GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

Sleeper12

Franz Von Peppercorn wrote:

No disputing that. Merely wondering whether a permanent delete button would be alllowable in lieu of a blanket request to delete posts.

That wouldn't be workable imo. I couldn't post some outrageously offensive posts, possibly illegal posts & delete them before a mod saw it. Obviously boards.ie need to see these posts so they can't be permanently deleted under the legislation.

There is a massive difference between removing posts and permanently deleting posts under the legislation

Boards.ie: Sean

Just to note that our updated Terms of Use, Privacy Notice and Cookie Policy are now live. This may help give some clarity on some on GDPR issues being discussed on this thread.

Boards.ie: Sean

Permabear wrote: »

This post had been deleted.

As long as we can verifying the identity of the person making the request (i.e. that the person making the request is the author of the posts in question) then that person can request deletion of specific individual posts or mass deletion of posts. This process is now live and requests will be accepted regarding deletion of posts.

If we can't verify the identity of the person making the request then, in general, we will not be in a position to action requests for deletion of posts as we do not know if they are the author of the posts.

Quoting from the updated Privacy Notice

"If you have an active boards.ie account you can request that your posts be edited or deleted. This can be done by sending a Private Message (PM) to “Boards.ie: GDPR” (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).

For closed accounts all personal data (other than users’ posts) will be deleted. Therefore, posts made by users whose accounts were subsequently closed cannot be associated with other information held by Boards that relates to an identified or identifiable natural person and as such are not considered personal data.

In specific instances where the content of a post contains sensitive data or data that could be used to identify an individual and where the original poster no longer has an active boards.ie account you can request that we edit or delete the post; these requests will be dealt with on a case-by-case basis."

In terms of what happens if a post is quoted another user's post, currently the quote remains within the second user's post after a deletion of the original post. We are awaiting additional feedback from our legal team as to whether GDPR requires us to amend the current procedure and, if required, we will amend our procedures around deletion of quotes as appropriate once we have received the feedback.

Boards.ie: Sean

Bob24 wrote: »

Thanks for the update.

Just a clarification on the above: does this mean that boards see itself as a data processor solely for registered users and will therefore only process GDPR related requests from registered users?

(the underlying question being: if a post contains personal information about someone who is not a registered user, will boards treat that person as a data subject in the sense of the GDPR?)

Boards is a data controller for any user with an active Boards account. For closed accounts, during account closure we delete all personal data associated with that account other than any posts that user has made and the IP address associated with that post. To quote from our updated Terms of Use

"The posts are retained as they are an intrinsic part of the thread in which they are posted and removing may make the thread unreadable or make the other posts difficult to understand or follow. The IP addresses captured with each post are retained for anti-spamming purposes. It should be noted that post IP address cannot be linked with other data to identify the individual who made the post as all other data concerning that individual will have been permanently deleted upon account closure."

For previous closed accounts all personal data (other than users’ posts) will be deleted. Therefore, posts made by users whose accounts were subsequently closed cannot be associated with other information held by Boards that relates to an identified or identifiable natural person and as such are not considered personal data. Therefore in this case GDPR does not apply.

However, we do understand that at times posts may contain sensitive data or data that could be used to identify an individual. In the case of a user with an active Boards account GDPR applies and they can request deletion of the post. In this case where the original poster no longer has an active Boards account they can request that we edit or delete the post and we will deal with these requests will be dealt with on a case-by-case basis.

Bob24

Sleeper12 wrote: »

This is the big question for me.
I personally believe that if I quote a poster that it is now my data & not theirs. Obviously I don't know this as a fact but it seems logical to me.

I think boards would have to be very cautious before saying that when you quote a post it becomes your data.

Since (as per the new privacy policy) the original post is considered personal data of another poster, stating that it has been transferred to you could be problematic.

I guess the issue is to know whether the personal data is the the database entry itself (in which case a new post quoting it is a different entry and this a different piece of data), or the wording contained in that entry (in which case a post quoting that wording is the same piece of data).

