if I share "living" digital information via an email or say onedrive to selected person(s) via a non public link with/without a password. Is that OK.
I can imagine that if another person then made it public, they might be in trouble.
So, if I share "living" digital information via an email or say onedrive to selected person(s) via a non public link with/without a password. Is that OK.
I can imagine that if another person then made it public, they might be in trouble.
Jim Orrell - researching: see - but probably out of date https://gw.geneanet.org/jimlad68
- tatewise
- Megastar
- Posts: 28410
- Joined: 25 May 2010 11:00
- Family Historian: V7
- Location: Torbay, Devon, UK
- Contact:
Re: Privacy and GDPR
I think it hinges on whether both your use and the other person's use falls with the GDPR definition of a purely personal or household activity.
It also depends on exactly what living person information is involved, and whether they are children for which GDPR is much more rigorous.
It would be safer if you obtained permission for that use of the information.
It also depends on exactly what living person information is involved, and whether they are children for which GDPR is much more rigorous.
It would be safer if you obtained permission for that use of the information.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
- jimlad68
- Megastar
- Posts: 921
- Joined: 18 May 2014 21:01
- Family Historian: V7
- Location: Sheffield, Yorkshire, UK (but from Lancashire)
- Contact:
Re: Privacy and GDPR
Thanks Mike and everyone else on this topic. Can of worms, and as ever lots of work for those in the legal etc professions (can't blame them for doing their job). Reminds me of one of those Orwellian states where if the authorities (or rich individuals) wants to get you, there will be some law they could get everyone with.
Jim Orrell - researching: see - but probably out of date https://gw.geneanet.org/jimlad68