11-08-2013, 11:14 AM
As far as the Data Protection Act is concerned it is actually possible to forward some data to third parties. However, when a user submits data it generally has to be clearly defined at the time. There should also be a choice, and generally the best approach is an "opt in" approach rather than an "opt out" approach as far as 3rd party contact is concerned. Information collected is often also constrained with uses and has to be used "Fairly". To summarise the main things relevant for ChessScotland other than accuracy:
First Principle of Data Protection Act
Personal data shall be processed fairly and lawfully i.e.
- Be open and honest about your identity;
- Tell people how you intend to use any personal data you collect about them (unless this is obvious);
- Usually handle their personal data only in ways they would reasonably expect; and
- Above all, not use their information in ways that unjustifiably have a negative effect on them.
Second Principle of Data Protection Act
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Seventh Principle of Data Protection Act
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
I will also note that relying on the fact that someone's e-mail can be found publicly is a very fragile defence. For example, if I set up my own domain for e-mails and then gave only ChessScotland an e-mail address of Chess@example.com that was then rerouted to my main address of Email@example.com, that would mean that the next time the widow of a Nigerian president contacts me for help with transferring funds and a visa at Chess@Example.com, I would then have a fairly robust case for proving that my information was leaked while ChessScotland was discussing things with the Nigerian Chess Federation or someone associated with them.
As far as availability of private e-mails goes, theoretically it shouldn't be revealed unless you gave consent elsewhere or another place has breached the Data Protection Act. Of course, if your e-mail is posted on a public Facebook page or ends up on a shady mailing list of some sort then it would be rather unsurprising if you start getting loads of unsolicited mail.
Personally I've noticed that usually the issue that is murkiest in terms of data protection is people sending e-mails advertising congresses. As far as my rough interpretation of the scope of communications I should be receiving from ChessScotland as a member, it mainly consists of reminders about renewing membership (if not a life member), player of the year voting, AGM information, changes to how ChessScotland will be run, perhaps a monthly newsletter (that I would have the option to unsubscribe from) and any pertinent issues that require a response from me (e.g. I'm selected to represent country or gauging interest to represent country, ethics committees, replies to queries etc).
As far as how CS deals with DPA regulations at current and in future, I'll pretty much list it here. On the application form (http://www.chessscotland.com/membership/joinapp.pdf) it states "All details are treated as confidential but may be used to further the promotion of chess in Scotland". This seems a bit vague and doesn't contain an opt in/out for marketing. In addition, is promotion of chess in Scotland sending e-mails to me about congresses or giving my e-mail address/details to journalists so they can question me about chess in general and publish interviews in national press raising the profile of chess? ;P As far as how people have used it up to now, I'd like to think that most people have used it with the best of intentions and any oversights were due to the fact that the scope wasn't necessarily clearly defined.
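The address-per-organisation idea in the post above, as an added example that is not part of the original post: a small check that flags mail arriving at an alias from a sender outside the organisation the alias was given to. The alias register, the expected sender domain and both sample messages are constructed for illustration, and addresses are compared case-insensitively on the assumption that the mail server treats `Chess@Example.com` and `Chess@example.com` as the same mailbox.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed register of aliases: who was given each address and which
# sender domains that organisation is expected to mail from (assumption).
ALIASES = {
    "chess@example.com": {"given_to": "ChessScotland",
                          "expected_domains": {"chessscotland.com"}},
}
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

def recipient_addresses(msg):
    """All recipient addresses in the message, lower-cased."""
    values = []
    for name in RECIPIENT_HEADERS:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def from_expected_domain(sender, domains):
    """True if the sender's domain is an expected domain or a subdomain of one."""
    domain = sender.rpartition("@")[2]
    return any(domain == d or domain.endswith("." + d) for d in domains)

def check_message(raw):
    """Return one finding per alias that received mail from an unexpected sender."""
    msg = message_from_string(raw)
    # From is easy to forge, so a match is weak evidence of legitimacy;
    # a mismatch is the useful signal here.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for alias in sorted(recipient_addresses(msg)):
        entry = ALIASES.get(alias)
        if entry and not from_expected_domain(sender, entry["expected_domains"]):
            findings.append({"alias": alias, "given_to": entry["given_to"],
                             "sender": sender})
    return findings

# Constructed sample messages.
RENEWAL = ("From: Membership <membership@chessscotland.com>\n"
           "To: chess@example.com\nSubject: Membership renewal\n\nReminder.\n")
UNSOLICITED = ("From: \"A. Widow\" <funds@mail.invalid>\n"
               "To: Chess@Example.com\nSubject: Urgent transfer\n\nDear friend.\n")

if __name__ == "__main__":
    for raw in (RENEWAL, UNSOLICITED):
        print(check_message(raw))
```

A finding shows only that the alias reached a sender outside the expected domains; keeping the full message with its headers is what supports the case afterwards.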