Deleted member querying data removal - GDPR

[Alvin63]

I'm tempted just to delete the account tbh. Don't want them back (although I realise they could sign up again but would be easily recognisable!). I have an addon that puts "banned" under a banned user's name. And did this partly to be clear to other members that someone was banned. Which is presumably why they want to change their username and close the account so they don't look banned. Just wondering if it would still say "banned" if I deleted the account and the username changed to "deleted member xyz". I guess I could just call them "banned member" instead of "deleted member xyz".

 

[Alvin63]

I did that. Deleted the account (kept the posts) and chose "banned member" instead of deleted member xyz. And obviously the "banned" add on doesn't work for a deleted member rather than a member who was banned but not deleted. Maybe having banned under a name isn't such a good idea after all if it triggers them to ask for account closure.

 

[zappaDPJ]

They have now emailed asking to close their account citing GDPR and claiming their username could identify them (it's not actually their real name).

For reference they are correct, they could be identified from their username e.g. a Google search on the username may well allow you to identify them in other places especially if the username is fairly unique: https://www.google.com/search?client=firefox-b-d&q=Alvin63

System generated usernames such as guest1234 should be OK and that's what you would use if you want to anonymize the member's account but keep the associated content (with PII removed as necessary).

 

[Mendalla]

And did this partly to be clear to other members that someone was banned. Which is presumably why they want to change their username and close the account so they don't look banned.

If this is the case, you'll want to be watching for possible returns. This is why I don't like deleting users. If the account still exists, I can check IPs and emails of new registrations against it. And, yes, I have two problem users who keep trying to sneak back in so it has paid off.

 

[Alvin63]

Thanks both. Yes I could have just changed the username but they specifically ask for the account to be deleted (for a second time after a temporary ban) and were currently banned, and don't want them back so decided to delete it which anonymises the username anyway - I like the idea of distinguishing between banned and deleted members though.

Mendalla - yes totally agree. By closing the account it means they might re register again. I'll deal with that if it happens. I could try banning the IP address though. It is a bit bonkers when fully deleting the account means removing everything - and then they email you so it gives you their email address and IP address again!

 

[Mr Lucky]

It is a bit bonkers when fully deleting the account means removing everything - and then they email you so it gives you their email address and IP address again!

Deleting an account and personal info from a website database is not the same as receiving an email

 

[Alvin63]

How exactly do you ban an IP address anyway?

 

[Mr Lucky]

Deleting an account and personal info from a website database is not the same as receiving an email

Besides if you delete the account then get an email from them you could just block or delete their emails

How exactly do you ban an IP address anyway?

ACP > Users > Banned IP

 

[Alvin63]

Thanks.

 

[Alvin63]

So if I ban the IP address, would that also stop them from emailing the forum email or not? And is the owner notified that their IP address is banned?

 

[Mr Lucky]

So if I ban the IP address, would that also stop them from emailing the forum email or not? And is the owner notified that their IP address is banned?

It would just ban that IP. I don't know what you mean by "stop them e-mailing" - what you do on the forum has no effect on what people do on their computer, they can still send to any email address obviously.

 

[Alvin63]

Thanks. I meant when they send an email to the forum email address it also seems to quote their IP address at the top of the email. On the other hand, that was before their account was closed. So I guess it wouldn't do that if they were no longer a member, Cheers.

 

[Mendalla]

You could also block them at the system level if you have the capability. I've did that with some common spam IPs (including an entire class B in Pakistan) using an app in cPanel. If you had a private setup with a firewall, you would do it on the firewall. That keeps them from even reaching your site, let alone signing up. And some email systems can be filtered on IP, too. Depends on how much effort you want to put in. Simply banning the IP in Xenforo is just the quickest and easiest.

 

[Alvin63]

I no longer delete accounts, I just “close them” by changing the username, deleting all data, profile, avatar. Add to a usergroup called account closed which has no permissions to do or see anything.

It’s as good as deleted but it is reversible

Just about to do this with someone who has left. When you say deleting all data, do you mean all their posts? Or do you mean their email address? Presumably there would still need to be an email address attached to the account?

 

[Paul B]

XF accounts do not require an email address.

 

[zappaDPJ]

Just about to do this with someone who has left. When you say deleting all data, do you mean all their posts? Or do you mean their email address? Presumably there would still need to be an email address attached to the account?

The only data you need to remove to comply with the directive is Personally Identifiable Information (PII). That includes the member's username, email address and as far as the UK's interpretation goes, usually an IP address or cookie Identifier.

Personally I always inform the member before taking action that it cannot be reversed and I also put the onus on the member to list the content that identifies them. If they still want to proceed, it makes the admin side of things so much easier.

 

[Alvin63]

This member doesn't want their account deleting. They've just left and want their account anonymising. Of course they may come back again at some point so being able to easily reverse it would be good.

 

[Alvin63]

So just wondering what @Mr Lucky does. When you say you change their username, do you just put a different username or call them "past member" or something?

 

[Paul B]

Just change it to the member ID - Member 236849 .

Or tell them to submit a user name change request.

But unless they are requesting deletion under GDPR, you are not obliged to do anything.

 

[zappaDPJ]

Just change it to the member ID - Member 236849 .

Or tell them to submit a user name change request.

But unless they are requesting deletion under GDPR, you are not obliged to do anything.

That's what I would do.