Do we break DPA a lot?

[lunchmoney]

Interesting thought that came to me after seeing this post, from Yogi, inthis tourney thread:

Winner - thanks Yogi. I was hoping to complete the 24 at the NAF Champs but I suspect it will happen at this tournament now

Good news bad news after speaking with LGT they can’t give me a list of names to publish due to data protection but I can confirm 50/72 places have been filled.

By putting a list of names in our tourney threads are we breaking DPA? Or is this organiser being over cautious?
Tourneys, of all types, all over the world publish their list of attendees and winners. Do we need to stop this?

Personally I don't think so (especially when we use anonymous pseudonyms [aka your forum user names]), but I'm not 100% conversant with GDPR (the new law around data protection).

[yogi]

My understanding is because it’s a convention rather then a tournament it’s being run by an organisation so they would have to apply for having open list. Sadly they didn’t for there first one however moving forward with this next time I imagine they will. Anyone NAF registered will have games recorded as normal after the event as NAF against other members as per usual. I can confirm there are several new players that are not NAF which I think is part of the problem. I will be doing sign ups on the day I have spoken to Phil about this briefly already this morning.

[lunchmoney]

Yogi, it wasn't meant as a dig at that event and the organisers, but a general conversation. I can understand their caution and it provoked a thought.

[yogi]

Hi Al god no I didn’t see it as a dig at all it’s perfectly valid topic. I just wanted to flesh out the explanation so people know what’s happened and why.

[hutchinsfairy]

I've been looking at GDPR for work recently and it seems to be significantly broader than DPA.

I'm fairly confident in saying that NAF usernames would now be considered "personal information" and should be treated as such. What I'm much less sure about is what that would actually mean with regards to whether tournaments can publicise them.

TOs might well have to start getting explicit permissions at the point of sign up before publishing them and also allow for attendees who wish to opt out.

[nazgob]

I would echo that. We use pseudonyms (technical term) which can be linked with real names with relatively little effort. That makes 'Nazgob' personal data.

I think it might be good practice for organisers to start having a positive opt in for tournaments - make it clear that winners will be published, etc. I may have a think on this.

[PeteW]

Sharing names of sign ups is a 'legitimate interest', so fine to do. (There are six bases for sharing or using data, consent is just one of them.)

If anyone minds, then they can ask for their name to be withdrawn. Not a big deal.

[Podfrey]

Perhaps a NAF doc that all tournaments can use? Agree with Pete to not use consent. Legitimate interest is likely to be the best. Fulfilment of contract is an outside potential but could reasonably argued against (don’t need to publicise winner to supply the service).

For Hall of Fame (Al), you may want to consider using consent as legal basis, unless you can think of a legitimate reason for publicising names.

And as has been said, NAF Nickname is definitely personal data as it can be converted back quite easily (eg NAF rankings)

[RoterSternHochdahl]

Contract is the most solid. Not necessarily on per tourney basis, though. Naf membership could be seen as that contract. Single Naf transparency document is suffici6then

[Podfrey]

Contract is the most solid. Not necessarily on per tourney basis, though. Naf membership could be seen as that contract. Single Naf transparency document is suffici6then

I like your thinking, but that would mean linking promotion / results on TFF with NAF contract. In which case, is it a TFF contract that’s needed?

[RoterSternHochdahl]

Contract is the most solid. Not necessarily on per tourney basis, though. Naf membership could be seen as that contract. Single Naf transparency document is suffici6then

I like your thinking, but that would mean linking promotion / results on TFF with NAF contract. In which case, is it a TFF contract that’s needed?

Naf publishes pseudonomous tourney data under contract, tff quotes public data - this does not necessarily have to happen in this order btw. Tff should think about its own site features first

[Jip]

Disclaimer: This is not meant to be inflammatory

Can someone tell me why, in this instance (Blood Bowl/TFF/NAF etc.), it actually matters?

