Jump to content


Photo

New Data Protection Laws - GDPR - will affect us all. Here’s some help

Data Protection GDPR

  • Please log in to reply
261 replies to this topic

#76 BadStrad

BadStrad

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 3979 posts
  • Member: 88756
    Joined: 28-January 10

Posted 23 March 2018 - 20:46

So in terms of answering the key question that is being asked the webcast was useless.
  • 2

#77 mel2

mel2

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 4809 posts
  • Member: 6928
    Joined: 15-May 06
  • East Yorkshire

Posted 23 March 2018 - 21:08

Just wondering whether the ISM webcast last Tuesday shed any further light? I believe Mel had registered.

Yes! Sorry I didn't report back earlier, but I'm still not all that clear on it and sent an email to the ISM legal dept and they haven't yet sent a response other than the automatic acknowledgement.

I was hoping the webcast would be like others I've watched where people could fire off queries during the thing and get sensible answers but it wasn't like that. You needed to send in questions beforehand and I can scarcely believe, after all the stress and heartache this is causing, that there were only 3, and those from people who appeared to be on board with the registration thing.

It took the form of a woman reading bits from the ICO website, seemingly, in between swigs of coffee and so by the end I didn't feel reassured that this was just for big business.

It seems one should register if one records the personal data of living, identifiable individuals such as s client lists, plus any sensitive data like political affiliation, religion, ethnicity etc. I mean, who would?? But I can see that it could be a problem if one makes notes about learning difficulties, medical problems etc.

 

It then went on about the 7 principles of data protection, which we can all look up. We can see that people have a right to know what information we hold, have access to it, a right to object to it ( why would they tell us it in the first place? Oh, hang on, Cambridge Analytica and all that - we might have inferred it from something or harvested data from some other source), a right to erasure, portability and other concepts one would need a lawyer to define.

 

She breezed on about the requirement to register if one holds this sort of data and that failure to comply would be a criminal offence. I jotted down a note about an annual requirement, but whether that meant registration at £35 a throw, I can't remember.

 

There were references to our Privacy Policies (what Privacy Policy?) and what they should contain, and how specific consent should be sought for different purposes. By this time I had decided to give up teaching.

 

One thing that wasn't mentioned, as far as I recall, was that one didn't need to register if one held minimal data for 'core business purposes' like communication, marketing, and record-keeping (IIRC). The minute you enter a student for an exam or a festival or otherwise pass on their details, then it becomes a register-able activity.

 

I asked the legal team for clarification on the registration bit and also if there were plans to provide a 'model' Privacy Policy for those of us who need our hands holding with such things. I await the answer with interest and not a little gloom.

My only ray of hope is that having a laughably small client base and little likelihood of entering any of them for exams, I might just slip through if I delete all email addresses and phone numbers, and get them to fill in their own exam entry forms and post them.


  • 0

#78 HelenVJ

HelenVJ

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 2185 posts
  • Member: 1265
    Joined: 03-May 04
  • South-East London ( OK - Penge)

Posted 23 March 2018 - 22:00

Thanks Mel - that's very informative smile.png. I'm going to wait for further clarification from EPTA and AoToS before I send anyone any money. The whole thing sounds like total overkill and as often happens the organisatiions with sinister intent will probably slip through the net.


  • 2

#79 sbhoa

sbhoa

    Maestro

  • Members
  • PipPipPipPipPipPip
  • 22935 posts
  • Member: 24
    Joined: 31-October 03
  • Tameside

Posted 23 March 2018 - 22:28

 

Just wondering whether the ISM webcast last Tuesday shed any further light? I believe Mel had registered.

Yes! Sorry I didn't report back earlier, but I'm still not all that clear on it and sent an email to the ISM legal dept and they haven't yet sent a response other than the automatic acknowledgement.

I was hoping the webcast would be like others I've watched where people could fire off queries during the thing and get sensible answers but it wasn't like that. You needed to send in questions beforehand and I can scarcely believe, after all the stress and heartache this is causing, that there were only 3, and those from people who appeared to be on board with the registration thing.

It took the form of a woman reading bits from the ICO website, seemingly, in between swigs of coffee and so by the end I didn't feel reassured that this was just for big business.

It seems one should register if one records the personal data of living, identifiable individuals such as s client lists, plus any sensitive data like political affiliation, religion, ethnicity etc. I mean, who would?? But I can see that it could be a problem if one makes notes about learning difficulties, medical problems etc.

 

It then went on about the 7 principles of data protection, which we can all look up. We can see that people have a right to know what information we hold, have access to it, a right to object to it ( why would they tell us it in the first place? Oh, hang on, Cambridge Analytica and all that - we might have inferred it from something or harvested data from some other source), a right to erasure, portability and other concepts one would need a lawyer to define.

