Peter Miller peter.miller at itoworld.com
Thu Aug 20 11:05:43 UTC 2009

On 20 Aug 2009, at 11:50, Andy Robinson (blackadder) wrote:

> Peter Miller wrote:
>> Sent: 20 August 2009 11:13 AM
>> To: Nick Black
>> Cc: osmf-talk at openstreetmap.org
>> Subject: Re: [Osmf-talk] EVERYONE: PLEASE VOTE
>> On 20 Aug 2009, at 11:05, Nick Black wrote:
>>> Grant,
>>> I think that the OSM-F membership list should be available for  
>>> anyone
>>> to request for their own personal use, in line with the UK Companies
>>> Act.
>>> My understanding and the understanding of the Board is that because
>>> the OSM-F is not Data Protection Act registered, we are tightly
>>> constrained by what we can do with a membership list.  Until last
>>> night I did not have access to the list.  We can only use it for
>>> purposes of membership - sending membership reminders is about the
>>> extent of the actions we can take.  I personally think this is sub
>>> optimal, which is why I'm working with the other OSM-F Board members
>>> to get clarification on the DPA and other regulations.
>>> I think the members should have access to the membership list and  
>>> the
>>> information that can be inferred from it, but this has to be done
>>> through the proper channels.
>> The Foundation is legally required to register under the Data
>> Protection Act 1998 and failure to do so is a criminal offence:-
>> "Notification is a statutory requirement and every organisation that
>> processes personal information must notify the Information
>> Commissioner's Office (ICO), unless they are exempt. Failure to  
>> notify
>> is a criminal offence.
> Ah, but you have not stated what the exemptions are. We know that we  
> do need
> to register because of all the things we might need to be able to do  
> with
> the wider OSM database (the OSM User data). The membership is a  
> different
> matter and as Nick says, its not a requirement to notify for the  
> purposes of
> managing an individual's membership as far as I am aware and thus not
> legally required on what we have used the data for to date, but  
> clearly it
> is in our interests to do so for the future.

A quick look at the exemptions does indeed appear to confirm that some  
basic stuff is allowed by not-for-profit organisations which may mean  
that all our directors do not 'go straight to jail' (apologies for  
suggesting that they might). I do hope however that we apply if we  
need to so that we can be transparent organisation that we all desire:-

"Not-for-profit organisations

"There is a specific exemption from notification for data controllers  
that are a body or association not established or conducted for  
profit, provided that their processing does not fall outside the  
descriptions in Q8 and Q9.

"As a not-for-profit organisation is all of your processing covered by  
the following descriptions?

"Your processing is only for the purposes of establishing or  
maintaining membership or support for a body or association not  
established or conducted for profit, or providing or administering  
activities for individuals who are either members of the body or  
association or have regular contact with it.

"Your data subjects are restricted to the processing of those for whom  
personal information is necessary for this exempt purpose.

"Your data classes are restricted to personal information that is  
necessary for this exempt purpose.

"Your disclosures other than those made with the consent of the data  
subject are restricted to those third parties that are necessary for  
this exempt purpose.

"The personal information is not kept after the relationship between  
you and the data subject ends, unless (and for so long as) it is  
necessary to do so for the exempt purpose.



> Notification is the easy part. It's ensuring the systems are in  
> place to
> comply with the Act that needs to be checked through so there is  
> little
> point in notifying until we are ready, otherwise if we get an audit  
> we would
> be found lacking. Those policies and procedures need to be written  
> and put
> in place. Something that will take a bit of time to do. As I said,  
> we need
> to consider not just the OSMF membership list but the OSM userbase  
> as well.
> Its on Saturday's Board agenda so this is one of the important  
> issues being
> discussed.
> Cheers
> Andy

More information about the osmf-talk mailing list