GDPR in Genealogy Data

[Lanticbay]

Hi,

I have tried to research (this site and others) the applicability of the recent EU General Data Protection Regulation (GDPR) to genealogy data but landed up going round in circles and more confused than when I set out. Can anyone advise on the following:

1.
GDPR replaces the UK Data Protection Act (DPA). My understanding was that genealogy data was exempt from UK DPA because the act related to living persons data only and also genealogy data was collected for personal research. However if the data of living persons was collected and passed onto others the exemption was voided. Does the same apply under GDPR ie basic genealogy data on living persons cannot be passed on without their permission?

2.
Recent developments in genealogy software packages means that data may be transmitted from user PC’s across the internet to match that data against databases on servers. These are often located in foreign (non EU) countries. Are users of this kind of software service who have living persons in their family tree software unwittingly contravening GDPR?

[Guy Etchells]

Hi,

I have tried to research (this site and others) the applicability of the recent EU General Data Protection Regulation (GDPR) to genealogy data but landed up going round in circles and more confused than when I set out. Can anyone advise on the following:

1.
GDPR replaces the UK Data Protection Act (DPA). My understanding was that genealogy data was exempt from UK DPA because the act related to living persons data only and also genealogy data was collected for personal research. However if the data of living persons was collected and passed onto others the exemption was voided. Does the same apply under GDPR ie basic genealogy data on living persons cannot be passed on without their permission?

Almost the Information Commissioner made a ruling that a person could display data of living persons on their online family tree without it breaching the Data Protection Act.
This exemption did not apply to companies.

2.
Recent developments in genealogy software packages means that data may be transmitted from user PC’s across the internet to match that data against databases on servers. These are often located in foreign (non EU) countries. Are users of this kind of software service who have living persons in their family tree software unwittingly contravening GDPR?

No.
The GDPR is a new regulation not governed by the data Protection Act decisions. All data that may identify a person comes under the GDPR this includes names. This will stand until the Information Commissioner makes a ruling on the terms of the GDPR.
Basically it means every online family tree the mentions the name of a living person and every newspaper article that mentions a person’s name and even letters with a person’s name on the front of it is a breach of the GDPR unless permission to display the name has been sought and granted.
Cheers
Guy

[PrawnCocktail]

Basically it means every online family tree the mentions the name of a living person and every newspaper article that mentions a person’s name and even letters with a person’s name on the front of it is a breach of the GDPR unless permission to display the name has been sought and granted.
Cheers
Guy

Maybe this cartoon isn't as far adrift as I thought!   

[Lanticbay]

Many thanks for your reply Guy.

As regards point 1 - I did not know of the Information Commissioner's ruling nor was it mentioned in any of the articles I read. It does explain why there are so many contradictory statements out there. Obviously some knew of the ruling but didn't mention it. Thanks for clarifying the situation.

Still scratching my head over your "No" to point 2. Given your statement on websites, newspapers etc surely sharing genealogy data of living persons with others must be a breach of GDPR if you do not have permission from that person?

[Guy Etchells]

Many thanks for your reply Guy.

As regards point 1 - I did not know of the Information Commissioner's ruling nor was it mentioned in any of the articles I read. It does explain why there are so many contradictory statements out there. Obviously some knew of the ruling but didn't mention it. Thanks for clarifying the situation.

Still scratching my head over your "No" to point 2. Given your statement on websites, newspapers etc surely sharing genealogy data of living persons with others must be a breach of GDPR if you do not have permission from that person?

the problem with the GDPR is it is a wide ranging law which may be interpreted in a huge number of ways.
https://gdpr-info.eu/chapter-1/
For example take the definition of personal data shown in Chapter 1 Article 4 of the above site.

"personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

That covers just about anything about a person whether the data controller has access to the information that would connect the person to the information or not.

The Information Commissioners guidelines to the GDPR website adds-

"Can we identify an individual indirectly from the information we have (together with other available information)?

    It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
    Even if you may need additional information to be able to identify someone, they may still be identifiable.
    That additional information may be information you already hold, or it may be information that you need to obtain from another source.
    In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
    When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
    You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments)."

This could mean on a family history site a person may add 4 empty boxes for living children of a couple.
Over time 3 of the four may die and be replaced with their names leaving that empty box. According to the above that empty box could be construed as an identifier of the fourth child, therefore it would be personal data.

The GDPR is going to make plenty of money for solicitors.
Cheers
Guy

[Lanticbay]

Many thanks for your further clarification, Guy.

Hope no-one tells the EU. As usual they are short of money and at 14million euros a pop .....