General Data Protection Regulation

I saw that release from SO1 Coord and was amazed at the arrogance of it.

Companies around the western World are throwing money and resources in all directions to get compliant with resulting discussions and training identifying the seriousness of the implications. Meanwhile HQAC bangs out a statement vis … ‘we’re alright co’s we have tight system already and if you don’t want us to have your details you can leave’.

Make no mistake this is yet another example of HQAC floundering against the law because it cannot cope.

FACT: GDPR places the control squarely into the hands of the individual. Companies, Charities, and Organisations such as RAFAC are legally bound to DEMONSTRATE compliance.

FACT: Any organisation must meet at least one of four legal tests to hold ANY personal information. If it does not, then it is unlawful in holding that information. Quite apart from the current position, this means HQAC should be reviewing and removing all past cadet data held not just on computer but on paper also.

FACT: HQAC will be under legal duty to respond within 30 days with information about any or all information it holds on volunteer staff or cadets.

FACT: It is for the individual concerned - not HQAC to decide on what is permissible to hold - unless of course they can demonstrate that individual has given explicit consent. This is deliberately defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

FACT: Consent is one of the four legal tests for holding data, the second is ‘for the performance of a contract involving the individual’. This would be the basis for holding data in terms of providing a cadet ‘service’ under contract of membership. However, this data should be specified up front by HQAC at the point of agreement and it is specifically unlawful to presume agreement by implication (‘you signed to volunteer so automatically agreed to us having your next of kin on file’).

It is therefore for HQAC to review the data that it holds, decide on whether it is necessary to hold it and then remove what cannot be demonstrably justified. Not issuing blunt statements.

Personally I really think that HQAC are flying very close to the line on this. I cannot see that they have any legal basis to hold CivCom personal data, and even some delicate cadet data might be difficult above squadron level. Summary data … yes. But where data is passed to third-parties and beyond (i.e. Squadron to Wing to Region to HQ) then responsibility of control remains with the squadron. So if someone locally leaves the cadets and says ‘remove all my data’ to the squadron (who then do), what is their mechanism of assurance that this has been done throughout the whole RAFAC? It won’t happen.

This brings up another discussion … part of the up-front declarations at point of receiving consent must be the identification of the Data Controller and if relevant the (independent 'ish) Data Protection Officer. These are formal requirements … anyone else using the info is regarded as a Data-Processor.

So one might believe that HQAC is naturally defined as the Data Controller and the squadron is the Data-Processor. But the squadron technically could be argued to have more of a lawful purpose than the more removed HQAC.

I could go on, but I’m sure these points demonstrate that this is a massive area and RAFAC are way off-line sending out such banal (and frankly ignorant) messages.

More likely is that they have eventually realised that if too many personnel make information requests, they simply will not cope and there would be a flood of complaints to the Information Commissioner (which is your legal right and they are legally required to notify you of that option). Depending on the quantity received, the IC would probably then investigate the whole shebang.

I’m not saying it can’t be sorted, but there is more finesse and leadership required. Bader isn’t the answer to everything and after the falling staff/cadet numbers of recent years, I don’t see it as particularly constructive to just tell people to shut up or leave.

But you have to have the paper version for evac purposes. We’ve always kept 6 months of these and then consigned them to the shredder for use as pet bedding or various compost bins. It’s only put on SMS just to keep Wing up happy.

We have a ‘login’ card system at work AND an in/out tick list for fire purposes. We have that as they can’t print lists quick enough for evac drills.

Don’t have to, we use a tablet which has the SMS register on it.
It means any staff which are free can update instead of bothering other staff.

Your squadron isn’t where we are. Our wifi struggles when you’re a couple of feet outside the hut let alone the evac point which is about 200ft from the hut, and you’d need a shave by the time you’d logged on.

I’ve worked on the legislation for implementing the GDPR. I’m not going to get into this whole debate other than to say that there is some absolute nonsense being written on here by barrack room lawyers.


Par for the course!

How does it compare with what is being written by HQAC?

The underlying point I seem to take is that organisations can no longer assume they have consent from individuals, hence the emails from organisations asking me to confirm that I am happy for them to contact me. Consent lies very much wholly with the individual, even as I understand down to the level of giving specific consent for individual pieces of information to be used and this has to be a positive consent, not by phrases written in a way where not ticking the box means you have given consent. I would say if I feel it is in MY interest people can have it, if not in my interest, then I need to decide. Why does for instance HQAC need medical details on SMS? Or more than a postal address for contacting people?

