Deleted member querying data removal - GDPR
- Thread starter Alvin63
- Start date
Mr Lucky
Well-known member
Ah OK then the query I mentioned would be the only way I think. But do a backup first.
I wouldn’t be too bothered though as it isn’t your fault - they asked for a delete they got one.
Cheers - yeah I'm not too bothered. Probably just being a bit OCD about it as the forum is only 6 months old and now has a messy element! The member is happy as long as their individual thread is updated. But despite having 160 members, only about 10 post regularly and some of them would find it confusing to see this person's threads under two names. ie did they go or didn't they?
Mr Lucky
Well-known member
It was a typo caused by spell correcting!Sorry for being ignorant - I don't even know what Corrientes is
Well I wasn't too confident about dealing with SQL. But I did manage to get it sorted, thanks to this other addon by Andy - and it's worked well.
www.xf2addons.com
Update guest
Description: Updates guest username to specified user ID. This add-on is used when a member has been deleted, but then later you want to re-assign the posts back to a valid user. (Example of Update guest page) Features: All phrases start...
www.xf2addons.com
Suzanne O
Well-known member
If that former user is still emailing you about this today - tell them that their account is deleted.
If they decide to log in and find that their account is deleted and still complain might be an idea to get the GDPR people to notify them that everything's been sorted.
If they decide to log in and find that their account is deleted and still complain might be an idea to get the GDPR people to notify them that everything's been sorted.
JamesBrown
Well-known member
If someone asks for their account and personal stuff to be deleted, I just delete the account. I don't want to keep the data in case they come back! Stuff em. If someone is arsey enough to ask me to delete data once, they could beg me to come back and it's not going to happen. No forum needs those people in it.
Bozza
Member
A bit late to the party, but I'll chip in quickly anyway...
I also run a large UK-based forum, so this is all quite familiar ground. I also previously worked in Information Security for a while, so have some professional understanding too.
When it comes to PII, it doesn't have to be the case that the single data point can identify an individual. Someone used the example of a pet name before. If someone could come to your forum and see someone has a pet dog called Spot - that in isolation can't be PII. But if that formed part of a jigsaw puzzle with data points from other source and the missing piece was having a dog called Spot, then that data point IS considered to be PII and they can demand it's removal under GDPR.
The whole thing is a massive pain in the arse, frankly, and this is how I deal with the "delete everything" crowd now...
1. Yes, your account can be deleted. I can remove your user record from the forum.
2. Your posts will NOT be deleted as part of that.
3. ...so I will give you forum permissions to delete your own posts. Go through them at your leisure, and delete whatever you wish to remove.
4. Let me know when you're done, and I'll remove your user record.
If someone has 5,000, 10,000 or even 50,000 posts on the forum, they will reflect on their request somewhat.
As you've found, as soon as you start doing this, all manner of users who have sort of beef, for whatever reason, will request the same as they think they're being awkward and creating work for you. So I just bounce it back to them.
I also run a large UK-based forum, so this is all quite familiar ground. I also previously worked in Information Security for a while, so have some professional understanding too.
When it comes to PII, it doesn't have to be the case that the single data point can identify an individual. Someone used the example of a pet name before. If someone could come to your forum and see someone has a pet dog called Spot - that in isolation can't be PII. But if that formed part of a jigsaw puzzle with data points from other source and the missing piece was having a dog called Spot, then that data point IS considered to be PII and they can demand it's removal under GDPR.
The whole thing is a massive pain in the arse, frankly, and this is how I deal with the "delete everything" crowd now...
1. Yes, your account can be deleted. I can remove your user record from the forum.
2. Your posts will NOT be deleted as part of that.
3. ...so I will give you forum permissions to delete your own posts. Go through them at your leisure, and delete whatever you wish to remove.
4. Let me know when you're done, and I'll remove your user record.
If someone has 5,000, 10,000 or even 50,000 posts on the forum, they will reflect on their request somewhat.
As you've found, as soon as you start doing this, all manner of users who have sort of beef, for whatever reason, will request the same as they think they're being awkward and creating work for you. So I just bounce it back to them.