And frankly I have no idea ...

Boards.ie: Sean

Creative83 wrote: »

I take exception to this part of Sean's post...


These requests must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).


No, the onus is on Boards to delete the data as is my understanding. No "further instructions" are necessary... This looks like Boards will try to say that the user has that responsibility in their "further instructions".

There is no question that that onus on us to delete the data when requested by the owner of that data. We cannot have a third party contact us and ask us to delete some else's data. So we need to verify the identity of the person making the request. That is why the default is to request that a PM be sent.

For a PM to be sent the user must have logged onto Boards and when the PM is received we can see the Boards account from which it is sent. This allows us to verify the identity of the person making the request.

We are not in any way trying to shirk our responsibility we are simply ensuring that we prevent malicious actors sending in requests to delete other user's data.

Sleeper12

Bob24 wrote:

I think boards would have to be very cautious before saying that when you quote a post it becomes your data.

They are working on it right now.
I can repeat what someone says. To stop me breaches freedom of speach. If I don't actually quote you but repeat exactly what you say is my data. There is no question about that

Most of this data law can't work in the states because they have the freedom of speach

Boards.ie: Sean

Sleeper12 wrote: »

I'm on the side of leaving all the posts but the official statement says that current members posts are part of their data while they are members & anything & everything can be deleted.

Closed accounts the posts are no longer a person's data & they'll be handled on a case by case.

That's how I read the statement anyway. Maybe I picked it up wrong.

That's right, that's the situation

uck51js9zml2yt

Will accounts with all posts deleted be left open?

Boards.ie: Sean

Bob24 wrote: »

Also one thing which should change but is not said explicitly in the new policy, is that when you make a deletion request in this way the post should be completely and permanently deleted from all of boards’ system, as opposed to simply being hidden from the website for regular users previously.

When a deletion request is made, the following will happen:

• The content of the post will be permanently replaced by a statement saying the post has been deleted
• Any edit history associated with the post will be permanently deleted

This is not the same as a soft deletion as a soft deleted post is visible to mods and admins. The original post content will therefore be permanently removed from the live database.

The original post content will continue to live in database backups but we have amended our database backup policy so that backups live for 30 days after which they are permanently deleted.

So in 30 days the post content will have been completely washed out of our systems, both live and backup.

Boards.ie: Sean

Bob24 wrote: »

Actually this relates to another question I would have about data access requests. It is not said explicitly in the policy but I assume any post made by a registered user which was soft deleted by a mod (and is thus still present on boards servers but not visible to the user) will be included in these requests, so that users are given the opportunity to review those posts and request full deletion if the wish to do so.

Can someone from boards confirm this is correct?

This is correct. Data access requests will include soft deleted posts

Bob24

Thanks for taking the time to read and address the questions Sean, much appreciated.

Bob24

Boards.ie: Sean wrote: »

When a deletion request is made, the following will happen:

• The content of the post will be permanently replaced by a statement saying the post has been deleted
• Any edit history associated with the post will be permanently deleted

This is not the same as a soft deletion as a soft deleted post is visible to mods and admins. The original post content will therefore be permanently removed from the live database.

The original post content will continue to live in database backups but we have amended our database backup policy so that backups live for 30 days after which they are permanently deleted.

So in 30 days the post content will have been completely washed out of our systems, both live and backup.

Thanks for also clarifying the backup retention policy, sounds like the proper way to do it!

Boards.ie: Sean

J.pilkington wrote: »

My knowledge of gdpr isn’t as in dept as some of the posters here, but is an obvious efficient option for boards and users simply for boards to re-enable the delete and edit option for posters and this will save everyone a lot of time by having users do their own clean up.

Appreciate the argument that this can disrupt threads but in reality so will the boards team having to do this themselves, most other discussion forums (including the newer generation such as redit / Facebook and Twitter) already have this option and it works very well.

To me it seems like boards are making the process for the user really awkward by having it so manual and thus hoping that users simply won’t bother.