The email from HQAC exemplifies the petulance that you have come to expect, when faced with something they don’t like. We’ve been given a print out of the information the company holds and asked to say which we are happy for them to continue holding. Will get something similar from HQAC?

Looking at the ICO website children over 13 should be asked to give specific consent about personal information held and this is written in a clear way they can understand.

It would appear that Facebook are having to get specific consent for their face recognition in Europe and Canada, rather than just assuming they can do what they want. Why they need this baffles me. It seems an unregulated company having more information about people, than is healthy.

Bang on Teflon.

Don’t presume that ‘Barrack Room’ lawyers are not involved deeply in the subject elsewhere themselves. There will always be a degree of interpretation, but as Teflon points out, there are certain areas pertaining to the Air Cadets which are clear and unequivocal. At the lowest of levels this starts with the transfer of control away from the organisation to the individual.

The core principle of GDPR is that personal information is the property of the individual who loans it to the organisation for a specific and up-front agreed purpose. Any deviation from that is unlawful and where a privacy policy is varied at a later date, then the organisation may be required to seek renewed consent.

In the wider world, companies are having to accept that employment contracts may not contain sufficient consent for all the details held on an employment file, and the same will apply to HQAC in all but that which can be demonstrated to be necessary. What is the legal basis for a company placing the records of a retired employee into an old filing cabinet for later reference rather than destroying them? None without consent (which is the first legal test of lawful possession). The same would be true of any old staff or cadets who have left. I doubt anyone on this forum can give a 100% assurance that HQAC has not got old data on individuals in this category.

And that is my point which Teflon distils - there is a process which HQAC are legally subject to comply with. But it is uncomfortable as it probably requires staff they haven’t got to review the operation to compliance and then it is unpalatable for them to accept the loss of control. My repeated professional experience in a number of EU regulation scenarios is that doing nothing and blagging it is the worst option. Far better to do something right to the principle and then refine it.

On the subject of children, the current legal age of consent within the GDPR is 16. However, there is provision for member states modifying that to anywhere between 13 and 16. The UK Government have already pronounced they will be opting for 13.

So in the interest of discussion, who would HQAC seek to gain new cadet agreement from? The parent or the cadet?

We return to the simple principle that the organisation needs to be transparent, non-ambiguous and up-front so that consent may be given to the official definition in my previous post.

It is not for any of us (except perhaps those members who are from HQAC monitoring these discussions) to make the call and I do not do so beyond highlighting that a bullish and ignorant attitude does little to help squadrons who will have parents, or maybe former staff, who are more on the case than the organisation.

As for incubus’s comment “How does it compare with what is being written by HQAC?” … as far as I am aware this forum and the email from SO1 Coord are the only available information relating to Air Cadets and GDPR.

What about our cadets that join at 12, and then turn 13… Is that now 2 forms for some joiners?

I would suggest that common-sense/law (not always the same thing!) dictates that parental consent at 12 would remain valid, but on reaching 13 the cadet would be able to exercise any of the 8 individual rights identified in the GDPR. If they don’t then the former consent remains valid until they or the parent does (up to 18).

However it ends up, this is a fair example of an item that HQAC should refer to in its published policy. In general, parents too should be wary that in principle at least a 15 year old (i.e. any minor) could give consent that the parent is legally bound by. I think RAFAC is less likely to be hampered by that, but again it would be an opportunity to be helpful in stating the organisation’s position on it.

Actually … thinking a little more generally, where people in this thread are suggesting different means to comply or avoid GDPR, it is worth pointing out that this isn’t the whole story.

There is a second regulation intended to work in tandem with GDPR and this is known as the ePR or Electronic Privacy Regulation. In simple terms you might like to think of it as GDPR regulating what and how we hold and whether we hold it whereas ePR is more about improving privacy around how we communicate it.

The focus on GDPR has shielded ePR which has got a bit bogged down in debate over cookie handling, but when it comes it will widen the Government’s Electronic Communications Regulations 2011 and will cover mobile phones, email, Gmail, Whats App, Facebook Messenger and so on and on. Essentially introducing stern minimum standards for protecting individual privacy in methods of communication.

Incidentally, I came across a mailing from the East Anglian RFCA here

https://mailchi.mp/4d53e148b698/the-latest-news-from-east-anglia-rfca-544377

which I suggest is a pretty good example of how not to do it on your squadron website - the info is incomplete, there is no policy to agree to nor time limits or in fact any of the statutory info required in such a message or agreement.

