GDPR discussion thread

> They said I need to inform the user how they can verify their identity given they no longer have access to the email address on the account. Any ideas?

I would say: If they cannot verify their identity, you do not need to answer any GDPR requests.
How you verify the identity of your users is up to you. This has nothing to do with XF.
 
> How you verify the identity of your users is up to you. This has nothing to do with XF.

I would have thought it's relevant to this thread though which is about GDPR in relation to forum management. There are people giving advice here, as well as people learning from that advice.
 
So the user we banned finally reported us to the ICO as they sent a letter asking us to review how we handled it.

They said I need to inform the user how they can verify their identity given they no longer have access to the email address on the account. Any ideas? @Chris D @Slavik

Also, is the data exported by XF the full extent of what I need to send for a subject access request? That doesn’t include IP addresses etc.; do I need to also provide them? If so, can someone suggest an SQL query that will list a user's IP addresses.

I’ve got 10 days to respond to this (and am on holiday!) so any advice would be great :)


I would be replying that in line with best practices you keep an absolute minimum of personal data related to an account on record.

That to authenticate any requests relating to an account, you ask for proof of ownership of that account, which can be either a) sending the request while logged into the account, or b) sending the request from the email registered to that account.

Since these are the only ways the user has to securely identify that it is their account, if they cannot do either you cannot be sure the request is legitimate, and in line with protecting the data of your users, you declined the request. To fulfil such requests on the basis of "it's my account, honest guv" would be grossly negligent in your duty of protecting your users' data.

If the user wishes to authenticate themselves, they should first regain access to the email and send a valid request.
 
Do IP addresses need to be sent as part of a request?

Is there a simple query to list the IPs for an account?

My understanding would be that if a member has a dynamic IP address it's absolutely pointless to send them or even consider they are relevant to GDPR.

A static IP address is something the member would know you have because (I think) under GDPR you would mention in your privacy policy that you store that information for legitimate purposes.
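For the two questions above about listing an account's logged IP addresses, here is an added example (not code from the thread or from XenForo) of queries against the stock XenForo 1.x tables; the table and column names are assumed from that schema, and the username is a placeholder:

```sql
-- Added example: every IP address XenForo 1.x has logged for one account,
-- grouped the way you would present it in a subject access request.
-- Assumes the stock XF 1.x tables xf_user and xf_ip (ip is VARBINARY(16),
-- log_date is a Unix timestamp) and MySQL 5.6+ for INET6_NTOA().
SET @target_user_id = (
    SELECT user_id FROM xf_user WHERE username = 'example_user'  -- placeholder username
);

-- Summary: one row per distinct address, first/last seen, and what it was used for.
SELECT
    INET6_NTOA(ip.ip)                                                   AS ip_address,
    COUNT(*)                                                            AS occurrences,
    FROM_UNIXTIME(MIN(ip.log_date))                                     AS first_seen,
    FROM_UNIXTIME(MAX(ip.log_date))                                     AS last_seen,
    GROUP_CONCAT(DISTINCT ip.action ORDER BY ip.action SEPARATOR ', ') AS actions
FROM xf_ip AS ip
WHERE ip.user_id = @target_user_id
GROUP BY ip_address
ORDER BY last_seen DESC;

-- Detail: the raw log, if the requester (or the ICO) wants every entry.
SELECT
    FROM_UNIXTIME(ip.log_date) AS logged_at,
    INET6_NTOA(ip.ip)          AS ip_address,
    ip.content_type,
    ip.content_id,
    ip.action
FROM xf_ip AS ip
WHERE ip.user_id = @target_user_id
ORDER BY ip.log_date;
```

INET6_NTOA handles both the 4-byte IPv4 and 16-byte IPv6 values XF stores in that column, so one query covers both.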
 
> Since these are the only ways the user has to securely identify that it is their account, if they cannot do either you cannot be sure the request is legitimate, and in line with protecting the data of your users, you declined the request. To fulfil such requests on the basis of "it's my account, honest guv" would be grossly negligent in your duty of protecting your users' data.


Wholly agree.

There will be many cases of malicious actors, including that on the highest authority that a man's foes shall even be of his own family *, seeking to control or ruin internet accounts.

* [ Christ's warning must have resonated with James II & VII, as his children deserted and joined the traitors... ]


> If the user wishes to authenticate themselves, they should first regain access to the email and send a valid request.


Nuh'uh.

I am fully in favour of screwing with people who are damned nuisances, but this is a step too far. Trying to recover a lost email account is one of the chief tortures set in Buddhist Hells for he who is abusive to his betters or destroys a beehive.
 
> I am fully in favour of screwing with people who are damned nuisances, but this is a step too far. Trying to recover a lost email account is one of the chief tortures set in Buddhist Hells for he who is abusive to his betters or destroys a beehive.

Then that "personal data" isn't "personal data" any more... is it? So then what else do we have that falls under PD? IP addresses. Without anything in combination with it... I don't think there is anything left to do.
 
I think I mentioned in this thread or elsewhere sufficient proofs that could be posted by mail, attestations by ministers and officials, that would satisfy me someone was who they claimed to be [ and I would delete what they desire except for posts; although this anonymisation tool does the trick if not too often used ].

Onerous no doubt, but if people want to be difficult, it's OK to be difficult back.
 
So I sent the guy his SAR data but told him we were refusing to delete it due to our "legitimate interest". He complained but the ICO agreed with us. He then complained about our retention length of the data (which is currently indefinite) and the ICO agreed with him that we need to provide a retention length.

It raises lots of questions though.

Does this relate to any banned accounts or only accounts who've requested that data be deleted?
What retention length is acceptable?
Does XF have any way to automatically flag when a banned account has been banned for the retention period so an account can be reviewed and have the personal data (i.e. email address and DOB) removed? This seems like it'd be pretty necessary, doesn't it? @Mike @Chris D @Slavik

How is everyone else handling this?
 
A reasonable metric to base the retention period on is a user's last activity; for most banned users this will be the same as their banned date.

In which case it can be done manually with the Batch update users tool.
 
Hmm is that the same thing?

If I do the batch update, select only banned users and select last login of the retention period that will work but doesn't that become a massive pain having to do that every day?

Surely an automated "user X has been banned for 5 years, please review their account information" would be a much better solution?
 
Also what's the best way to remove an email address from an account given that it IS the account information?

There seems to be these options:
  • Discourage users
  • Undiscourage users
  • Ban users (permanently)
  • Unban users
  • Remove avatars
  • Remove signatures
  • Remove websites
Having a "Remove email" and "Remove DOB" options would be really useful here.
 
That could be a better solution, but unfortunately the software doesn’t do it at the moment so you’ll have to handle it manually if you feel it is necessary to.

No one said you have to run it every day.

If you have a documented retention period of, say, “up to 60 days”, you’d run it monthly.
 
> That could be a better solution, but unfortunately the software doesn’t do it at the moment so you’ll have to handle it manually if you feel it is necessary to.
>
> No one said you have to run it every day.
>
> If you have a documented retention period of, say, “up to 60 days”, you’d run it monthly.

It's not an "if we feel it necessary to" issue though. The ICO made it quite clear that an indefinite retention period is not an option so it becomes a requirement.

I'm assuming it's quite easy for some sort of cron check to do this and given how great you guys were at getting all the other GDPR stuff in quickly I was hoping you'd do the same with this.
 
The tools are already there to do this, albeit manually.

Not everything has to be handled by the software, and not everything has to be handled automatically. There are no immediate plans to add this, and certainly not in the XF 1.5.x line which is rapidly approaching the end of its life.

Feel free to create a suggestion for it (if one does not already exist) and it will be considered in the future.
 
> It's not an "if we feel it necessary to" issue though. The ICO made it quite clear that an indefinite retention period is not an option so it becomes a requirement.
>
> I'm assuming it's quite easy for some sort of cron check to do this and given how great you guys were at getting all the other GDPR stuff in quickly I was hoping you'd do the same with this.

Could you not go back and just give them an arbitrarily high number, say, 10 years, to the point that everyone will have long forgotten?

You could also try to argue for, say, 5 years from the last point of contact, as banned accounts after that time are likely to never be wanted nor missed, and that you have a legitimate interest in retaining the data for that period. If a banned user frequently contacts you, it suggests they are attempting to undermine the ban from your site and thus you need the data to keep them off your system.
 
Cheers, just made a suggestion.

We have 800-odd accounts that have been banned for over 5 years. Even with the batch update tool listing them, going into each one, deleting the email address and zeroing out the DOB would take ages. Yeah, it's possible, but it's also possible by a series of database queries. Neither are very user friendly though.
 
If your retention period is 5 years, why do you need to manually edit the users, one by one? Why not just use the batch update tool to delete them? If there is a need to not retain the data for that long, what is the benefit of keeping those accounts at all?
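As an added example (not from the thread or from XenForo) of the database-query route mentioned above, the following finds permanently banned accounts inactive for longer than a documented retention period and then removes the email address, date of birth and logged IP addresses from exactly those rows. It assumes the stock XenForo 1.x xf_user, xf_user_ban and xf_ip tables and the five-year period discussed in the thread.

```sql
-- Added example: retention review and scrub for permanently banned accounts.
-- Assumes the stock XF 1.x schema: xf_user (is_banned, last_activity, email,
-- dob_day/dob_month/dob_year), xf_user_ban (ban_date, end_date = 0 means permanent)
-- and xf_ip (user_id). Timestamps are Unix seconds.
SET @retention_seconds = 5 * 365 * 86400;            -- 5 years, as discussed in the thread
SET @cutoff = UNIX_TIMESTAMP() - @retention_seconds;

-- 1. Review pass: list the accounts that fall outside the retention period.
SELECT
    u.user_id,
    u.username,
    u.email,
    FROM_UNIXTIME(u.last_activity) AS last_activity,
    FROM_UNIXTIME(b.ban_date)      AS banned_on,
    (SELECT COUNT(*) FROM xf_ip AS i WHERE i.user_id = u.user_id) AS logged_ips
FROM xf_user AS u
JOIN xf_user_ban AS b ON b.user_id = u.user_id
WHERE u.is_banned = 1
  AND b.end_date = 0                 -- permanent bans only; temporary ones expire by themselves
  AND u.last_activity < @cutoff
  AND u.email <> ''                  -- skip accounts scrubbed on an earlier run
ORDER BY u.last_activity;

-- 2. Scrub pass: same predicate, so only the rows listed above are touched.
--    The IP log is deleted first because the predicate relies on email still being set.
START TRANSACTION;

DELETE i
FROM xf_ip AS i
JOIN xf_user AS u     ON u.user_id = i.user_id
JOIN xf_user_ban AS b ON b.user_id = u.user_id
WHERE u.is_banned = 1 AND b.end_date = 0
  AND u.last_activity < @cutoff AND u.email <> '';

UPDATE xf_user AS u
JOIN xf_user_ban AS b ON b.user_id = u.user_id
SET u.email = '',
    u.dob_day = 0, u.dob_month = 0, u.dob_year = 0
WHERE u.is_banned = 1 AND b.end_date = 0
  AND u.last_activity < @cutoff AND u.email <> '';

COMMIT;
```

Because this writes to xf_user directly, bypassing XenForo's own data writers, run the review SELECT first and test the scrub against a copy of the database before touching production.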
 