I know if I wanted to delete certain content from boards my preference would be to firstly delete the content I want to remove myself and then close my account. All this interaction and emails and having to send evidence is a pain in the a55 for everyone.

I suppose if it’s unpaid volunteers doing the work on behalf of the commercial profit making company maybe boards don’t care as it’s no skin if their back?

A couple of things. Firstly, re-enabling the delete option for users would not make us GDPR compliant which is why we haven't gone down that route. In vBulletin (the underlying platform that powers Boards) that delete option results in a soft delete (i.e. when using that option the post is no longer visible to normal users or visitors to the site but it is still visible to mods, admins and Boards staff). GDPR requires us permanently delete user's posts on request.

Secondly, as Data Controllers GDPR states thatwe have (and I quote) "the obligation to erase personal data". So I don't think we can simply say to a data subject / user that it's up to them to delete their data, they can request us to delete their data and delete it permanently.

Genuinely, we aren't trying to make the process for the user really awkward, one of the things we looked at early on was enabling deletion for users but for the above reasons that wasn't possible.

I should also point out that the process for removing yourself completely from Boards isn't that complicated. One PM requesting that all your posts are removed en masse and then over to Control Panel and click on the Close Account option and you're done.

Boards.ie: Sean

Patww79 wrote: »

This post has been deleted.

As long as you have an active Boards account your posts can be deleted upon request - either individual posts or all posts en masse, it's entirely your decision.

Boards.ie: Sean

Beasty wrote: »

What if the OP of that thread decided to request deletion?

Currently the whole thread is deleted when an OP is deleted. However that's a soft delete, and maybe we can then retain the original discussion by re-instating post #2 on

The policy will be that when an OP requests their post will be deleted, the original posts will be deleted by replacing the post content with a standard message stating the post has been deleted. The rest of the posts will remain as will the thread. Doing otherwise would mean that we would deleting other user's data (their replies) without their consent.

So this will not be the same as a soft delete of the thread.

tsue921i8wljb3

Boards.ie: Sean wrote: »

As long as you have an active Boards account your posts can be deleted upon request - either individual posts or all posts en masse, it's entirely your decision.

Sean I'd be interested to hear your perspective on this. Do you think it will be detrimental to boards as a business? Someone earlier in the thread referenced Cloud's vision of the site as a digital archive of opinions which could be looked back on over time. There is now the possibility for this to, at least, be somewhat torn asunder. I understand that you don't have much say in the matter but would boards be better if GDPR never existed?

Boards.ie: Sean

Nody wrote: »

Actually got another one to throw in to the mix; what about the forums that allow anonymous posting? There is obviously no e-mail address registered (though a user has been known to add one anyway by mistake) so how would those be handled for identification?

With an anonymous post it is hard to see how we could verify that the person requesting the deletion is the original author of the post and without verifying the identity we could not accede to all such requests.

However, if the content of an anonymous post contained sensitive data or data that could be used to identify an individual then we would look at requests to edit or delete the post on a case-by-case basis.

Boards.ie: Sean

Ashley Tinkling Oxygen wrote: »

Will accounts with all posts deleted be left open?

Absolutely. Under GDPR when you have an active account your posts are your data and you have every right to delete them. It would be petty and vindictive of us in the extreme to want to close down your account just because you invoked your god-given (or least GDPR-given) rights!

Hopefully, even if a user decides to delete all their posts that won't stop them contributing to Boards and continuing to post in the future.

Boards.ie: Sean

Micah Shrilling Strawberry wrote: »

Sean I'd be interested to hear your perspective on this. Do you think it will be detrimental to boards as a business? Someone earlier in the thread referenced Cloud's vision of the site as a digital archive of opinions which could be looked back on over time. There is now the possibility for this to, at least, be somewhat torn asunder. I understand that you don't have much say in the matter but would boards be better if GDPR never existed?

Good question

Do I think that some threads could suffer if a lot of posters in that thread decided to delete their posts? Absolutely, it could make the thread difficult, if not impossible, to follow.