Interestingly, I’ve noticed that the FCA (my governing body at least) has said that their laws overrule certain aspects of GDPR.

Primarily it states that none of our clients can have a full right to erasure as we need proof of correct sale should a complaint arise in the future (akin to PPI not being mis-sold).

Following on from this, would GDPR only count for “customers” and not necessarily all consumers? Personal opinions aside, if RAFAC say they have to hold certain information and they have a valid reason, could there be a challenge?

Department of Education and Department of Health have issued a similar memo relating to primary legislation in their specific areas overruling elements of GDPR. The DfE chap was minuted saying “Legislation beats Regulation”.

Wonder if MoD are taking the same line?

Hmmm … I would totally agree with that except for one massive point.

When it comes to EU Regulations they are legislation - don’t be fooled by the name.

An EU Directive is a directive to each member country to take the principle of the directive concerned and transpose it into national law. The country concerned has some latitude over the implementation but the end result must be the same.

An EU Regulation is a legally binding set of rules in EU law that each country must observe direct from the EU. It is a convenience that each country adopts it into their own statute book (as here in the UK) as much as it politically demonstrates retained control. But the fact remains it is law.

A regulatory body on the other hand is an organisation set up to produce guidelines. Most regulatory bodies such as CC or DfE are not prosecuting authorities and therefore must stand back when the trouble starts.

So the DfE chap is right, but only in his own context. Same for the FCA because of the four lawful purposes for holding data, theirs would probably be covered, especially if they write it into their policy.

Ultimately the FCA are responsible to the Government … who in GDPR terms are responsible to the EU.

The MOD might have some caveats they feel hold water in terms of national security, but remember we are talking here of volunteers and cadets not professionally enlisted staff (where it wouldn’t count).

Ultimately GDPR doesn’t say that any body needs to try to over-rule or anything … and it is true that they are not the primary targets of the GDPR. But with gained permission it all goes away …

I think I’d adopt the same lines as the FCA - need to hold the data indefinitely in case of a complaint down the line.

Say a cadet suffers an injury at a RAFAC event, if we don’t hold any data then we don’t know if procedure was followed with respect to authorisations, qualifications and HSE form filling. If we did hold the data then at least an investigation could be conducted (even down to contacting staff that were at the event).

As far as I’m aware, there’s no time limit on complaints so I’d say that outweighs GDPR.

But then again I’m not a lawyer and this is all conjecture and assumptions!

Interestingly this seems to mean that in the UK a plethora of jobsworths up the ante, making it more difficult and therefore expensive, so for UK organisations to say that they are going to in effect ignore it, or say they are doing enough or have to do things in a certain way, is somewhat against the grain.
I think the problem with GDPR is giving the ordinary folk control and ironically many of those proposing they don’t have to abide by this are, at some point, going to be ‘ordinary folk’.

Ahhh … but this strikes at the core of the issue.

I totally understand your point about indefinite and there is provision to allow for the organisation to specify lengths of time.

But at any point the individual can withdraw consent or request that the organisation removes all personal data held. The legal principle at stake here is that the information, by virtue of being able to identify an individual from any part of it, is the property of the individual not the organisation.

So the organisation can certainly set out for agreement (and remember that will be fresh agreement where existing terms are varied) any time limits it wishes and then receive agreement, but the individual retains the absolute right at any moment to request copies of that information held on file and to withdraw consent for it to be held which then must be respected and acted on by the organisation within a set time-frame.

The over-riding principle is that any organisation … FCA, DfE, RAFAC … no longer owns the personal information and only has a right to hold it while the individual consents or it is performing a contract for or involving that individual.

So RAFAC clearly offers membership and an agreement is made between it and a cadet or staff member (I say ‘agreement’ advisedly because RAFAC is not a legal entity and therefore cannot be party to a contract). Within that agreement, RAFAC is given permission to collect and hold any personal data which can be checked or removed at any time.

In real terms I would think that there will need to be later refinement to GDPR because it isn’t hard to see that a malicious individual could secure the removal of personal information from an organisation, and then 6 months later proceed to make a complaint.

They’re not. Try and find my home address on SMS (Matt Bowyer, 2293).

Doesn’t that cause the UniVerse link to panic?

Teflon, you do talk a lot of rubbish. If they don’t have our email they cannot contact us. If they don’t have our national insurance or bank details they can’t pay us VA… If they really do hold some information they don’t need we can get them to delete it, but they need most of what they hold to run our membership of the ATC.
