Data Protection Act 2018

Good evening folks! A good friend recently drew my attention to the significant law that will come into place on the 25th May this year. Officially it's called the "General Data Protection Regulation" (GDPR), and it's designed to help everyone keep their personal information safe online. Although this forum is not a commercial website, the rules will still apply to me, and I'll need to provide you all with proof and reassurance that I can keep your data safe and, if requested, can delete anything you ask me to. In the case of this forum there isn't as much to worry about as some other sites, because there's nothing financial involved, so any data that could be vulnerable would have a relatively small impact on the individual. However, I thought I'd get the ball rolling and start a discussion here, because I'm not any kind of expert regarding the law, and I'm happy to take advice from any of you that might be able to offer help and suggestions. First of all, I'll list here the information that my forum database stores on each of you.... Username: This can be anything you choose, so does not need to be personally sensitive and may be changed at any time. Password: This is "one-way encrypted" and cannot be decrypted by anybody. Even I, with full access to the database, am completely unable to decrypt any of your passwords, hence the reason for you needing to reset it if forgotten. Here is an example of a password - 29fa5d948f39aa8uc82891fa93se6a5be382f3b2 The original might only be a few characters long in reality, but the encryption algorithm makes the stored string much longer. Location: Again, this can be a vague as you like and is unlikely to be sensitive. Email address: Although this can be decoded as part of the administration of this forum, the storage of your email address on the database is encoded in several stages and, I hope, is not possible to be used by anyone with ill intent if they somehow get stolen. Below is an example of an encoded email address - a free breakfast for anyone who is able to work it out! (And no, it's not mine!) PT1RYnZObUxrRldab2RXYWlCMGNuOUdiakpYWjJWR2JqVm1idlJHYnNWMmQ Any member, once logged in and active, may delete their own email address if desired. This, however, is risky, because if you subsequently forget your password then you'll have no means of retrieving it ! IP Address: These are only stored to help with some of the "niceties" of the forum. i.e. if you enter an incorrect username when logging in, your IP address is compared to the database entry and is used to show you a reminder of which username you probably last used. IP addresses can be dynamic and change regularly, which can render this feature useless, but it's there to help if possible none-the-less. Not very much can be discerned from your IP address - mainly the location of your internet provider, and possibly your hometown, but any of you who are worried about it being stored in the database can let me know and I can see about removing it. It's not publicly visible, though. I welcome your thoughts on how I can make anything safer, or how best to present the information about your data.

After the discovery of the Spectre and Meltdown vulnerabilities in December, no current computers with Intel, AMD or ARM processors are immune from hacking and this will remain the case until redesigned versions are available sometime later this year. Windows, Linux, Android, MacOS, iOS and Chrome are all affected. However it is unlikely anyone would expend any effort on attacking a computer with no potential of financial reward.

I've known for a while that internet security was going to be a nightmare. To avoid trouble I have several strategies. I have multiple emails and use them for different levels of security. They have different passwords and different logins. The passwords and names aren't the same for different sites. I try (not always successfully) not to give too much away about my movements. I don't have a Facebook page because it's too easy to give information to strangers who might use it to make me vulnerable to plots. Amusingly the email I use for this site has almost no spam, even though I use it for all sorts of amateur sites. So Rob and the others are doing something right. One my shopping emails is littered with all sorts of sinister junk. Shops aren't your best security friend. Might those who use their full name, want to edit them to aid you in keeping people's details secure? ie if people can't be easily identifed with a real person then it's harder for their details to be hacked. A little difficult for those looking for family members to avoid listing their family connections but perhaps we could come up with a way to protect people from revealing too much?

Thanks Helen, some more good points there. At least the small amount of information held by this site makes it relatively easy to administrate, and is also controllable by each individual member. Additionally, if anyone is sensitive about being contacted by others, then every member is able, via their profile, to switch off their "private contact" availability. Just a thought on that actually, which has just crossed my mind (and fortunately stopped halfway - it usually keeps going and disappears!).... part of the new data protection act states that any "contact me" choices should default to "No", leaving the individual to positively select to be contacted. To that end, I've just this minute changed the registration page's default to "No" for new members registering.... but does anyone here think that as an extension of that, I ought to do a mass "switch off" of all contact buttons for all members - and then let you all take the conscious decision to switch back on again in your profiles if desired? That would, at least, be making me comply with the new law - as I read it, anyway!