 

She breezed on about the requirement to register if one holds this sort of data and that failure to comply would be a criminal offence. I jotted down a note about an annual requirement, but whether that meant registration at £35 a throw, I can't remember.

 

There were references to our Privacy Policies (what Privacy Policy?) and what they should contain, and how specific consent should be sought for different purposes. By this time I had decided to give up teaching.

 

One thing that wasn't mentioned, as far as I recall, was that one didn't need to register if one held minimal data for 'core business purposes' like communication, marketing, and record-keeping (IIRC). The minute you enter a student for an exam or a festival or otherwise pass on their details, then it becomes a register-able activity.

 

I asked the legal team for clarification on the registration bit and also if there were plans to provide a 'model' Privacy Policy for those of us who need our hands holding with such things. I await the answer with interest and not a little gloom.

My only ray of hope is that having a laughably small client base and little likelihood of entering any of them for exams, I might just slip through if I delete all email addresses and phone numbers, and get them to fill in their own exam entry forms and post them.

 

Apart from name I don't hold information that is needed for exam entries. I ask students/parents as I fill in the form. 

If I don't have phone numbers I can't let anyone know if I have to cancel a lesson. I could get by without email addresses as I only use them occasionally.


  • 1

#80 peri busy

peri busy

    Advanced Member

  • Members
  • PipPipPip
  • 459 posts
  • Member: 13449
    Joined: 21-July 07

Posted 24 March 2018 - 12:22

Is this applicable for just GB or is it UK wide, i.e. including Northern Ireland region?

 

I do appreciate the implications of possible misuse of personal data by huge companies etc but really, in the current digital climate, pretty much most folk (not just independents like us) have a plethera of personal contacts/email details held on a device. are we ALL to register now.... just in case??? This is again one of those instances when it sounds like the government is looking for yet another opportunity to levy a stealth tax on the working population- without spelling out their T&C's in layman's terms. 


  • 1

#81 Hedgehog

Hedgehog

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 6550 posts
  • Member: 3747
    Joined: 25-May 05
  • Suburbia

Posted 24 March 2018 - 13:51

Is this applicable for just GB or is it UK wide, i.e. including Northern Ireland region?

 

I do appreciate the implications of possible misuse of personal data by huge companies etc but really, in the current digital climate, pretty much most folk (not just independents like us) have a plethera of personal contacts/email details held on a device. are we ALL to register now.... just in case??? This is again one of those instances when it sounds like the government is looking for yet another opportunity to levy a stealth tax on the working population- without spelling out their T&C's in layman's terms. 

What irritates me is that most teachers worth their salt behave in a professional manner and will look after pupils' data carefully. What this legislation will do is to give us as sole traders quite a lot more work, plus ask us to pay to be registered.  How is that going to improve the service we already give? - it will not improve the situation as I see it. 

And dastardly companies who want to slip under the net will do so - they'll either not register, or the ICO will have so much to do (look at how many of us contemplating registering there are already!) they won't be able to police the thing properly.mad.gif  Getting bad vibes from this.mad.gif

 

PS. Having just re-read this post I realise it isn't good English. Sorry.


Edited by Hedgehog, 24 March 2018 - 13:53 .

  • 3

#82 mel2

mel2

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 4809 posts
  • Member: 6928
    Joined: 15-May 06
  • East Yorkshire

Posted 24 March 2018 - 14:11

As it is an EU directive that will remain in force after Brexit then I suppose it is UK -wide.
No one can defend the misuse of personal data and naturally we should comply with data protection law, but I wonder how many of us are likely to sell on our client lists to third parties or have the power to ensure that examining boards (for example) do not? I hasten to add that this latter case is most improbable because their organisation will have the benefit of expert legal and IT input to protect themselves as much as their stakeholders.
What annoys me is that miniscule operations are being held to the same standards and seemingly required to demonstrate compliance visibly. It is being made almost impossible (well, extremely inconvenient) to conduct one's business legally without registration.
  • 0

#83 Hildegard

Hildegard

    Prodigy

  • Members
  • PipPipPipPip
  • 1086 posts
  • Member: 887389
    Joined: 26-October 13

Posted 24 March 2018 - 14:13

Is this applicable for just GB or is it UK wide, i.e. including Northern Ireland region?

 

 

 

Its not just UK wide, it's EU wide. And it's not the government's doing, it is a regulation from Brussels.


  • 0

#84 Hildegard

Hildegard

    Prodigy

  • Members
  • PipPipPipPip
  • 1086 posts
  • Member: 887389
    Joined: 26-October 13

Posted 24 March 2018 - 14:15

What irritates me is that most teachers worth their salt behave in a professional manner and will look after pupils' data carefully. What this legislation will do is to give us as sole traders quite a lot more work, plus ask us to pay to be registered.  How is that going to improve the service we already give? - it will not improve the situation as I see it. 

