Kitz Forum

Announcements => Site Announcements => Topic started by: kitz on May 24, 2018, 06:08:21 PM

Title: Forum Terms of Service - GDPR notification
Post by: kitz on May 24, 2018, 06:08:21 PM
As our service provider is based in the UK and we serve individuals within the European Union (including, for now, the UK), we will, from 25 May 2018, be bound by the General Data Protection Regulations (GDPR, Regulation (EU) 2016/679) (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679). The GDPR will apply to kitz.co.uk as a Data Controller.

Our lawful basis for processing data is consent. We provide a cookie notice (https://kitz.co.uk/sites/policy.htm#cookies) at first contact to the site and all forum users are required to agree to terms and conditions prior to registering (https://forum.kitz.co.uk/index.php?action=register) for the forum.

Following the GDPR, each individual has the right to: be informed, access, rectification, erasure, restricted processing, data portability and object. This post will outline how we intend to allow members to exercise their rights under this Regulation.

Quote from: Your rights

    The right to be informed

The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how we use personal data.

In terms of personal data, the only data we collect is data which you supply, with the exception of your IP address, hostname and your most recent click. As we are an anonymous forum, little personal data is collected and we do not require you to provide any additional personal data, with the exception of your email address. We also collect your IP address/hostname (in the event of a ban needing to be placed on your account, for the purposes of dealing with hacking, and if we are required to contact your ISP), and your username (for post identification). Further, the forum automatically uses a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

Any formal requests should be made to forum @ kitz.co.uk. All emails must come from the email associated with your account.

    The right of access

The right of access means you have the right to confirmation that your data is being processed and access to your personal data.

Your data is being processed. Any personal data we have is accessible via your profile (https://forum.kitz.co.uk/index.php?action=profile).
If you want us to provide you with additional information (such as your IP address), then please use the contact email above.

    The right to rectification

This gives you the right to have your personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.

    The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). We will deal with this by transferring your username to a Guest account which has no user associated profile and all posts previously made will be attributed to the Guest account.

Blanket removal of individual posts is not seen as a compelling reason as it breaks up the thread and seriously affects readability and continuity of technical information data for our other members. We may also consider a change of username if this is preferred.

    The right to restrict processing

You have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it.

Our data processing is as restricted as possible. Processing generally requires you to act on our website, therefore not using the website will cease such processing.

    The right to data portability

This allows you to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Ultimately all posts you make, unless made in a restricted forum where you have lost access, and other information you provide are all accessible. If you wish for us to send you the data we hold, a request should be made to the email above. There will be an administration fee of £10 for this service.
Please note that if your account has been anonymised to a Guest account, we have no way of tracking which posts have been made by you and will be unable to identify which posts you have made.

    The right to object

You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling), and processing for purposes of scientific/historical research and statistics.

We do not generally process data for these purposes.

More information on your rights can be found here (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)

Data breaches

In accordance with GDPR, if we become aware of a data breach, we are obliged, within 72 hours, to notify any users involved. As we do not believe such a breach would result in a risk to the rights and freedoms of individuals, breaches will not be reported to the supervisory authority.

Children

The GDPR contains new provisions intended to enhance the protection of children’s personal data. As we do not identify individuals beyond their IP address, username and email address, we do not believe any action is required.

Other provisions

As our data processing does not pose a high risk to the rights and freedoms of individuals, we are not required to undertake a Data Protection Impact Assessment (DPIA), nor are we required to appoint a Data Protection Officer (DPO). We reserve the right to reveal information we hold about you (or any other related information collected on this service) in the event of a formal complaint or legal action arising from any situation caused by your use of this forum, in accordance with the laws of the United Kingdom.

Administration Fees

As a user you have direct access to your profile information and can yourself search for any/all posts you have made using the Profile > Show Posts section. This facility is available free of charge. Under the GDPR we are allowed to charge a "reasonable fee based on administrative costs" for further copies, which is how we treat manual requests. We are also within our rights to refuse to act on a request if it is "manifestly unfounded or excessive, in particular because of their repetitive character".

We will consider on an ongoing basis all other requirements.
Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on May 24, 2018, 08:33:33 PM
Privacy Policy

The forum privacy policy can be viewed here (https://forum.kitz.co.uk/index.php?action=agreement).
The main site privacy policy can be viewed here (https://kitz.co.uk/sites/policy.htm).


Cookie Policy

The site cookie policy can be viewed here (https://kitz.co.uk/sites/policy.htm#cookies).


Forum Registration Agreement

The forum registration agreement can be viewed here (https://forum.kitz.co.uk/index.php?action=agreement).  You may have to log out to view this information.

