Urgent help from uk xenforo users

ineedhelp

Well-known member
Someone said they can have my site shut down because I don't offer members an account deleting option.

I'm obviously using the xenforo forum system.

So under the UK Data Protection Act. Is this true? Xenforo forums doesn't offer this open to users. So how is it the site owners fault?

I Can delete people's account if they request but it's not mentioned on the forums that members can request to have there account deleted.

Does the data protection act really apply in this situation? Surely xenforo must have thought all this through ?
Please reply.
 
Make sure your terms of services that they agree to (before they sign up!) mentions that submitted data becomes the property of the web site, and that (exceptions aside) you don't prune accounts or content.

I don't delete accounts upon request, unless the person has exactly 0 posts, hasn't been active in any way, etc. if they have been active "at most" we null the name/email, but we don't touch the posts.
 
If they do not use their real name, and their identity cannot (reasonably) be established from the content they post - no. Privacy applies to a person, not an Internet handle.

I have text in my registration terms that explicitly states we do not delete accounts/post history.

It *is* reasonable to expect you to remove their real name and email address form their account - which I will do for people if they request it, but AFAIAA there is no legal requirement to do so.

Cheers,
Shaun :D
 
The UK has their data protection law, but it basically means upon request you might have to provide them with a dump of the private data. It's worth googling.

The EU has a data protection act as well.

But these don't include 'prune all data upon request', I've never read that.

I am from the Netherlands btw.
 
Make sure your terms of services that they agree to (before they sign up!) mentions that submitted data becomes the property of the web site, and that (exceptions aside) you don't prune accounts or content.

I don't delete accounts upon request, unless the person has exactly 0 posts, hasn't been active in any way, etc. if they have been active "at most" we null the name/email, but we don't touch the posts.

All the registering and the terms are default xenforo terms as they come with the system.. I've not changed anything.

So I not even required to delete accounts of I don't want too?
 
All the registering and the terms are default xenforo terms as they come with the system.. I've not changed anything.

So I not even required to delete accounts of I don't want too?
\

You could email him once more.

To my best intentions and knowledge, based on what I have observed after reading the UK data protection act there's no clause mentioning it's mandatory to comply to data pruning requests. Thank you for your concern and request, and as a courtesy I provide you with these options:
a) As a courtesy and at our discretion we nullify the user-account by renaming the username and changing the email to oldusername@example.com.
b) We await a court order by a Judge 'it is ordered' to prune specific data from your account from our live database.
c) You accept that we do not have to prune any data, and discontinue using our site because you no longer agree to our terms of services. And we consider this matter resolved.
 
It'll take me a year to read through all that...lol

So to simplify the topic... My site can't just shutdown out the blue for this reason?

Cos the registration doesn't ask for personal details apart from email address and as for d o b... Most lie about their age anyways...

What about users who sign up using the Facebook login... Can they deactivate or delete there account via Facebook or something?
 
If they do not use their real name, and their identity cannot (reasonably) be established from the content they post - no. Privacy applies to a person, not an Internet handle.

Unfortunately in the UK, that's not right, thanks to the Data Protection Act, even posting under a pseudonym, the DPA still applies.

However, as far as the original post goes, the posts they have submitted are in the public domain, the DPA doesn't apply. The DPA only applies as far as what you do with private user data (i.e. their email address, real name, etc.. stuff that may not be public on their profile. It also applies to PMs between you and the user and any discussion threads about them in any private moderator / administrator forums.

It should also be noted, that if a user is banned, you also shouldn't tell any other users any details about the banned user's account, including why they were banned.

If a user ever requested DPA records from you, that's basically what you would have to supply them with, evidence of their private data, any PMs between you & them and print outs of any threads in moderator / administrator forums that concern them.

It really does go a little too far in my opinion, but I've had legal advice on the matter, so I can speak with some degree of knowledge on this.
 
MGSteve - so any advise on avoiding these issuses?

If I delete any pms then how does one convince anyone in question that it is deleted?

And if threads are not part of data protection act cos they are in the public domain. Why would you need to provide printouts?

What are the chances of 1 user who signed up yesterday to get my site shutdown because of no account deleting option?
 
Users don't have the right to have data deleted, they have the right to have it corrected if its wrong, and if they pay you a tenner they have the right to get a copy of it, and thats it. oh and you shouldn't be keeping more than that's needed to run the site.

Also if your not a company and you just run the site as a hobby then your not even required to register as a data handler with the ICO.
 
Users don't have the right to have data deleted, they have the right to have it corrected if its wrong, and if they pay you a tenner they have the right to get a copy of it, and thats it. oh and you shouldn't be keeping more than that's needed to run the site.

Also if your not a company and you just run the site as a hobby then your not even required to register as a data handler with the ICO.

R U from the UK as well?

Yes it's a hobby so I don't want such issues.

I don't keep anything more or anything less, only what is required by the xenforo registering process.

So what about deleting users on request? Required or not? Or as the poster said earlier just change email login n username?
 
Yes and i've been in touch with the ICO before about it. You wouldn't get shut down anyway, if something was to happen it would be a fine, and only for data loss but extremely unlikly as for a regulator they are quite toothless, I mean look at what has happened to some of the high profile companies that have lost sensitive data in the past.

I wound't worry about it at all. I think its under German Law that your required to offer the chance to delete accounts, just make sure your T&C's are updated from the default like GeekChat said to state that posts are not removed and you've covered yourself.
 
MGSteve - so any advise on avoiding these issuses?

If I delete any pms then how does one convince anyone in question that it is deleted?

And if threads are not part of data protection act cos they are in the public domain. Why would you need to provide printouts?

What are the chances of 1 user who signed up yesterday to get my site shutdown because of no account deleting option?

Deleted PMs aren't an issue as they've been deleted, DPA only applies to data held by an organisation that concerns the member, if its deleted, its gone.

With regards to threads - I was talking about private threads in the moderator / admin section that discuss the member concerned, obviously these are private (sort of like notes the bank may keep about you when you ring up) and are covered by the DPA.

I've never heard of a site being shutdown because they don't delete accounts. At the end of the day, if someone wants their account deleted, we tend to remove any personal info from the account and leave the account there.

Basically and I can't offer this as cast iron legal advice as I'm not a lawyer and as such I have to put that disclaimer; the member is talking rollocks. if he wants to be deleted, simply change the email address and remove any personal info out of his profile.
 
I called the ICO - and the helpline lady assured me I had nothing to worry about after I had explained the situation, though I have also emailed them so I can have a written assurance of what the lady said!

She said as my website is a hobby and for personal use then it doesn't fall under the DPA.

--------------------------

Can someone tell me how and where I can go to edit the T&C of the registration process, please, thanks!
 
^^^^^ Thanks, found it!

NEW TOPIC:

I've searched the Help Manual, but couldn't find the answer to my question:

For example, I want to ban a users IP address, example IP 213.23.45.187......... To ban this user's ip I would ban it as 213.23.*

Right? Or the whole IP?

And....... Will this IP ban ONLY effect that 1 single user? say there are other users on the same street as him, they won't be effected, will they?
 
Top Bottom