GDPR and FamilySearch Historical Records

LegacyUser

Adrian Bruce said: I'm hoping that this has already been well thought through, but having had the concern, it would be a dereliction of my professional duty not to raise it - for the protection of FS.

The EU's General Data Protection Regulation gets implemented on 25 May 2018. It applies to information held about living EU citizens, so I'm sure everyone's thought about ensuring that data about living people in FS FamilyTree is secure. But what about Historical Records? How many of those contain information about living people?

The collection which concerns me is United States Public Records, 1970-2009. "This collection is an index of names, birth dates, addresses, phone numbers, and possible relatives of people who resided in the United States between 1970 and 2009". It seems to me that this could very well fall under the scope of GDPR, as surely it contains some living people? If people complain about the data being wrong (and I have a suspicion that exactly this complaint has been made) and they are (a) alive (self-evidently) and (b) EU citizens - how exactly will FS correct that data?

It may be that the data is out of scope - it refers to US based data and I'm not at all convinced that is in scope, even for an EU citizen residing in the US, as the data is non-EU data. Or the answer might be, "Talk to the original provider and we will reload a new copy of the data."

Hopefully this has all been thought through, in which case I'll heave a sigh of relief and happily shut up - I don't have any concerns about my own personal data being in there as I've not been in the US for longer than a week.... (NB - there may be other collections to worry about, I've no idea).

LegacyUser

joe martel said: There are lots of historical records that contain info regarding living people, us census, obits and public records. I’m guessing the record custodian would need to consider if compliance applies and what that means.

LegacyUser

Adrian Bruce said: Lots... Umm. I suspected as much.

I'd take a wild stab that Census records (say) have been published by the US government, so that's what the expected process is, so someone with the requisite knowledge of the right GDPR phrasing to use, could justify that. Similarly for birth records and Obits. None of those concerned me unduly.

I'm less confident about the Public Records. The Wiki says, among other things, "In addition to public records generated by government agencies, corporations and private organizations also collect and disseminate records about individuals. Examples of these include telephone and address listings, credit applications, and membership directories."

Credit applications?! OK - I very much doubt that it's anything more than name and address in there. Ditto the tax type stuff. It just all sounds a bit messy and therefore unclear and therefore worrying.

The point is that GDPR responsibility falls both to the Data Controller (the guy who creates the data in the first place) and also the Data Processor (whoever runs a facility for processing said data). I would be fairly certain that FS counts as a (potential) Data Processor, at least. So even if the custodian of the originals is the Data Controller, it may be that FS still has to think of things as a Data Processor.

Again, it may be that the "This stuff is intended to be published" defence applies, or the "Not data about events in the EU" defence applies, but FS's responsibilities as a Processor might still mean it has to satisfy itself that everything is OK and prepare a defence using vaguely the right words if anyone from the EU asks.

My concern is that FS cannot wait for the originators of those Public Records to decide - they might never do so - whereas FS is the system with global access / visibility and therefore vulnerability.

LegacyUser

Lynne VanWagenen said: Adrian,

FamilySearch has a regular process by which ensure that we publish records in accordance with laws (including GDPR) and our agreements with the content owners.

LegacyUser

Adrian Bruce said: Good - that's what I wanted to hear.

LegacyUser

David Newton said: Is Familysearch a data controller? Yes.

Is Familysearch a data processor? Yes.

Familysearch has personal information about me. I'm an EU citizen in the EU and come Friday I will be covered by GDPR. Regardless of what is in FSFT there is a whole raft of other personal information that they hold and process.

The public parts of FSFT are subject to GDPR as they are non-private and domestic data held by an organisation. However because they are supposed to be about dead people the provisions are disapplied. If living (less than 100 years old) people have their information displayed in the FSFT that is a violation of data protection rules if those individuals are resident in the EU. The private parts of FSFT are a different matter. I have a lot of living individuals linked in to FSFT and marked as living and thus in my private area. I don't have the permission of the vast majority of them to do what I have done. However I am doing the study purely for private and domestic reasons, thus again GDPR is disapplied.

GDPR doesn't apply to the dead. There is an exception to GDPR for data processing for purely private and domestic reasons. That covers the two bits of FSFT.

LegacyUser

Ekram said: FS appears to be in breach of the GDPR. I am also an EU citizen, and FS invites me to upload my personal data, as well as that of family members.

Under GDPR, I, or any of my family members should be able to request the data that FS holds on us, as well as request FS delete this data. FS should also state the basis on which they are processing and storing this personal data.

As far as I am aware, I cannot perform any of these actions, or see any valid statement for the basis of data processing on the FS site.

Currently, either FS should stop processing the data of EU citizens (which I assume is impossible) or change their practices to be compliant. Not in 2 years time, but now.

An infringement of the GDPR could make FS liable to a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher - https://gdpr.eu/fines/

LegacyUser

Tom Huber said: Any information that you or anyone else enters with respect to a living person is stored in a "private space" associated with your account (added: the account of the person who entered the information). No one else, but the person who entered the information, can see that information.

