Peter Miller peter.miller at itoworld.com
Thu Aug 20 11:37:06 UTC 2009

On 20 Aug 2009, at 12:16, Andy Robinson (blackadder) wrote:

> Peter Miller wrote:
>> Sent: 20 August 2009 12:06 PM
>> To: Andy Robinson (blackadder)
>> Cc: 'Nick Black'; osmf-talk at openstreetmap.org
>> Subject: Re: [Osmf-talk] EVERYONE: PLEASE VOTE
>> On 20 Aug 2009, at 11:50, Andy Robinson (blackadder) wrote:
>>> Peter Miller wrote:
>>>> Sent: 20 August 2009 11:13 AM
>>>> To: Nick Black
>>>> Cc: osmf-talk at openstreetmap.org
>>>> Subject: Re: [Osmf-talk] EVERYONE: PLEASE VOTE
>>>> On 20 Aug 2009, at 11:05, Nick Black wrote:
>>>>> Grant,
>>>>> I think that the OSM-F membership list should be available for
>>>>> anyone to request for their own personal use, in line with the UK
>>>>> Companies Act.
>>>>> My understanding and the understanding of the Board is that
>>>>> because the OSM-F is not Data Protection Act registered, we are
>>>>> tightly constrained by what we can do with a membership list. Until
>>>>> last night I did not have access to the list. We can only use it
>>>>> for purposes of membership - sending membership reminders is about
>>>>> the extent of the actions we can take. I personally think this is
>>>>> sub-optimal, which is why I'm working with the other OSM-F Board
>>>>> members to get clarification on the DPA and other regulations.
>>>>> I think the members should have access to the membership list and
>>>>> the information that can be inferred from it, but this has to be
>>>>> done through the proper channels.
>>>> The Foundation is legally required to register under the Data
>>>> Protection Act 1998 and failure to do so is a criminal offence:-
>>>> "Notification is a statutory requirement and every organisation
>>>> that processes personal information must notify the Information
>>>> Commissioner's Office (ICO), unless they are exempt. Failure to
>>>> notify is a criminal offence.
>>> Ah, but you have not stated what the exemptions are. We know that we
>>> do need to register because of all the things we might need to be
>>> able to do with the wider OSM database (the OSM User data). The
>>> membership is a different matter and as Nick says, it's not a
>>> requirement to notify for the purposes of managing an individual's
>>> membership as far as I am aware and thus not legally required on
>>> what we have used the data for to date, but clearly it is in our
>>> interests to do so for the future.
>> A quick look at the exemptions does indeed appear to confirm that
>> some basic stuff is allowed by not-for-profit organisations which may
>> mean that all our directors do not 'go straight to jail' (apologies
>> for suggesting that they might). I do hope however that we apply if
>> we need to so that we can be the transparent organisation that we all
>> desire:-
> Luckily I was playing Monopoly recently and have a "Get out of jail
> free" card left :-)
> +1 on the transparency and hence why notification and compliance to
> permit some use of personal data beyond the restrictions currently
> imposed is being actively evaluated and addressed.

Good news. It would of course be useful to have board meeting minutes  
available for meetings held since 14 April 2009 so that others can see  
what the board is working on and is not working on - most of us are  
working in the dark at present and can only guess.



>> "Not-for-profit organisations
>> "There is a specific exemption from notification for data controllers
>> that are a body or association not established or conducted for
>> profit, provided that their processing does not fall outside the
>> descriptions in Q8 and Q9.
>> "As a not-for-profit organisation is all of your processing covered
>> by the following descriptions?
>> "Your processing is only for the purposes of establishing or
>> maintaining membership or support for a body or association not
>> established or conducted for profit, or providing or administering
>> activities for individuals who are either members of the body or
>> association or have regular contact with it.
>> "Your data subjects are restricted to the processing of those for
>> whom personal information is necessary for this exempt purpose.
>> "Your data classes are restricted to personal information that is
>> necessary for this exempt purpose.
>> "Your disclosures other than those made with the consent of the data
>> subject are restricted to those third parties that are necessary for
>> this exempt purpose.
>> "The personal information is not kept after the relationship between
>> you and the data subject ends, unless (and for so long as) it is
>> necessary to do so for the exempt purpose.
> Thanks, this is exactly the section we have been working under to
> date and the reason why we can't just throw out lists of members and
> personal info ad hoc.
> Cheers
> Andy
>> Regards,
>> Peter
>>> Notification is the easy part. It's ensuring the systems are in
>>> place to comply with the Act that needs to be checked through so
>>> there is little point in notifying until we are ready, otherwise if
>>> we get an audit we would be found lacking. Those policies and
>>> procedures need to be written and put in place. Something that will
>>> take a bit of time to do. As I said, we need to consider not just
>>> the OSMF membership list but the OSM userbase as well.
>>> It's on Saturday's Board agenda so this is one of the important
>>> issues being discussed.
>>> Cheers
>>> Andy