------
Edited by admin to update link for privacy policy after SMF update.

Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on May 24, 2018, 09:35:05 PM
Although the GDPR privacy policy has been available for a while, I shall be attempting a forced change which will require your agreement to acknowledge that it has been read.

I shall also attempt to force a re-read of the registration agreement. It's basically the same but has an additional paragraph about GDPR Data Protection at the bottom.

Hopefully if I'm quick enough (I have everything prepped), I can force both at the same time.
Title: Re: Forum Terms of Service - GDPR notification
Post by: Browni on May 24, 2018, 09:45:43 PM
Both appeared for me.

Duly accepted  :)
Title: Re: Forum Terms of Service - GDPR notification
Post by: licquorice on May 24, 2018, 09:55:13 PM
Likewise
Title: Re: Forum Terms of Service - GDPR notification
Post by: broadstairs on May 24, 2018, 10:02:26 PM
And here for me......

Stuart
Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on May 24, 2018, 10:11:58 PM
Cheers guys.

I believe the software should automatically place a marker against your account to record that you have read the new policy so that the forum is compliant with the new GDPR rules. Because the forum stores personal info (eg email) it has different requirements from the main site.

I've no idea how I would pull info for who has read and who hasn't, but the main thing is that the software knows and won't let you proceed to make a post etc until you have read it. Someone kindly wrote a quick mod hack for SMF forums which enables admins to force users to accept the updated policy changes after I brought the topic up on SMF about GDPR.
Title: Re: Forum Terms of Service - GDPR notification
Post by: Westie on May 24, 2018, 10:26:11 PM
Both the Privacy Policy & the Registration Agreement appeared at first site viewing. Both accepted.

Good work, kitz!
Title: Re: Forum Terms of Service - GDPR notification
Post by: roseway on May 24, 2018, 10:30:12 PM
Both here too.
Title: Re: Forum Terms of Service - GDPR notification
Post by: V_R on May 24, 2018, 11:30:26 PM
Quote
Both appeared for me.

Duly accepted  :)

Me too. Keep doing what you do Kitz. :)
Title: Re: Forum Terms of Service - GDPR notification
Post by: Weaver on May 25, 2018, 04:11:46 AM
Both accepted. Many thanks for your work Kitz.
Title: Re: Forum Terms of Service - GDPR notification
Post by: d2d4j on May 25, 2018, 07:57:28 AM
Hi kitz

Kudos to you

Sorry, Tapatalk did not display them sorry

Interestingly, just watched bbc and IC stated most not needed, and as example, those who joined a membership (which I think a forum could be classed as loosely), do not require to make any real change, or seek new confirmation from its users. All they need to do is update the privacy policy etc as you have, but do not need detailed information who has accepted the new policies

Many thanks

John
Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on May 25, 2018, 09:12:07 AM
Quote
Sorry, Tapatalk did not display them sorry

Not sure what I can do about that as the tapatalk software sits on top and I presume they will have to have their own policy changes.

Quote
Interestingly, just watched bbc and IC stated most not needed

What program was that? I'd like to see if it's on iPlayer. The problem is a lot of us have been left in the dark not knowing what applies to whom. A lot of advice is undecided and the fact that the IC only today came up with this on d-day shows how little info there is. I spent an hour hanging on their help line a few days ago to try to get clarification on something, but every time you call they are constantly engaged.

I'm part of a large discussion for SMF forum owners who are trying to seek clarification... and a couple of other owners are talking about more in-depth stuff which I don't personally feel will apply such as portability of PMs. To be quite frank I hope it's not, because as it currently stands admin doesn't have access to PMs and I have absolutely no interest in something which may be able to do so. Yet some are saying we should be able to because the likes of FB provide this function. If there is something from the ICO that says we have done sufficient then I'd love to feed that back.

Title: Forum Terms of Service - GDPR notification
Post by: d2d4j on May 25, 2018, 09:25:16 AM
Hi kitz

Many thanks

It was bbc news/morning on weekdays between 6 - 9.15. Sorry breakfast tv.

They had the IC on the sofa and had a general talk/questions

Only lasted a few minutes but this is where she stated - most do not need to send emails/take all this action, mentioning as example hairdressers, membership etc who have an ongoing relationship with the user/client and should continue to communicate as they previously did eg appointment reminders etc... and importantly do not have to gain explicit permission to do so, as it is ongoing relationship

I am not sure if it is on iPlayer but guess it would be or on bbc.co.uk

Many thanks

John

Oops sorry, it was about 7.40 ish time I think
Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on May 25, 2018, 09:42:11 AM
Cheers :)
Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on February 15, 2021, 06:19:54 PM

-------------------------
Notice for transparency.
-------------------------

SMF update 2.0.16 released 27 Dec 2019 made significant changes to support GDPR compliance within the SMF Core.