If you happen to know another person who has an account, give them the ID number of a living person and see if they can see that information.

LegacyUser

A van Helsdingen said: I believe that under the GDPR, living people should be able to request that any information added about them in another private space on FS be deleted. Allowing people to upload personal details about living people and not let the subjects of that information see the details or request that it be deleted is inconsistent with the GDPR.

I personally have become concerned about lax procedures around Latter Day Saint ordinances. Living people could be given a proxy LDS baptism if it was mistakenly or deliberately stated they were deceased. Someone could enter my name and family details into FSFT, but change the dates and add a death, and have me proxy baptised. To induct a living person into a religion without their consent is undeniably inconsistent with the principle of freedom of religion. I would want to be able to check, say every 5 years, that I have not been inadvertently proxy baptised into the Church of Jesus Christ of Latter Day Saints.

LegacyUser

Tom Huber said: Any vicarious ordinances are basically "erased" -- that is made, null and void -- if one of the two conditions exists (I have verified this myself):

1) Vicarious ordinances were performed before a full year after the person's death had taken place.
2) Vicarious ordinances were performed while the person was still alive.

I have found instances in my ancestry for both cases. Upon reporting these, the vicarious ordinances were made null and void.

LegacyUser

Adrian Bruce said: Re what's in the private areas: I am impressed by David Newton's point that " I am doing the study purely for private and domestic reasons, thus again GDPR is disapplied".

I always illustrate this with my Christmas card list. That contains personal data for private and domestic purposes. So GDPR does not apply and the recipients have no right to ask me or Mr Google to see their details in that Christmas card list. I believe that the private space in FSFT is the same. So I don't believe that I can request FS to tell me what's held about me in someone else's private space.

I have absolutely no idea if GDPR sanctions fishing expeditions along the lines of "Tell me if you hold any data about me...."

LegacyUser

A van Helsdingen said: That argument might work, but for the fact that if you claim that someone in your private space on the FSFT is deceased, their information is immediately released to the public. As far as I'm aware, there's no requirement to prove this- I could release details of my relatives to the public at any time by setting them to deceased.

LegacyUser

Adrian Bruce said: Quite agree. That's an argument about the entry of data into the visible part of FSFT, though. I can just as easily enter such data directly into FSFT by falsely entering them as dead, so it's not really an effective argument that the private space content is subject to GDPR, if that's what you meant.

The relative ease of such entry is a potential issue.

LegacyUser

Tom Huber said: This is an area where FamilySearch could do a better job. Before any person born within the past 110-120 years can be declared deceased, FamilySearch should require a source that proves the person is deceased. Without such a source, a note should appear that says no source has been provided that indicates the person is deceased.

I am not talking about pre-1900 records, and yes, there are instances where post-1900 records may not exist, thanks to wars, first, and so on. But lacking those sources is no excuse for marking the record deceased. Family traditions are notorious for being incorrect or confused with other situations.

So what would constitute a valid source that a person has died? Grave, newspaper announcement, official (government, religious) death record, personal letter written at the time of the death by a relative, and so on.

LegacyUser

Paul said: Depending on what geographical area you are looking at, it is often relatively easy to find websites that list all living residents over around 107 years of age. So, if I'm virtually certain an individual (if still alive) would be living in, say, the UK, USA, Canada, Australia, New Zealand or South Africa, I can be virtually certain they are now deceased.

I know this does not compensate for having an actual death certificate, but if the person were over 115 that detail would certainly have been well publicised in the media. The situation (regarding longevity) might change, but for now I would not hesitate in marking certain individuals in this category (110-120) as deceased.

LegacyUser

Paul said: Admittedly this situation generally applies to a bit further back in time, but I have come across quite a number of mariners / seamen for whom a death / burial cannot be found, so have assumed they were "lost at sea". No chance of ever having proof of death for such individuals.

(Sorry for drifting somewhat off-topic, Adrian.)

LegacyUser

Paul said: Further to comments I added today to a thread on Private People, I have just found an obituary, proving yet another of the few living persons I have added to Family Tree is now deceased.

As this is "unfamiliar territory" for me, can someone please advise the position in adding this to Family Tree:

(1) From the point of view of copyright - I found the obit at https://www.legacy.com/obituaries.

(2) With regard to the living children mentioned in the piece - do I have to remove / redact references to them?

I was about to add the piece to his Life Sketch section, and possibly add the accompanying photo, too.

Thanks.

LegacyUser

Stewart Millar said: Paul,
My approach to this would be to treat this as a source . . . use "RecordSeek" to generate and format the source record giving you options to modify the Title to suit and to add a transcription of key details from the obituary entry and any of your own explanative notes (in case the supplying web site may not remain at the same url address).

That way - I believe, no copyright is broken - any other FS user can view the obituary record with photograph by following the link created by "RecordSeek" - exactly as you have done.