I work in a school and frequently see data protection strangle systems to the point of actually damaging outcomes and putting people at risk. That's not people being over-zealous, it's just following policies that make sense theoretically, but not practically.

Just wondered if this was just another case, as we're all often guilty of on TFF, of people over-analysing something just because it's there.

Again, not looking to appear dismissive or take the piss, I'm genuinely interested what people's fears are around this, relating to us as players.

[lunchmoney]

Can someone tell me why, in this instance (Blood Bowl/TFF/NAF etc.), it actually matters?

See my first post in the thread. The organisers of the BBGT have declared they cant give out names etc due to DPA. That prompted the conversation.

Again, not looking to appear dismissive or take the piss, I'm genuinely interested what people's fears are around this, relating to us as players.

Some people are incredibly fearful of what data is held about them (and with the Cam An thing hitting the headlines still I can understand why). So this is about what data we, as TO's hold, and what we do with it.
For EG, with people paying me via PayPal I get a real name, an email address and sometimes an actual home address of the person in question. If I were so inclined I could commit many a nefarious act with that data (I've seen my company's crime team do lots with less).
However a lot of that info can be found elsewhere - so is it really a problem that we have this info via this route?

By publishing a list of names are we making private data public? I dont think so, but it's an interesting conversation and I am open to change my views by reasoned debate.

.... people over-analysing something just because it's there.

Something to do rather than working?

[Wulfyn]

Lunchmoney, you'll be absolutely fine. Firstly DPA does not extend to individuals. If you told me your phone number I am free to write it in any toilet cubicle I like. It only affects companies and organisations.

I'd also take a different perspective to hitchins in that I feel that GDPR is a tweak to DPA rather than being significantly broader. Maybe that's because I work in insurance so this type of thing has been super serious for years. It also does not extend to individuals. I could not SAR yogi to find all the shit he talks about me in messages to others.

Furthermore even for people it does affect as long as you are clear about your inyention of use of the data and you have gained valid method of consent you are free to use it. London GT are legally allowed to freely publish that data as long as they have your consent to do so, which may be a term and condition of you buying a ticket. The only difference GDPR brings for this is that you have to be more upfront about it (i.e. stick it in an obvious and plain english privacy notice rather than at the back of your TOBA).

So really the only organisation it affects is the NAF. They probably need to be a bit clearer on the use of your data, specifically at the point they take a membership fee. Having the correct policies in place, including definitions of who are valid data controllers and processors is important to remain GDPR compliant. The most complicated part is that tournaments are NAF "approved" not NAF run, so whilst TOs are free to give the information to the NAF, it is trickier to define the NAF's rights to use it.

Jip: almost certainly it doesn't matter. This regulation is not aimed at organisations like the NAF. But it is UK law, so there is an obligation to follow it if you want to remain clear of repercussions.

[Podfrey]

Hi all,

I think, from a TFF perspective of putting names in posts, I can close this argument down now (sorry, I needed to have a think about what processing TFF was doing first).

Before I do that, I don’t believe that being an individual makes you except. Article 2.2 (c) - which is what I believe Wulfyn is identifying as “an individual” - only provides excemption “by a natural person in the course of purely personal or household activity”. The question here would be whether hosting (and charging) for a tournament counts as “purely personal” or whether it is some form of commercial activity.

That aside, the reason I believe it is OK for posting names in threads is because the scope of the Regulation only applies “to the processing of personal data wholly or partly by AUTOMATED means and to the processing other than by automated means of personal data which form part of a FILING SYSTEM or are intended to form part of a filing system” (CAPS is my emphasis) as per Article 2.1.

As neither posting a list of entrants nor posting a list of winners is done by automated means or constitutes a filing system, then it is my belief that this sort of activity is not in scope for GDPR.

Given that the BBGT organisers probably use the entrants details in a filing system, then they WOULD come into scope themselves, hence why they have taken the stance not to share any personal data out.

Hope that helps clarify a few points.

G