The implementation of the General Data Protection Regulation and Parkswatch and the LLTNPA
Anyone is who a member of an organisation or who subscribes to blogs is likely to have been bombarded recently with communications about the new General Data Protection Regulation which came into force last week.
Parkswatchscotland is a blog, not an organisation, has no access to the personal information of people who read it (cookies generate statistics about the number of people reading posts and their country of origin) and the only personal information it does hold are the names and email addresses of subscribers and people who choose to contribute posts or comments. These contact details will never be shared without permission.
The GDPR rightly requires people to be more transparent about how and why personal data is collected and used – rather than treat this as a matter of faith – so I added a privacy page last week https://parkswatchscotland.co.uk/data-protection/. The GDPR has also encouraged me to review the information collected and stored by Mailchimp – which I, like many others, use to manage subscriptions – which by default stores the emails but not names of people who unsubscribe. I have, as a consequence, deleted all archived email subscription data. I have not asked current email subscribers to confirm what information they want to receive because this consists solely of post notifications, which can be terminated at any time. Emails, as well as names of subscribers, will now be permanently deleted from Mailchimp.
I hope this is simple enough. If you have questions which are not answered on the privacy page do contact me nickkempe@parkswatchscotland.co.uk
Implementation of the GDPR at the Loch Lomond and Trossachs National Park Authority
Meantime, while the Loch Lomond and Trossachs National Park Authority has, like many other organisations, asked people if they wish to stay in contact by email (see here). On 21st May I copied their Privacy policy, which dated from 2011, before it was replaced by an updated its privacy and cookie statement (see here) just before the GDPR came into effect. This says the LLTNPA is currently updating its data protection policies.
The revised statement fails to explain clearly what personal data the LLTNPA is collecting and holding about people and the camping byelaws, how this is then used and the legal authority for doing so. This raises serious civil liberties and governance issues, the subject of my next post.
LLTNPA is certainly confused. I’ve been trying to make a subject access request (to find out what personal information they hold on me). Firstly the Privacy Policy linked to when you make a camping permit order states that “We will hold your information from the end of the year it was provided for a period of 3 years. Your information will be retained for the minimum period necessary.” I’m not sure whether this means they’ll hold it for more than three years if necessary, or less if not – or three years whatever. In any case I (like you) fail to see why they need my personal information for three years after a camping permit booking.
Also, anywhere that the Subject Access Request form is linked to (like the Privacy Policy or their Freedom of Information page) is broken. This page doesn’t exist: http://www.lochlomond-trossachs.org/park-authority/freedom-of-information/accessing-personalinformation/
Finally, their “Guide to Information” is linked from the FoI page (http://www.lochlomond-trossachs.org/park-authority/freedom-of-information/make-freedom-information-request/) and claims that LLTNPA is compliant with “Scottish Information Commissioner’s Model Publication Scheme updated July 2017 – but the Guide states that “An administration fee of £10 is levied for all requests” which is now illegal under GDPR – subsequent requests may be charged for, but the first request must be free. See here for the Information Commissioners clear statement on this matter: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
So whilst you might have been able to charge for a SAR in the past, you can’t under GDPR. But the LLTNPA’s SAR page is broken, so you can’t anyway (at least not that way). However “The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.” So I’ll be testing that!
Thanks Andrew, it looks from all you have said that the Park is in chaos about the GDPR – there should have been a paper to their Board earlier this year and it will be interesting to see if there is one to their June meeting.
In respect of information on people who have booked permits, if the Park was going to produce statistics on how many people who booked permits were repeat visitors, holding this information to the end of the season OR possibly for the three year period before the byelaws are formally reviewed, would I think be justifiable. However, the LLTNPA has not done for this for the first year of the byelaws and as a result I cannot see why they need to hold the information at all once the booking is complete – especially because so far they have been saying they will not refund people if they don’t turn up or the permit area is unusable (eg under water)