Do I think that is will become a major issue across the site? I can't say for certain but I don't think so. Most people come to Boards because they want to talk about things that excite, interest and matter to them with others that feel the same way. They are generous with their time and opinions and appreciate the fact that others are too. I think that in general that will remain the fact and they will be happy for the posts to continue to be part of the conversation.

Do I think that it is a good thing that users have protections and rights concerning their personal data? For sure I do. None of us know how well GDPR will balance the rights of the individual with that of communities (like Boards) to which they contribute and of organisations. We will all get a better idea of that in the coming weeks, months and years as the realities of GDPR begin to take hold. But the general principal of users having protections rights over their own data ... I don't think there's any argument there.

In terms of how it will impact us as a business, given that I think and hope that most users will be happy for their posts to remain on Boards then I think we'll be fine.

And in terms of Boards as a digital archive of opinions, I think it's a great point and I don't think that will change. Boards never explicitly set out with that as its purpose and that was never part of the terms and conditions that users signed up to when joining the site.

So if Boards was a digital archive of opinions, it was always an informal one. And I don't think that will change with the introduction of GDPR. In years to come people will still be able to look back and see what people were talking about and what their opinions were in those bygone days of 2018

gozunda

Boards.ie: Sean wrote: »

As long as you have an active Boards account your posts can be deleted upon request - either individual posts or all posts en masse, it's entirely your decision.

What is the procedure for initiating this process? Has this already been stickied in TaC?

Esel

Seán - say a third party gets access to a device with a logged-in account, and requests deletion? The owner would know nothing and find all their posts gone.

Or a tired and emotional user requests deletion and later regrets doing so.

Have you given any thought to restoration in these scenarios?

Beasty

gozunda wrote: »

What is the procedure for initiating this process? Has this already been stickied in TaC?

See this post from Sean, and some of the follow-up posts and responses

Updated Privacy Policy

Beasty

Esel wrote: »

Seán - say a third party gets access to a device with a logged-in account, and requests deletion? The owner would know nothing and find all their posts gone.

Or a tired and emotional user requests deletion and later regrets doing so.

Have you given any thought to restoration in these scenarios?

Once processed the deletion cannot be reversed and I'm sure the site would not want to be perceived to being obstructive in any way when observing such legal rights. It will all be dealt with by the office.

The privacy policy indicates requests will be processed within 30 days, but does not indicate any "cooling off period". Maybe they could introduce an automatic "are you sure" reply, or a minimum processing period within those 30 days

Bob24

Esel wrote: »

Seán - say a third party gets access to a device with a logged-in account, and requests deletion? The owner would know nothing and find all their posts gone.

Or a tired and emotional user requests deletion and later regrets doing so.

Have you given any thought to restoration in these scenarios?

Since GDPR requires boards to permanently delete personal data upon request, it wouldn't be very reasonable to expect them to have any long term restoration process*. They could have some kind of cooling off period whereby the data is marked for deletion but only really deleted after a week and a second confirmation from the requester, but IMO it could be over engineering it a bit for a very small number of cases - and there would be a risk of some people accusing boards of dragging its feet to process requests.

Also while I'm not saying it could never happen, since the deletion process will require to provide identification documents, the chances of someone impersonating an other person are reduced.


* it was explained that the deleted post will remain in backups for 30 days though, so I guess technically restoration would be possible within that timeframe, but TBH if it was me I don't think I would bother with selectively restoring a database for a post that someone regrets deleting (a case of mass deletion due to boards mistake might be different but I doubt it would happen very often).

Esel

By deletion, I clearly implied deletion of all posts.

Esel wrote: »

Seán - ...

The owner would know nothing and find all their posts gone. ...

Verification of requests must be robust.

Do the new terms say that a request for all personal data will result in an encrypted file being provided, with the key in a separate e-mail? How secure is that process?

OldMrBrennan83

This post has been deleted.

Permabear

This post has been deleted.

Turtwig

Are PM's not readable from your email though? You don't need to log onto boards to read a PM.

Permabear

This post has been deleted.