By johnm
FLYER Club Member
#1611968
Well done the CAA, one of the few organisations correctly interpreting the GDPR


GDPR - Protecting your data
Using the SkyWise app

You may have heard about the new General Data Protection Regulation ("GDPR"), that comes into effect May 25 2018.

The regulation gives you more control over how your data is used and how you are contacted.

The CAA holds your name and email address which you provided when you registered to use the SkyWise app. We use this data to send you notifications that relate to your chosen subjects.

If you would like to unsubscribe from SkyWise please click the button below and follow the instructions. We will then delete your data from our system.

If you don’t want to make any changes to your subscription then no action is required.

If you would like further information regarding GDPR, please refer to the ICO website:
https://ico.org.uk/for-the-public/.
flyingeeza, kanga liked this
By johnm
FLYER Club Member
#1611989
Ian Melville wrote: I thought the opt-in had to be explicit, therefore no action cannot be an acceptance that you are happy for that data to be held?


A common misunderstanding of the regulations. A positive decision to opt in is required and a positive decision to do nothing and thus let the current practice continue is perfectly acceptable.
By rikur_
FLYER Club Member
#1611990
Largely comes down to the manner in which consent was previously obtained. E.g. if you actively signed up to a notification service (like Skywise) then it is unlikely that new consent is required, as you took a positive action to subscribe to the service in the first place. If you bought some goods and the retailer added you to its marketing list as a result without explicit consent, then the retailer may not be able to rely upon that as consent under GDPR - albeit they might instead of consent choose to use the lawful basis of 'legitimate interest' as a reason for marketing to you.

GINFO is a more interesting topic - whilst I assume the lawful basis for the CAA holding that data is 'public task' (not consent) ... does the 'public task' require that it is published publicly? - if not, I'm not sure what the basis is for publishing the GINFO database online ...... particularly some of the historic information. Public bodies cannot usually rely on consent as a basis, due to the imbalance of power between the public body and the individual.
By johnm
FLYER Club Member
#1611991
As I pointed out above, the data subject is merely required to make a positive decision to opt in and a positive decision to do nothing will count, so where an email is already used to communicate that works in all cases.
Therefore all any organisation needs to do is provide a clear opportunity to opt out for members of its current list.

To add to that list explicit consent from each new data subject is required and that consent must be informed, hence the flurry of new privacy policies being published.

The GINFO case is an interesting one and I don't know the legal basis of publishing the personal data and a cursory search hasn't helped. I might try some serious digging when I have a period of excessive ennui.......
By rikur_
FLYER Club Member
#1611996
Not quite as simple as that in my understanding @johnm - albeit I agree that in many cases new consent isn't required, and remember, "consent" is only one of six lawful bases that data might be used on.

See myth 9 in the ICO blog on the topic here: https://iconewsblog.org.uk/2018/05/09/r ... -the-gdpr/

Edit: Worth noting many organisations are trying to cover off GDPR and PECR at the same time
By johnm
FLYER Club Member
#1611997
@rikur_ Yes I'm familiar with all that which is why I made a similar but briefer point in my earlier posts. There might be some subtleties but there's no cause to go looking for them :wink:
By riverrock
FLYER Club Member
#1612005
johnm wrote: Therefore all any organisation needs to do is provide a clear opportunity to opt out for members of its current list.

If the system is already there to opt out, and the organisation has an audit of them opting in, in the first place, the organisation needs to do nothing.

I recognise the email system they are using (and they forgot to take off the system's logo on the initial emails) so I know it records opt ins. So the CAA shouldn't have to do anything, including sending that email.
By Leodisflyer
#1612261
Consent is only one of the lawful bases.

If info is being used for marketing (not in this case?) then PECR should already have been followed so a simple update of the privacy policy may be appropriate as it would be in many other cases too. Can't work out whether the deluge of mails that we are all getting are due to misinterpretation of GDPR and/or lack of confidence that PECR was being properly followed before.

I remain curious about G-INFO - haven't looked in detail, but on face value I don't see how the perceived "issues" with G-INFO are different to Internet registries as in https://www.theregister.co.uk/2018/05/1 ... _shambles/ (the data protection requirements, not the change issues described in the article).
By rikur_
FLYER Club Member
#1612267
Leodisflyer wrote:

I remain curious about G-INFO - haven't looked in detail, but on face value I don't see how the perceived "issues" with G-INFO are different to Internet registries as in https://www.theregister.co.uk/2018/05/1 ... _shambles/ (the data protection requirements, not the change issues described in the article).

Re G-INFO .... the ANO seems to create the obligation to maintain a register, but doesn't reference publishing it ... and The Mortgaging of Aircraft Order 1972 seems to add the requirement to record / publish mortgaging details. No doubt somewhere there is an obligation to publish the register, but I haven't found it.
By Leodisflyer
#1612271
Thanks - maybe the privacy policy will set it out - unless they simply say that it is to comply with legal obligations.

I don't have an issue with G-INFO as such, but it does look as though it is potentially a useful tool for stalkers and we've also seen how it can be quickly used by people after an accident to make assumptions about the possible ID of casualties. I assume that there must be a legal requirement that overrides the rights and freedoms of the data subjects.
By flyingeeza
#1612292
Leodisflyer wrote: Thanks - maybe the privacy policy will set it out - unless they simply say that it is to comply with legal obligations.

I don't have an issue with G-INFO as such, but it does look as though it is potentially a useful tool for stalkers...


True.
Might tread on some toes here...

I, a grey old git, recently squirmed groaning and stiff out of our XAir at Popham after an hour's solo flight to the Microlight Fair and was immediately approached: "Well, you don't look like Amanda!" I mean...duh, ffs?

So some bloke saw the aircraft reg as I taxied in and he looked it up on G-INFO and saw it was registered to an Amanda and just had to be first to welcome her to Popham? :roll: Smooth. :roll: :lol: His disappointment was tangible! Just so uncool, I thought. But I was polite to him anyway. I'm a pilot. We are polite.

But I guess we need to welcome the reg-scribblers as long as they buy burgers and ice creams...and consume half of the car parking! :D :roll:
#1612325
Curiosity drove some more revenue for Google. The CAA covers G-INFO in an FAQ: https://www.caa.co.uk/Aircraft-register ... -Database/

In many ways I like the fact that you can see the details of previous owners of aircraft going back decades. One aircraft with which I have an emotional attachment has an online record going back over 70 years, although the first person (rather than business) was entered as recently as 65 years ago.
johnm liked this
By Bob Upanddown
#1612989
I thought CAA were doing the right thing then I received an email from CAAi.

Whereas CAA didn't want any action to stay subscribed to Skywise, CAAi want me to click the "let's stay in touch" button. So, like all the rest asking this, it will be ignored and my inbox will be less full.

So, typical of the CAA, no consistency in the application of regulations!! But we knew that already.

G-INFO. I know they have been challenged about this over the years. Needs a legal challenge from AOPA.