Heads up to all ManFriday members

[SwearyG]

Our membership list has been leaked online.

Please do what you need to in order to keep yourselves safe.

I am out I have better to do than argue over this, the irony is I would have written a set of policies and procedures for ManFriday that would have been ironclad and covered their ass going forward - and that was what I meant when I said I would help.

That would have been pointless in this instance as the breach is under FB not MF so any GDPR policy they had would not make a blind bit of difference.

Going forward unless MF store and use people data outside of the FB platform they use they dont need a GDPR policy.

All this faux concern is just another excuse to stick the boot in. You weren't in the group reveal, what concern is it of yours if they were within a GPDR framework? Quite bizarre attempt at a kicking

I agree materialist, this is no friend of MF

policies wouldn't have stopped the leak but they would have covered their ass with the ico and they would have been able to demonstrate that they had policies which had been breached - it would have put them in a much stronger position.

and now I really am going this is bloody ridiculous. I do this every fucking day for a living I write these policies - not because they will stop a data breach from a malicious person but because they demonstrate to the ico that the organisation concerned have taken data protection seriously and have done their best to make sure that people know what their legal responsibilities are.

Small activist and community groups were always going to be the biggest issue in GDPR especially when they grew organically and were in areas that were controversial - in terms of keeping data secure and with the potential for leaking of info online.

But whatever.

Ballix do they not need a GDPR policy.

Seems to be a bit of a tale of Mr Jeremy Fisher.

R0wan
I have sent you an unsolicted PM

revealing

They do not need a GDPR policy if they do not store personel data!!!
Why have a policy if you dont need one?

Also they do not need to report themselves to ico because the data was not theirs it was Facebooks data!!

Are you really sure you do this for a living?

Why and how was that person able to get that membership list?

I think this may be the source if the confusion.

You seem to be assuming ManFriday has constructed the membership list?

They didn't. Anyone in a FB group can see the other members of that group. Manfriday have no control over that.

revealingnothingfuckinpersonal have you any personal experience with adminning. FB groups?

The point here is not whether MF had a 'GDPR policy' or not - or do you actually mean privacy impact assessments and fair processing notices Revealing? but that an individual who had access to members' details chose to distribute that data in a way that did breach data protection legislation.
I hope those affected complain about the leaker to the ICO. That is where the mischief lies, not with MF.

The way MF have acted quickly and openly since the leak is commendable and shows they are doing the right thing in the right way.

As an interested bystander I'd have to agree. Recently I do feel that there has been a bit of an effort to scare women into not organising or connecting with each other online. Don't think it's going to work, though it might encourage more action in RL too which won't be a bad thing.

Data protection and information security policy incorporating DPIA (with risk assessments etc) fair processing notices, privacy notice for a website if required, all that. I have a standard one that I drew up in advance of GDPR and that I use for charitable organisations (small community groups for eg) - I usually do them for free for campaigning groups whose aims I broadly agree with and I was offering to provide an adapted version for ManFriday but well, I'm sure you'll understand that I don't feel quite so content so to do now.

I also include templates which are based on the ICO templates with some amendments taken from the Isle of Man templates (which are most excellent by the way) for further DPIA should procedures need to change in future, or should there be a large piece of work required that would benefit from a DPIA.

Also act as DPO for currently 4 organisations of that type (campaigning/community) FOC.

But sure, I know fuck all.

I was offering to provide an adapted version for ManFriday but well, I'm sure you'll understand that I don't feel quite so content so to do now.

1. no you werent you were scaremongering and giving out incorrect info.

2. nobody asked you to do anything or write any policies so its no great loss is it...

Sorry - Isle of Man info, French toolkit is where the templates are to be found.

I would have provided - free

a toolkit for data mapping - I would do a data map and then leave the toolkit for use afterwards by anyone else who needed to use it

DPIAs for every area where I identified a risk and each project/campaign that was currently being undertaken and a template left for use afterwards

A data protection policy covering: the history of the organisation in question, the theory behind the GDPR, volunteer specific guidance, role of the ICO, how to handle data requests, redaction of personal information and how to do that, anonymization of personal data, data sharing, PECR and the e-privacy directive, privacy notice, data breach report form, subject access request form, change of details form, obligations as data processor under GDPR, obligations as data controller under GDPR, third party processing agreement if required and a template left if needed for future, confidentiality agreement, information security policy and best practice around use of personal devices, and a records management policy.

