KLAXON: Calling gender critical GDPR experts!

[Barracker]

I'd really like any GC GDPR experts to clock in here.

I think it would be very helpful to have accurate, informed expertise on how a person would go about challenging a data controller who is holding inaccurate data on them, by using the GDPR.

If anyone also happens to have an in-depth understanding of data in the NHS, and the various NHS bodies that are responsible (NHS DIGITAL etc) then that would fitntye bill nicely too.

But let's just say a woman wanted to have an inaccurate piece of data held about her completely removed without trace. And that this was a request the organisation has never received before.

(If this turns out to be a thread that is of value only to me, I'm happy to take any conversations offline.)

GDPR people?

[Polynerd]

There is very detailed guidance on the ICO website but it is from the perspective of the data controller. I'm not clear from what you've put whether you are the data controller or the complainant. However this would be the place to start: ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

[Barracker]

Thank you polynerd
I'm not the data controller.

I'm hoping for someone who lives and breathes GDPR, who can perhaps 'hand hold' through the process, explaining in plain English as we go. A layperson attempting to interpret and wield the GDPR guidance might easily come unstuck.

[Polynerd]

I collect and process a lot of data for work but we have never had a challenge (touch wood!) so I don't have personal experience of how that works. What I would say is - you mention the NHS - that, for example, an initial misdiagnosis would not be able to be removed from the record because it gives an accurate record of the course of medical involvement.

[PearsMorgan]

The ICO also has guidance for data subjects (people). This may help: ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/

[Barracker]

This would not relate to a misdiagnosis.

More along the lines of assuming that because A is true, then B may be assumed and recorded as fact, and then used and processed as a proxy for A.
B is not true, does not follow from A, is dangerous to use as a proxy for A.
Processing data on B alongside B data on other people, when the subject neither volunteered data on B not agreed to its accuracy, nor accepts that it is an appropriate proxy for A.

Sorry if I'm not being entirely clear.

[Manderleyagain]

Lots of organisations are collecting & holding info on gender identity (often assumed) & not sex. That must be a gdpr issue because you have to have a good reason to hold personal info, & only the EA p/c's can be monitored for equality purposes I think. Anyway if you do get a gdpr expert please do keep it in public if you want to because I would be interested so I'm sure others would too.

[NotAGirl]

In almost every case it needs to be the data subject i.e. The person who the data is about or an authorised proxy who has to asked for the data to be amended or deleted.

[NotAGirl]

Gdpr is focussed on personal data rights so if the data isn't being recorded about you there would need to be some other basis for showing its harmful

[JustPurple]

Data subjects have the right to rectification under DPA18 if the data held on them is inaccurate or incomplete.

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

You can request rectification verbally or in writing and the organisation will have a month to respond.

If it's an NHS organisation in question, have you spoken to the DPO? They should be able to help.

[JustPurple]

In the interests of clarity, it sounds like the OP is the data subject.
OP isn't the controller, ie doesn't collect and process the data.

[NotAGirl]

If it's correcting data about yourself suggest referring to Article 16 'The data subject shall have the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her' of the General Data Protection Regulation.

Contact the relevant department and copy in the data protection officer.

[Kantastic]

Oh good! I have a GC GDPR question and would like to tack it on to this thread if I may.

I have been wondering if it is possible to figure out what shadiness is going on at Twitter using the GDPR. For example, shouldn't Twitter have a record of all the times that a given Data Subject has liked JK Rowling's Tweet? And presumably a record of how the mysterious un-likings have happened. And if someone is deboosted there should be some reason for that recorded in the database.

It might be possible to deduce something about who's doing it, whether it's rogue TRAs on the technical side, or whether it's something more deliberately co-ordinated in the company, from the nature of Twitter's GDPR disclosures. I'd expect the rogue un-likings and unfollowings to be visible in the record if it's being done by a lone TRA who has got access to login information, but not to be disclosed if it's more co-ordinated.

This is something i have been idly wondering - I don't even have a Twitter account myself so I can't act on it. But I'd love to know whether it could be done. The stuff that's happening in Twitter and other Big Tech companies is incredibly sinister.

[NotAGirl]

Kantastic gdpr covers twitter users in eu so in theory individual twitter users based in the eu could pursue Subject Access Requests against twitter however it would be extremely difficult (read impossible for all intents and purposes) to force twitter to comply with the request. And those responding can redact data relating to anyone else.

[Kantastic]

however it would be extremely difficult (read impossible for all intents and purposes) to force twitter to comply with the request

Bastards. Oh well. Thanks!