
Thread: Dealing with breaches of data safety

  1. #1

    Join Date
    Jan 1970
    Posts
    0

    Dealing with breaches of data safety

    Last night an email was sent out by the returning officer.

    The first 100 people to get this also received the email addresses of the other 100 people on the list.

    I have two questions.

    1) How would you prevent this from happening?

    2) If it were to occur again, how would you deal with it?

    Cheers

    Tony

  2. #2

    Join Date
    Oct 2007
    Location
    Porthcawl S Wales
    Posts
    487

    Default

    I would like to apologise to all concerned as I have already done so on the Facebook group where this has been posted.

    This is way above my technical knowledge and I would not know how to prevent this happening again. All I can do is apologise on the returning Officer's behalf - human mistakes can and do happen and if there was anything I could do to help correct this then I would.

  3. #3

    Join Date
    Jan 1970
    Posts
    0

    Default

    Lillian, you and the rest of the committee were not informed by the returning officer or the Chairperson. The fault on this occasion is not with the majority of the committee.

    How people would deal with it is a deal breaker.

  4. #4

    Join Date
    Jul 2012
    Location
    Poole, Dorset
    Posts
    111

    Default

    Quote Originally Posted by Mongoose39uk View Post
    Last night an email was sent out by the returning officer.

    The first 100 people to get this also received the email addresses of the other 100 people on the list.

    I have two questions.

    1) How would you prevent this from happening?

    2) If it were to occur again, how would you deal with it?

    Cheers

    Tony

    Firstly, I would like to say I am not making any comment about the incident of yesterday; I don't know the circumstances by which that happened. It may be a matter for the new Committee, when elected, to look into.

    To answer the 2 questions:

    1) I would expect GAGB to use a proper legally run external email mailing list provider which provides the means to avoid this. There are several such email mailing list providers available to use which wouldn't require a fee to use. They would also meet any rules and regulations on Data Protection and European anti-spam laws.

    I won't openly name any of the email mailing list providers as I don't wish to be accused of advertising.

    2) If we were to use a proper email mailing list provider as I suggest above I would not expect it to happen again. In six years of using such providers I have not known any email list I managed via such a system to be compromised.

  5. #5

    Join Date
    Jan 1970
    Posts
    0

    Default

    You have not answered what you would do if it were to happen despite the provider?

  6. #6

    Join Date
    Jul 2012
    Location
    Poole, Dorset
    Posts
    111

    Default

    Quote Originally Posted by Mongoose39uk View Post
    You have not answered what you would do if it were to happen despite the provider?

    For me to state the action I would expect to follow would depend on how the data leak happened. To speculate about future possibilities of data being compromised could lead me to write a book on the subject; the subject is quite complex.

    All data we collect should be used in accordance with the principles of data protection as set down in Data Protection Act 1998, regardless of our need to register or not under the Act.


    Schedule 1 to the Data Protection Act lists the data protection principles in the following terms:

    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

      (a) at least one of the conditions in Schedule 2 is met, and

      (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
    2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
    4. Personal data shall be accurate and, where necessary, kept up to date.
    5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
    6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    Taken from http://www.ico.org.uk/for_organisations/data_protection

  7. #7

    Join Date
    Jan 1970
    Posts
    0

    Default

    So no a simple apology to start with..........

  8. #8

    Join Date
    Jul 2012
    Location
    Poole, Dorset
    Posts
    111

    Default

    Quote Originally Posted by Mongoose39uk View Post
    So no a simple apology to start with..........

    Yes, of course. That was so obviously required in my mind I didn't think to actually say I would say sorry.

    Then I would move to the investigation and take action from there.

    Paul

  9. #9

    Join Date
    Jan 1970
    Posts
    0

    Default

    Yes I have separate email addresses. This one was one I share a little but not much and only by my choosing. I have had it quite a number of years and it has a very low spam count. I hope it stays that way.

    As for mistake yes it was but a 2 minute job to send an apology at the time.....



    However my question remains when/ if it happens again... how is it potentially managed.

  10. #10

    Join Date
    Oct 2007
    Location
    Porthcawl S Wales
    Posts
    487

    Default

    Quote Originally Posted by Mongoose39uk View Post

    However my question remains when/ if it happens again... how is it potentially managed.

    We will learn from our mistakes.

    I am not techie, I don't know what to do or how to do it - honest answer.

    However this should be the first item on the next agenda for the elected Committee - whoever they may be.

    Errors are made and apologies given and should be accepted. The lesson, as it were, has been learned.
    If anyone has suggestions as to the best way forward I am sure the elected Committee will be happy to listen to any recommendations - techie to techie

  11. #11

    Join Date
    Feb 2009
    Location
    Fareham, Hants, England
    Posts
    112

    Default

    I have been thinking about this. While it won't do anything for those that had their addresses shared, all forum software has a method to mass email from the forum.