Quote from: SMF
Notable changes in 2.0.16

    Support for privacy policy in addition to registration agreement
    GDPR Compliance toggle in Core Features
       Enabling this configures multiple settings and new features to comply with the GDPR, including:
        Requiring members to accept the current privacy policy in order to use the forum
        Asking during registration whether the new member wants to receive announcements via email
        Enabling token-based unsubscribe links in emails so members can unsubscribe without logging in
        Allowing members to download a copy of their profile information
        Adjusting the behaviour of a number of other features in minor ways as necessary
    PHP 7.2 support
    Improved security hashes for the image proxy
    Improved security for the login cookie
    Assorted other security improvements
    Various improvements for both the installer and upgrader

These changes made little GDPR difference to forums (such as kitz.co.uk) which have been GDPR compliant, content wise, since before May 2018, but it did mean we had some problems being able to update because of the mod.

Someone kindly wrote a quick mod hack for SMF forums which enables admins to force users to accept the updated policy changes after I brought the topic up on SMF about GDPR.

In order to update to 2.0.17 I had to remove the GDPR helper modification (https://custom.simplemachines.org/mods/index.php?mod=4183). Because I was one of those still having problems updating, I made some manual adjustments which mean GDPR helper data collected by the mod was also removed.
Now that the latest version of SMF is GDPR compliant without this mod, I have no intention of re-installing GDPR helper, as it would force all users to re-read & agree to the privacy policy and registration form that have had no change to content.

The only change for our members is that the forum privacy policy can now be viewed here (https://forum.kitz.co.uk/index.php?action=agreement).
I only noticed the url change yesterday and will update the relevant post above with the new url, which is why I'm making this post now.
The new merged page is (and has been) linked in the footer at the bottom of each page under Terms and Policies (https://forum.kitz.co.uk/index.php?action=agreement) since the update(s).


TLDR version;

Title: Re: Forum Terms of Service - GDPR notification
Post by: kitz on February 15, 2021, 06:28:58 PM
Whilst posting about GDPR, I take the opportunity to remind members of the forum policy regarding some of the GDPR policies namely:


Quote
    The right to restrict processing

You have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it.

Our data processing is as restricted as possible. Processing generally requires you to act on our website, therefore not using the website will cease such processing.

As above, processing requires you to act on our website as a logged in member. Once you are logged out then there is no further processing by the server.

Quote
    The right to erase

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

On the forum, this can be dealt with by requesting to delete your account. A deletion will have to be approved by an administrator (to protect against accounts being deleted maliciously). We will deal with this by transferring your username to a Guest account which has no user associated profile and all posts previously made will be attributed to the Guest account.

Blanket removal of individual posts is not seen as a compelling reason as it breaks up the thread and seriously affects readability and continuity of technical information data for our other members.  We may also consider a change of username if this is preferred.

We do not blanket remove all posts for the reasons stated above, but are willing to remove or edit individual posts that may contain personally identifying information.

Anonymity

If you wish to retain anonymity, for example if you have used your real name instead of an alias, then admin can change your 'display name'. The display name is self explanatory, but to clarify, this is the name appended to any posts you make.


Personal data & account deletion

The forum has no facility for members to delete their account themselves. However, this can be done by a forum administrator. We do this by re-assigning your account to a [special] guest account that will remove all personal data from our servers (such as email and IP addresses) and will assign the attribute 'guest' to any posts you have made in the past. Because this action assigns you to a guest account that has no personal data, the database treats your posts and any other deleted accounts as the same account. As such, there is absolutely no going back from this action.

The only personal data that we do hold on our servers for members is your email address & any IP addresses associated with any posts you make.  Both of these and any other information such as user/display name, av, forum signature, registration date etc are deleted when merging to the guest account.

If you wish, you can download a copy of your personal data from Profile > Actions > Download profile data.
Any posts you have made can be viewed from Profile > Profile Info > Show Posts.
Title: Re: Forum Terms of Service - GDPR notification
Post by: Alex Atkin UK on February 15, 2021, 08:27:57 PM
This sounds like a sensible approach. The reason I ditched my own login facility on my sites is I honestly didn't want to have to deal with this problem as, like you said, deleting user data would completely break the site.

Arguably I still might have to on my legacy sites if an old user requests it, although I don't think I logged IPs anyway.  My biggest gripe with GDPR is how unclear it is what is and is not considered personal data.  As my sites were compatibility lists for emulators, I always considered anything posted to the sites as then belonging to the site, but GDPR seemed to step on this assumption.