CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.
Author Topic: Data Protection Directive and other European Union legislation  (Read 1080 times)

LA2

  • Guest
Data Protection Directive and other European Union legislation
July 30, 2010, 08:09:00 pm
According to the European Union's "Data Protection Directive" (95/46/EC, http://en.wikipedia.org/wiki/Data_Protection_Directive) individuals must give consent (opt-in) before having their personal information registered. This is compatible with membership in an association, because becoming a member is a conscious act and implies opting in to being registered. But how does it work for "contacts" that don't want to be members? What experience (good or bad) do organizations in the European Union have from using CiviCRM in this respect? I looked around the documentation and the wiki, but found no clues about this.

EdP

  • CiviCRM version: 4.4
  • CMS version: Joomla 2.5.x
Re: Data Protection Directive and other European Union legislation
August 20, 2010, 03:34:32 am
Quote from: LA2 on July 30, 2010, 08:09:00 pm
According to the European Union's "Data Protection Directive" (95/46/EC, http://en.wikipedia.org/wiki/Data_Protection_Directive) individuals must give consent (opt-in) before having their personal information registered. This is compatible with membership in an association, because becoming a member is a conscious act and implies opting in to being registered. But how does it work for "contacts" that don't want to be members?

Sadly Directive 95/46 isn't quite as simple as 'consent or nothing' and anyway you've got to consider its interaction with the E-commerce Directive and Distance Selling Directive where you're talking about contacts who are contacting you for Events (a likely use case for non-member contacts). As implemented in the UK at least, any Personal Data (i.e. data about an identifiable living individual which is processed in a relevant filing system like CiviCRM) must be processed in accordance with the 8 Data Protection Principles and only if valid grounds under Schedule 2 exist. Consent is obviously one of the grounds under Schedule 2 and undoubtedly the best one. However, Schedule 2 does also include other grounds for valid processing, such as performing a contract with the data subject etc, and of course the E-commerce Directive and Distance Selling Directive give some idea of the level of customer records an organisation dealing with end-users at a distance will need to hold in order to be able to fulfill their obligations. Same goes for Sensitive Personal Data but with the further restrictions that go with that.

So it depends a lot on how you use CiviCRM, what data you choose to store in it, how securely you set it up, whether you've remembered to register with the Information Commissioner (if you need to; there are a bunch of voluntary organisation exceptions), whether contacts are being entered because they have contacted you, or whether you've hoovered them up from elsewhere, etc. In many ways the issues are just the same as if you keep a customer/member/contact list in Access or Excel. Merely being a member does not give consent or reason to store any category of data, nor does not being a member necessarily prohibit it. Even for your members you are better off telling them what processing you do and getting consent on your membership sign-up form. We use a Custom Data field to collect DPA consent at sign-up.

Consent isn't an absolute pre-requisite, but it is the best route, so it depends what data protection consents you have from contacts. CiviCRM allows you to group (via Groups, Tags, and specific DO NOT EMAIL contact markings) people into groups who have, or haven't consented to certain processing in respect of their data in certain ways. People can opt-out of mailings by taking themselves out of the newsletter mailing group, for example. CiviMail has all the necessary tokens to insert all the data and opt-outs needed for compliance with the Privacy and Electronic Commerce (EC Directive) Regulations 2003, for example, but it can't stop you spamming people if actually you don't have consent.

Deleting data you don't need any more, in accordance with the principle about not processing data for longer than is needed (where mere storage is regarded as processing), is trickier as there is no automated process for this, although obviously you could have a policy of deleting all contacts who haven't been a member for a set period of time. But without logging or history this would wipe out all records of the membership and activities, so your financial records would be wrong. It would also mean that if they came back you'd have no idea who they were.

I'd also mention that your experience may also vary in other places within the EU. Although of course this is supposed to be harmonised legislation throughout the union, national regulators vary wildly in how onerously they regard all this, with the UK at the softer end of the scale. The ICO tends to take a (pretty sensible) approach, but many of their counterparts in the Article 29 working group are much more hard-line and the guidance from the group and therefore the EU becomes stronger all the time.

This is not legal advice, blah, blah...
« Last Edit: August 20, 2010, 03:39:56 am by EdP »
