
List Servers and the Data Protection Act


Here at The Hug we run quite a lot of lists on our colo server using the Mailman list server software. You can see the public lists here, but there are more besides which aren't public.

I've been looking at data protection recently for a project I'm working on, and it suddenly occurred to me that running a list server means you are holding people's personal data, even if it's only their email address and name. If you're doing this in the UK, that could come under the Data Protection Act and hence require someone to register as a "data controller".

At this point you're probably thinking I'm being a little overly paranoid: surely names and email addresses alone don't qualify as enough data to need protection? But consider this: implicitly you're holding an extra piece of information for each person, namely the purpose of the list to which they are subscribed. To take an example, on our server we run at least one private list for a charity for people with a particular medical condition. If the subscribers to that list became public, that would reveal something about them which they may not wish to be shared.

Similarly, as you'll see from the public lists, we run lists for people who live in our village and neighbouring villages. If someone is a member of one of those lists one can reasonably deduce where they live. And membership of the chat list for our local church reveals the religion of the member.

The next question is who has to register? Is it us as list server owners, or the list owners themselves? So I asked the Information Commissioner's Office. Their view is that the list owners are the people responsible for the data, so they have to register as data controllers. Here's what they said:

From the information you have provided it appears that although you provide the server, the purposes for which personal data are processed are decided by the local organisations. If that is the case then it is likely that each organisation will be a data controller in its own right for any personal data processed by them and as such they may need to notify this office of their processing.

If in relation to any personal data your organisation Hug Solutions Ltd decides the purposes for which personal data are processed then it is likely that your organisation too will be a data controller in respect of any processing of personal data. If that is the case there would be a requirement for your organisation to notify this office in its own right.

Each legal entity must notify in its own right.

So that's £35/year for each list owner!

Now there are exemptions. The most obvious one is section 36 of the Act which says:

"Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III."

I think that lets the owners of some of our "social lists" off the hook, as they can argue that it's a recreational purpose. But I still expect some of our list owners to choose to register, and we at The Hug are registering too, as we control the data for all the lists. We have also strongly recommended that all the list owners restrict viewing of the subscriber list of each list they own to themselves alone, as any other setting probably puts the list owner in breach of the Act.
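One practical way to check that recommendation across a whole server, as an added example that is not part of the original post or of Mailman itself: a Python script that reads Mailman 2 `config_list -o` dumps and flags any list whose `private_roster` setting is not 2 ("list admin only"). The list names and dumps inside the script are constructed samples; on a real server you would feed it the files written by `bin/config_list -o <file> <listname>` for each list. The value meanings (0 = anyone, 1 = list members, 2 = list admin only) are Mailman 2.x's; the helper names are this example's own.

```python
"""Audit Mailman 2 list dumps for subscriber-roster exposure.

Added example, not code from the original post or from the Mailman project.
Assumes Mailman 2.x, where `bin/config_list -o <file> <listname>` writes a
list's settings as Python-style assignments, including `private_roster`:
    0 = anyone can view the subscriber list
    1 = list members only
    2 = list admin only
"""
import re
import sys

# Constructed sample dumps in the shape config_list -o produces (fragments only).
SAMPLE_DUMPS = {
    "village-chat": "real_name = 'village-chat'\nprivate_roster = 0\n",
    "church-chat": "# Who can view subscription list?\nprivate_roster = 1\n",
    "support-group": "real_name = 'support-group'\nprivate_roster = 2\n",
    "odd-list": "real_name = 'odd-list'\n",  # setting missing: review by hand
}

ROSTER_LABELS = {0: "anyone", 1: "list members", 2: "list admin only"}
REQUIRED_VALUE = 2  # the setting the article recommends
_ROSTER_RE = re.compile(r"^\s*private_roster\s*=\s*(\d+)\s*$", re.MULTILINE)


def parse_private_roster(dump):
    """Return the integer private_roster value in a dump, or None if absent."""
    match = _ROSTER_RE.search(dump)
    return int(match.group(1)) if match else None


def audit(dumps):
    """Map list name -> finding dict for every dump given."""
    findings = {}
    for name, dump in dumps.items():
        value = parse_private_roster(dump)
        findings[name] = {
            "private_roster": value,
            "exposure": ROSTER_LABELS.get(value, "not set / unrecognised"),
            # A missing or unknown value is treated as needing attention too.
            "needs_fix": value != REQUIRED_VALUE,
        }
    return findings


def noncompliant(findings):
    """Sorted names of lists whose roster is viewable by more than the admin."""
    return sorted(name for name, f in findings.items() if f["needs_fix"])


def remediation(findings):
    """One line per non-compliant list, suitable for `config_list -i` input."""
    return {name: "private_roster = %d" % REQUIRED_VALUE for name in noncompliant(findings)}


def load_dumps(paths):
    """Read real config_list -o output files; list name taken from the filename."""
    dumps = {}
    for path in paths:
        with open(path) as fh:
            dumps[path.rsplit("/", 1)[-1]] = fh.read()
    return dumps


if __name__ == "__main__":
    dumps = load_dumps(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_DUMPS
    results = audit(dumps)
    for name, f in sorted(results.items()):
        flag = "FIX" if f["needs_fix"] else "ok "
        print("%s %-15s private_roster=%s (%s)" % (flag, name, f["private_roster"], f["exposure"]))
    for name, line in remediation(results).items():
        print("remediate %s: echo '%s' | bin/config_list -i /dev/stdin %s" % (name, line, name))
```

Run with no arguments to see the constructed samples audited; pass one dump file per list to audit a real server. The script deliberately treats a missing `private_roster` line as needing attention rather than assuming Mailman's default, so that an unusual dump gets looked at by a person.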

If you own a list server, or run a mailing list, you might like to mull over the above. Does any of this apply to you?

Tags: internet, linux
Written 30/10/06