For free. But I know fuck all

Seeing a gang attacking one person sickens me...no matter what the justification, it is nasty bulling and a campaign group turning into a lynch mob is not a good look.

I have yet to see any evidence posted here that the person suspected actually did this dastardly deed. It seems to be just assumed.

Tevealing I've no doubt you are a DP professional but like a lot of DP professionals I know I suspect that you are so far down the DP rabbit hole that you believe that DP is the tail that must wag the dog, and fail to see beyond the DP bubble.
MF is the name of a campaign, it is not an organisation. (Unincorporated or not)
Stop giving women involved in MF a kicking and look to the leaker instead.

you did say this though revealing and so it seems unlikely to have been a goer:

"ManFriday were naive and made some potentially (or what look like on the face of it - I'm not in the group so I don't know exactly) poor decisions about where to host their activism and they need to learn from this going forward.

And, you know, the keep quiet don't say anything and insinuations about me here really don't help the cause of manfriday at all. They have made me very very angry - I'm sorry but they should have protected their members better. (I'm not one was not one never was one for the record) They ballsed up and they need to take that on the chin."

Seeing a gang attacking one person sickens me...no matter what the justification, it is nasty bulling and a campaign group turning into a lynch mob is not a good look.

I have not seen this on this thread is it elsewhere on MN or other social media?

revealing
Thats a great list of services you can provide however as it stands those services are not needed by MF.

Can you not understand that GDPR is not required unless personal data is stored?

You have already admitted you were not part of the group so have no idea how, if or why they stored personal date. All of this is a pointless effort on your part.

Sorry am confused, why would anyone leak the membership list online, ? Whats the motivation

Gill
The list shows members names and the area they lived which would allow others to doxx them.
The motivation behind leaking it is anyones guess...

They wanted these women to get doxxed it was always their plan?
Sour grapes?
Did not agree with the groups premis?
Moment of madness?
Revenge?

This was the #ManFriday update here yesterday:

Yesitsadebate posted:

"Hello everyone,

As a follow-up to Sweary’s post, this is what has happened and what we’re doing about it:

• A person who we have had concerns about for several months appears to have joined the #ManFriday group using a sock account/ been passed screenshots by a sympathiser. They then had a screenshot posted on Twitter by a TRA account.
• The #ManFriday admin team took action to remove over 100+ people from the group: anyone who had not been actively posting or who had joined the group recently.
• We then explained on here, on the FB group and to the people directly affected what had happened. The post from the FB group was then taken by this person, we assume, and we received a message via the #ManFriday website threatening police action. This person also posted a couple of rants on the Mumsnet thread, which were swiftly deleted by MNHQ as from a PBP.
• This person then published the stolen #ManFriday membership list (incomplete), which was tweeted by a TRA account. We were made aware of this PDQ, reported the tweets and alerted then closed the group as we couldn’t be sure of our members’ privacy.
• This person then set up a couple of Twitter accounts to direct accusations at Mumsnet and #ManFriday. As the Tweets indicated that the person was threatening self-harm and behaving erratically, I called the police, who conducted a welfare check.
• Statements have been made to the police today.
• The IPO are also being contacted today, as a precaution. It’s Facebook who holds the leaked data rather than us but we want to do the right thing.
• We’re contacting the people on the list as quickly as we can but as we aren’t FB friends with everyone, it’s not a simple exercise. Sweary posted on here to try to get the message out quickly to as many people as possible.

It’s a crap situation and I’m so sorry to everyone who’s worried or who is now being targeted online. Tweets targeting people’s employers are being reported as soon as we spot them.

If anyone is worried in particular, please do send me a FB message and I’ll try to respond ASAP."

have yet to see any evidence posted here that the person suspected actually did this dastardly deed. It seems to be just assumed.

I doubt all the evidence the Man Friday women may have about the identity of the doxxer (if they had personal messages etc) would be posted on this thread, especially as the matter has been reported to the police apparently by more than one person.