Stuart Wright
Well-known member
When someone puts in an SAR (subject access request) in accordance with GDPR, forum owners have a legal responsibility to reply with a lot of specific information.
Following such a request and a subsequent complaint by a forum member for non-compliance to the UK data commissioner’s office, I need to ask this question.
What SQL queries do we need to run to supply all of a member’s information?
We need their user record and all the records from associated user tables including user change logs and IP logs.
Also any records from addons such as the user notes system.
I think it’s reasonable to say that publicly posted information does not need to be sent since this was posted by the person. Similarly private messages including the member are deemed private and so shouldn’t be sent. However, private conversations between moderators about that member may need to be included.
In the above case, I got direct help from a person working in the data commissioner’s office (who was extremely helpful) and though the member’s account had already been deleted, so there was no information to send, that didn’t mean I could send ‘nothing’ as a response. I had to amend our privacy policy significantly to comply with GDPR (including adding their address and phone number) and then reply addressing each specific request.
Also I was told that it is not acceptable to delete someone’s account upon receiving an SAR in order to avoid sending the information.
So could someone help specify the queries to run please?
And ideally there should be a function in XenForo to output all the data in a relatively easy-to-read format.