MNHQ here: Mumsnet’s approach to data protection and GDPR

[KateMumsnet]

As lots of you will know, May 25 sees the introduction of the General Data Protection Regulation (GDPR) - a new law covering data protection and privacy. As with any company that works with data, we’ve done some work to ensure that we’re fully compliant with GDPR. If you’d like to know more about what we’ve done, read on.

We have reviewed and updated our Privacy Policy and provided a page of Frequently Asked Questions.

We’ve made it easier to edit or delete the information you give us when you join Mumsnet -- your registration data. This might be no more than a username and an email address; you can have a functioning Mumsnet account with just those two things. However if you also told us your name, age, sex, how many children you have, and/or your postcode, it’s now easier to see how to edit or delete that information in your ‘My Account’ page.

The ‘My Account’ page is also where you can delete your Mumsnet account (although we would prefer you not to, obviously). Deleting your account will not delete your posts on Mumsnet but it will delete all the registration data associated with your account.

By popular request, we will not be deleting Private Message archives as originally planned.

If you receive any Mumsnet newsletters, you can unsubscribe using the link at the bottom of the email. If you have a Mumsnet account you can also subscribe and unsubscribe to any or all of them here.

As you use Mumsnet you might see a new notice that tells you when cookies are being used.
You can find details about how we use cookies in our Privacy Policy and FAQs. But in a nutshell, we use cookies to:

• improve your experience by, for example, remembering that you have logged in and that you like reading threads top-to-bottom;
• show you more relevant content and ads; and
• gather aggregate information about how many people visit Mumsnet, how often, and what they look at while on the site (aka analytics).

Long-standing Mumsnet users may remember the Profile Page functionality that we rolled out to users many years ago. For now we have decided to default all existing public Profile Pages to ‘private’, so that MN users who have put personal information on their profiles have a chance to review and delete it if they want to. You can check whether you have a Profile Page, and edit or delete it over here.

If you’re looking for the My Photos page: we’ve suspended this for now - it wasn’t working well and needs a complete revamp. Any photos you had previously uploaded have been deleted from our systems.

In terms of MNHQ’s internal processes, we have put further restrictions in place around which staff members have access to Mumsnet users’ personal information.

We're emailing all our members to let them know about these changes. As ever, we really welcome your feedback. Do add comments below or email [email protected] if you have any thoughts, questions or concerns.

And if someone were to cross analyse posts it would be very easy to identify people. Eg

Stated profession chartered surveyor
Says she has a female partner
Lives village near oxford
Went to oxford uni
Has twins
One twin has cerebral palsy

I made the above up but you see what I mean

Coffee: " hit ‘report’ on one of your posts and explain the problem to our site Moderation team; they will be happy to help if they can. You can request a retrospective name change – this means that all your previous posts will appear under a different username.

if they can? You have a legal duty under GDPR to delete my information if I ask you to. If they can doesn’t cut it."

The legal requirement is that you have the right to request deletion. The organisation doesnt have to comply if they can justify processing that data and they might depend on the legal basis.

So there is still no way to delete forum posts?

Hi @sleep5, @coffeecupofmilk and @Onceuponatimethen

We’re very happy to delete individual posts if you’re worried you’ve said too much - just hit report on that post and explain the problem. If you’re worried about lots of your posts, or think that someone ‘in real life’ has worked out your identity, you can also request a retrospective name change - this means that all your previous posts will appear under a different username. Posts are publicly-available content (rather than data) and our T&Cs do say that when you post on site, you allow us to use your posts in perpetuity. Our overall view is that threads with lots of holes in them are a poor user experience for the community as a whole, which is why we don't offer the option to delete them.

Does this mean that the bit where you change your username and then are asked for a first name has changed?

Apols for missing this earlier @coffeecupofmilk - yes, that has been changed. 'First name' is no longer a field on your 'My Account' page - it now appears on the 'About You' page and is completely optional.

Can you please explain how the amount of information the company on thread are asking for is compliant with your data privacy policy?

Apart from username, all the information requested in that product test is actually necessary in order to receive the product in question. Till now, we’ve often asked for so that we have two ways of contacting those who are selected to take part (DM and email). We’ve never passed this info on to the partner companies we work with (though of course we only work with partners who themselves have robust privacy policies). It’s never been compulsory to give your username in order to take part, and after the 25 May when GDPR comes into effect, we’ll no longer be asking for usernames at all.

It appears to me that our data is transferred outside the EU, is this correct?

Yes, that’s correct for some companies, including Google - but the GDPR will apply equally to all businesses that market to or do business with European Union member states, regardless of where in the world that business is located.

How does this work with the fact that the period boxes were sent to wrong people and what steps have you taken to ensure that doesn’t happen again?

As part of our preparations for GDPR we’ve looked closely at how we do things internally - we are tightening both the processes by which data is handled by staff in relation to things like competitions and product tests, and we’ve considerably reduced the number of staff who have access to any personally identifying information.

Thanks,
MNHQ

Hello!

I started a thread here You can see previews of old chat threads on the iPhone app and asked a GDPR question at the end of it. Please could you take a look? I think a lot of people assume old content is gone forever and it's clearly not, I also think you get different information on the iPhone app and website sometimes.

It’s never gone forever because of sites that freeze snapshots of internet though is it?

Thing is people just don’t think when they are posting stuff about how a specially designed programme that crawled the boards harvesting certain info or a very determined individual could put the info together.

People reveal info in ways they don’t realise too. Someone might not start a thread including the wording ‘I live in Oxford’ but they might well post ‘l love Christchurch meadows and only twenty minutes walk from my flat which is great’. Which has the same effect as saying ‘I live in Oxford’.

And if the posts from that username can be cross ref to id the person changing the username doesn’t cure it because that collection of posts is enough to id them. And what matters to them is whether people in rl know what they think.

I'm going to be pretty upset at losing my pm conversations. I've had some really good conversations and absolutely invaluable advice on them.

Is it possible to have an export option so that we can keep what we have, before they all vanish?

Yes, I don't want to lose my PMs either.

Mnhq will at times delete all your posts.

They've kindly done it for me in the past when stalker ex found posts and was trying to use my posts against me

Could it be argued that MN is not processing personal data when someone posts something on the boards - as the OP is the author?

The personal data is the actual name of the person, email, contact etc and that's what's being processed. It's stored on a database somewhere

So being forgotten would mean that all that stuff can be deleted but the posts aren't 'data' being processed by MN so being forgotten doesn't apply to that?

Surely it's not up to MNHQ to police what you post in case you share too much. Have some common sense.

It’s the total erasure you should be able to do - that’s their obligation to police

Hi everyone,

Thanks for your thoughts here it's always very valuable to receive your feedback.

On our decision to delete private messages after 60 days, we’re going to see how people feel about our this by keeping a close eye on this thread and in Site Stuff. When we get more feedback we can decide what next.

In terms of deleting posts, if you’re worried that you’ve said too much or divulged personal information we’re very happy to delete individual posts - just hit report on that post and explain the problem.

I've been helpful

www.mumsnet.com/Talk/site_stuff/3250954-mn-proposal-to-delete-pms-after-60-days

deleting Private Messages that are more than 60 days old.

I like my PMs, and sometimes I have to go back and see the conversations I've had with people in the past - much further back than 3 months sometimes - when I start chatting to them again. There are so many usernames, trying to remember if that moniker was Bob who thought X or Jane who thought Y is impossible. And I'd hate to put my foot in it!

Could we perhaps have an archive function? Then if people specifically didn't want to lose a message/messages they could archive them, but the bulk (I imagine) of messages on the site would be deleted after 60 days.