 

 

I'm still not at all certain that any of it - and especially registering - applies to organisations with less than 250 employees. It seems a pity that nobody is at all clear.


  • 0

#85 mel2

mel2

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 4809 posts
  • Member: 6928
    Joined: 15-May 06
  • East Yorkshire

Posted 24 March 2018 - 16:10

 

What irritates me is that most teachers worth their salt behave in a professional manner and will look after pupils' data carefully. What this legislation will do is to give us as sole traders quite a lot more work, plus ask us to pay to be registered.  How is that going to improve the service we already give? - it will not improve the situation as I see it. 

 

 

I'm still not at all certain that any of it - and especially registering - applies to organisations with less than 250 employees. It seems a pity that nobody is at all clear.

 

My understanding from the notes I took during the ISM webcast is that if you process data electronically or in a manual filing system the data controller (i.e 'you') can be an organisation or an individual.

 

I just wish they had been clearer on the 'core business purposes' bit, especially as these seem to be very limited indeed.


  • 1

#86 Hildegard

Hildegard

    Prodigy

  • Members
  • PipPipPipPip
  • 1086 posts
  • Member: 887389
    Joined: 26-October 13

Posted 25 March 2018 - 10:16

 

My understanding from the notes I took during the ISM webcast is that if you process data electronically or in a manual filing system the data controller (i.e 'you') can be an organisation or an individual. I just wish they had been clearer on the 'core business purposes' bit, especially as these seem to be very limited indeed.

 

 

So they are ignoring GDPR Article 30.5? (which says that the obligations of maintaining records "shall not apply to an enterprise or an organisation employing fewer than 250 persons" where the processing is only "occasional" unless said processing is likely to result in a risk to the rights and freedoms of data subjects etc.)

 

Is processing defined? Is occasional defined? So many questions ... so few answers ... rolleyes.gif


  • 0

#87 aje

aje

    Advanced Member

  • Members
  • PipPipPip
  • 151 posts
  • Member: 7146
    Joined: 13-June 06

Posted 25 March 2018 - 11:27

GDPR sub-article 30.5 (out of the 99 articles) refers itself specifically to sub-articles 30.1 and 30.2, which in turn detail requirements for internal monitoring and cross-border use of information by large international organisations. Obviously these don’t apply to smaller organisations and, read in context, the purpose of 30.5 is to clarify the cut-off point.

"Processing" is defined clearly in the article I linked in the OP, which is based on the information advised and provided by the ICO, when asked how GDPR specifically impacts private music teachers.
  • 0

#88 HelenVJ

HelenVJ

    Virtuoso

  • Members
  • PipPipPipPipPip
  • 2185 posts
  • Member: 1265
    Joined: 03-May 04
  • South-East London ( OK - Penge)

Posted 25 March 2018 - 12:29

It might be an EU directive, but I have asked a few colleagues teaching privately in France, Germany and Italy, and not one of them has heard anything about it.


  • 3

#89 linda.ff

linda.ff

    Maestro

  • Members
  • PipPipPipPipPipPip
  • 8034 posts
  • Member: 183500
    Joined: 04-January 11
  • Cambridge

Posted 25 March 2018 - 12:36

 

"No, our understanding is that it applies to the client, not to the provider."
The full wording on the form says:
"Do you only process information for one of the following purposes?
 

  • Judicial functions;
  • domestic or recreational reasons (ie information relating to a hobby); or
  • to maintain a public register (ie you are required by law to make the information publicly available)."
So it seems to be about the provider ;-) 
We are reading it differently. My understanding is that the hobby pertains to the data subject (= the student), not to the teacher. :-)

 

So if your student earns money from the music you teach them, you have to register and if they don't, you don't? I don't think that's the case, surely whether or not the client is paying you for their hobby or for serious study is irrelevant, you're doing the same job and keeping the same data. I was told years ago I had to register. I'm sure it refers to the provider.


  • 1

#90 linda.ff

linda.ff

    Maestro

  • Members
  • PipPipPipPipPipPip
  • 8034 posts
  • Member: 183500
    Joined: 04-January 11
  • Cambridge

Posted 25 March 2018 - 12:39

 

Sorry - I should clarify my earlier post.  Section 5 outlines exemptions, and within that question 8 discusses core business purposes.  

 

https://ico.org.uk/m...rs-20180221.pdf

Thank you. I've just read it - mainly out of interest. I would imagine that the exemption if you are only keeping data for "accounts and records" would apply to the vast majority of music teachers.

 

I was told several years ago that I needed to register, and have paid my £35 a year. The reason? I keep records of what grade exams my students have passed. Seriously.


  • 0