Thursday, 20 October 2016

Another RSGB Data Cock-Up

Back in 2012, the RSGB's Len Paget sent out my personal data, without my consent, whilst representing the RSGB, to an external organisation that had absolutely nothing to do with amateur radio, and an organisation of which he wrongly assumed I was a member.  Only Len Paget can explain why that happened.

Following this incident, the Information Commissioner's Office censured the RSGB as having been "unlikely" to have been compliant with the Data Protection Act 1998.  Short of a legal determination by a Court, those words are the closest the ICO can come to saying there was no compliance.

The RSGB at the time said it hired consultants to advise them on this issue, and that data controls would be improved.  After weeks of saying nothing to me, I asked whether the RSGB thought an apology might be in order.  Eventually, an apology was issued, but with the legal disclaimer of 'without prejudice'.

Yesterday, in an entirely different and certainly not deliberate set of circumstances, the RSGB's ARISS coordinator, Ciaran Morgan, sent out an e-mail to multiple recipients without blind carbon copying.  As a result, each recipient could see the whole list of private e-mail accounts to which the e-mail had been sent.

It's twenty years since the Data Protection Act came into being and, whilst this latest incident is accepted as a genuine accident and an apology issued by the RSGB, it does show the RSGB, like many organisations, is very slow to adhere to the law.  I can't comment on Ciaran Morgan's thinking at the time, but one of the hardest issues to overcome with e-mail is where the individual 'forgets' he is part of a wider organisation that has serious legal obligations, and sees e-mail as informal.

What the RSGB seems in need of is getting all its staff and volunteers who handle personal data to understand very well they are not sending e-mails on behalf of themselves.

Whilst some of these inadvertent data releases might appear trivial to the outsider, they may not necessarily be so.  More than one of the e-mail addresses released were state school accounts. Others may have concerns about abusive partners discovering their private e-mail addresses.

In the end, however serious or not you might think these things are, it is the law, and it is not for the RSGB to assume you are 'OK' with passing personal data around to people you don't know, unless specific consent has been given.  Neither is it 'OK' for the RSGB to think this is just radio talk amongst friends.

The ICO has received a referral, asking them to ensure the new General Manager - and the RSGB as a whole - is clear as to its legal duties.  Both Morgan and the General Manager have issued immediate apologies over this latest incident.  On my suggestion, they also issued an apology to all the other recipients who had their data released.

Those mentioned in this post have a right of reply, noting that I retain all correspondence in both cases with the RSGB and the ICO as conclusive evidence of truth in reporting.