Mr Lucky
Well-known member
I did that once and it made a complete nonsense of many threads. He deleted every post, the reason being he’d read somewhere people could steal his ID. Fair enough if he’d posted his address, mugshot, DOB, social security number, passport number, name of his dog, mother’s maiden name, bank password etc.
But he hadn’t .
Cheers. I've already added a forum rule for people to use anonymous usernames and not to use real names (which isn't necessary in this forum). So in future I don't have to go through deleting names. In this instance I had said send me the url of any post you want deleting (as someone else had advised).
Another question though? What happens if you delete a banned member? Should you unban them before you delete the account?
Another question though? What happens if you delete a banned member? Should you unban them before you delete the account?
It does make me think GDPR was more intended for sites that have details of your name, address, date of birth and bank details. ie information that could lead to identity fraud. A forum only has an email address and ip address stored. Unless they've included personal info in any content. So deleting an account just to purge an email seems a bit over the top anyway - when most people have their email registered on sites all over the internet - supermarket shopping, Amazon etc.
This article is interesting though. It says that that scope of PII has grown considerably and includes IP addresses and digital images/videos. On the other hand it also says.
Based on that you could securely delete email address, IP address and any other identifying info in posts. But not necessarily the account (which I know has been mentioned before). Although purging IP addresses could be tricky. This also suggests any videos posted should be removed (they might show something identifiable in the background).
www.groundlabs.com
That kind of suggests they only have the right to have information "securely deleted" and also suggests it's only if the organisation storing the data can't manage it in a secure manner.
Based on that you could securely delete email address, IP address and any other identifying info in posts. But not necessarily the account (which I know has been mentioned before). Although purging IP addresses could be tricky. This also suggests any videos posted should be removed (they might show something identifiable in the background).
What is PII for GDPR | Ground Labs
The GDPR put companies under legal obligation to protect the personally identifiable information (PII) of their employees, customers, and third-party vendors. Learn what PII under the GDPR means and what its requirements are.
www.groundlabs.com
Mr Lucky
Well-known member
I can’t see how it would make any difference
zappaDPJ
Well-known member
That's one thing I wouldn't do. I'd ask the member to identify anything they consider PII rather than giving them carte blanche to disrupt the flow of threads.
GDPR has evolved from a well intentioned method to ensure users could control their data to an absolute sprawling mess of legislation that is no longer suitable for purpose and has caught small and legitimate businesses in red tape that was never aimed at them originally.
The accout would be deleted, gone for good, the information taht way once associated wiht it would be disassociated or deleted - that state the user was if before deletion doesn't matter at all.
Nope. GDPR is intended to cover any data that could be used to directly or indirectly identify a human being- that might be a real name, email, birthdate, IP, geo location, SSN, photo, user ID - maybe even the name of a dog or photo of a cat (if that is sufficiently unique).
Nope. By default there are custom profile fields for location and various identities (Facebook, Twitter, etc.) - those are PII as well.
If users use linked accounts those IDs are PII as well.
If they uploaded photos with GPS data this is PII as well.
And so on.
Personally I'd disagree, but it doesn't matter what I (or you) think - what does matter is law.
And that is pretty clear in stating that PII must be deleted (or in some cases restricted) upon request, there is no way around that.
Personally I'd just delete accounts upon request so they are gone for good.
If they come back and want their account restored - that's their problem, they requested it to be deleted in first place and that was done.
If they instead come back and request further PII to be removed they have to show that this data can be used to identify them - if they can do this even after the account has beed deleted the data in question obviouslly is PII and must be removed; if they can't show that the data in question can be used to identify them it most likely isn't PII - isn't it?
Mr Lucky
Well-known member
Which brings us back to the question: if all the account data is gone when the account was deleted, how do we know whether they are who they say they are?
IMHO & IANAL that's quite easy:
According to article 17 GDPR the data subject can request removal of personal data - if they can't show that they are the data subject in question they can't exercise this right.
Mr Lucky
Well-known member
I can see them getting a bit frustrated when they email saying the email address proves because it’s the same one from the account, and you reply “how do I know that? I deleted everything and don’t remember the email address, sorry”
Similar threads
- Question