    Assuming that all members of GAGB (and I know that might not be everyone) are members of the forum too, why not make use of the forum software for the non-survey monkey type emails?

    It will handle all the emailing without revealing any email addresses and in most software there's also an option for distribution via membership groups.

    Might be worth looking at.

    You might also look at what the existing hosting provider offers. They often have something similar to mail-chimp preinstalled for mailing lists.

    Collin

  12. #12

    Join Date
    Sep 2005
    Location
    The Mendips, Somerset
    Posts
    2,781

    Default

    Quote Originally Posted by Cornell Finch View Post
    .... snipped

    Assuming that all members of GAGB (and I know that might not be everyone) are members of the forum too, why not make use of the forum software for the non-survey monkey type emails?

    It will handle all the emailing without revealing any email addresses and in most software there's also an option for distribution via membership groups.

    Might be worth looking at.

    ... snipped

    Collin

    Cass does use the built-in forum software for sending out the Seeker magazine emails. Although in the past there was one time she was having problems with it and also had to resort to the manual task of batch emailing everyone - a very time-consuming job which I recall took many hours.

    To be fair, I don't know if we could have used it for the emails that were sent out on Sunday as we would have had to exclude members since the cut off date (1st Oct).

    However, we just followed the procedure that has been used by the Returning Officer in past years to keep the members informed (which has worked well) but unfortunately on Sunday various circumstances meant he also resorted to a manual process when his bulk process failed (possibly due to him being in a hotel half way around the world from his home domain) and that is when the incident happened.
    GAGB member since 2005
    GAGB Committee member 2010 to 2016 (Chair 2012 to 2015)
    UK Mega Event Chairman 2009 (Weston-super-Mare)


  13. #13

    Join Date
    Jan 1970
    Posts
    0

    Default

    It was a considerable time in which you had the opportunity to rectify and you chose to hide it. I had dropped this issue and moved on. I will now reconsider my position.

  14. #14

    Join Date
    Jan 1970
    Posts
    0

    Default

    Yes a few people did take the route of asking you and then went on Facebook when they realised it was being brushed under the carpet and the others affected were not being informed

  15. #15

    Join Date
    Mar 2007
    Location
    Anchorage, Alaska
    Posts
    238

    Default

    Quote Originally Posted by Mongoose39uk View Post
    Yes a few people did take the route of asking you and then went on Facebook when they realised it was being brushed under the carpet and the others affected were not being informed

    I can see your perspective and I explained my reasons for my perspective. I feel badly about the incident and know there is nothing I can do to "undo" what happened. What I will do is work with The Committee to make certain it never happens again.

    In America, telling someone they are brushing something under the carpet implies an intent to deceive. I can assure you and all members of GAGB that there was never any desire to be dishonest. Different people will have different opinions about the judgement that was exercised and the decisions made, but I think it is a real stretch to accuse anyone of being anything less than honest (and perhaps that's not happening here due to cultural differences). All communications I have been privy to have included nothing but the facts. The members of The Committee I have had the pleasure of working with are hard-working volunteers with fully honorable intentions.

    I knew I made a mistake, informed Maple Leaf as soon as I was aware of the fact, and posted a public apology in this thread at my next opportunity. I am not in Europe on a lark. I am here on business, working long days with limited access to the Internet, daily switching locations, and cutting sleep short while squeezing in my volunteer efforts with multiple organizations where I can, with GAGB's election currently having top priority. The instantaneous communications that people are accustomed to due to 24/7 connectivity are physically impossible for me during this trip as I am in business meetings with my phone switched off or visiting industrial facilities that require me to leave my phone in my car. Short of diverting to the UK on my way home next week to publicly face people, I am unsure of what more I can do other than come up with a solution to prevent a future reoccurrence.

    I've walked in the shoes of those whose e-mails I inadvertently exposed and fully understand the anger and disappointment. I can't undo what was done and have apologized for it. Can you walk in mine?
    Last edited by LadybugKids; 21st November 2013 at 05:02 AM.
    In Alaska, the best athletes eat raw meat, sleep in the snow, and run naked.
    Ladybug Kids' gc.com profile
    Visit the GeocacheAlaska! website.

  16. #16

    Join Date
    Jan 1970
    Posts
    0

    Default

    I can, I understand it was an accident.

    Time to move on I think.

    The questions I posted are genuine. I do want to know how potential committee members think a future incident should be dealt with.

  17. #17

    Join Date
    Sep 2012
    Posts
    108

    Default

    Personally I would apologise immediately, sending an email to everyone involved. I do not like certain email addresses of mine given out to every Tom and Harry; however, I do have my caching email on view on my profile.

    I think this is something to be discussed on the first committee meeting to ensure that this never happens again.