Hmmm. There are arguments for and against. I can see an issue with people discovering old posts and responding to the original poster by message eg 'your aunty Doreen was a friend of mine' sort of thing. Potentially the poster might want to hear from the person or, if the post was 5 years ago and they haven't posted since, they might be unsettled by a mail message out of the blue. I'm getting messages from old sites to see if I'm still interested and other sites are deleting accounts through inactivity. Is it worth turning off the off site messaging but sending an email to the effect that if they want to be contacted they need to change the setting personally. Since I've not changed the settings, does the system allow messages to just be delivered to the site mailbox or do they always copy to the member's email too? If it was possible to just put a mail message in a member's site box, then people could leave a message and they might read it if they ever log in again? Another possibility is to inactivate accounts unused for x years? I know that I wonder about all the things my Dad signed up to that are now flapping around without an owner. A bit weird. It would be good to keep the information and pictures people left but the links to old emails/departed members is unsuitable.

Once again you make some great points Helen, and I fully agree with your reasoning. You see, I just knew we had members that could help me with this! This was basically the idea I had in mind, but couldn't decide how best to execute it. It probably is best if I switch all contacts to "off" for now, and then let each member switch theirs back on if desired. I can then either try to email everyone (over 2,000 members - I'll have to learn how best to do that!) - or create some kind of cookie that detects if a member has been to their profile, and then show a reminder if they haven't. Don't worry folks, I'm not going to do this just yet - I'll give some warning! You have also jogged me into thinking about another member choice for messaging. At the moment all messages get saved in a forum mail database AND sent via normal email, too. It's probably best to add another selection in the personal profile page, so a member can decide: (a) If they want ANY contacts at all, and if so - (b) If they want messages to only go into their forum mail, to be picked up whenever they log on, but NOT send an actual email. This is something I look at periodically. Every now and again I look down the member list to see who's registered 2 years or more ago but never posted on the forum - then delete the account if it's never been used. Chances are, if ever those people tried to log on in future, they'd have forgotten their original username & password anyway, so would probably have created a second account. I've seen that many times! Many thanks again Helen for such helpful ideas... we'll get there!

I've set my messaging to inbox only. Somebody send me a message please.

If you want to email all members, does the admin allow you to send a message to all inboxes? If so, they will then relay to all email addresses who have not set 'no messaging' or 'only send to inbox' which you've just added.

That's a good question Helen. However, I've never created a "message to all" feature for this forum, so fortunately (for me) I've not needed to cross that particular technical minefield! Whenever I've wished to "speak" to all members, I've always simply used the open forum and posted an "information" message.

The messages to inbox only worked

I know this subject is not to everyone's interest including mine, but it is important that we all take note and assist Rob with this. Interference from our 'betters' has thrown an increasing load of extra work on to Rob, so, let us all make this load as light as possible for him. He will guide us in what is required, so, if he asks us to jump, we just ask, how high

Although this topic is not exactly the sort of thing that gets us excited, me included, it is something that needs to be given some thought, so I'll alter the date of this post to keep it in view for a week or so, just to give everyone the opportunity to view it. If anyone has any suggestions as to how I ought to deal with the forthcoming changes to the law, or not, as the case may be, please feel welcome to voice an opinion.

I hope I've just made a change that allows that choice now! In everyone's profile is now a three-way selection, to choose: No (Not able to send or receive personal messages) Yes (Message to forum inbox ONLY - No email) Yes (Message to forum inbox AND receive email) Until these personal selections are made and then some messages are received by any members I won't know if this works or not ! Over to you folks!

Hi Rob I've also been looking into GDPR, in connection with indie publishing and mailing lists, and wondered if you might find the following link useful: https://www.disclaimertemplate.com/privacy-notice-consent-methods-updated-gdpr/ Regards

Thank you Yanster - yes, that's a very useful link indeed. It lists the points very clearly, unlike some other sites I've seen where it's just one long essay! I'll try to work my way through them to see what more I need to do before the 25th of next month.