Ownership of Unicon or other large convention data

This discussion has an associated proposal. View Proposal Details here.

Comments about this discussion:

Started

1A.6 states:

"Copies of attendee registration details, judging sheets, protest forms, and
related paperwork are not necessarily public, but are the shared property of the host
and the International Unicycling Federation, and must be made available upon request."

Who can rightfully request these data? Surely not just anyone?

And to whom should such a request be addressed?

Comment

Under GDPR any person can request any records pertaining to themselves. I guess that might also include if there has been protests delivered about them even if it didn't ultimately go anywhere (like, someone complaining about another team doing something that's not against the rules).

It could be changed to "and must be made available upon reasonable request as evaluated by the IUF board and in accordance with relevant laws." I guess that might give enough wickle room so people don't get records they shouldn't see.

Comment

What you describe is for data about the individual who makes the request.
GDPR is regulated in (European) law, we don't need to write anything in our own rules about it. We simply have to obey the law where applicable.

I understand 1A.6 to be about the whole body of data.
I vaguely suspect that what is meant is that the host must make all data available to the IUF if requested so by IUF. If this is correct, we should reword 1A.6.

 

Comment

I understand the data is the shared property of IUF and the host. Presumably IUF would keep it going forward and for instance someone could request data to know what kind of issues they might run into when hosting a competition within their own country.

As for GDPR one of the requirements of that regulation is that the data collected must be governed by a privacy policy and it must be clear how people can opt in and out and what data is collected. It might be for a different forum/discussion but currently the rules don't comply with the GDPR.

Comment

Perhaps Connie or Scott can tell what 1A.6 means.

I'm not sure that everything you wrote about GDPR is correct, but I agree to leave the subject out of Rulebook discussions.

Comment

I'm not sure what "must be made available upon request." refers to honestly, or who has the right to request it. That rule proceeds my time as one of the rulebook editors. Perhaps John Foss has some insight. 

All of the digital data from recent events is stored inside UDA and thus is IUF data, per my understanding of the agreement between Robin and the IUF. The paper data has always remained in the hands of a party related to the IUF and outside of the main hosting team. That has usually been Robin or Connie in the past 10 years, with the understanding that it is IUF data. Connie, correct me if I am wrong.

Comment

Part of the "must be made available upon request" goes back from before UDA and even UCP when hosts would not share any data. Long ago history and things are significantly different now as we have digital data.

Paper data: Robin or I have kept it. Every so often the stack of papers goes to the recycle bin. I have the Unicon 19 papers.

New text for that section? I don't have a suggestion. I agree that update is good.

Comment

So my vague suspicion is correct. :-)

I then suggest to replace

"Copies of attendee registration details, judging sheets, protest forms, and related paperwork are not necessarily public, but are the shared property of the host and the International Unicycling Federation, and must be made available upon request."

with

"Attendee registration details, judging sheets, protest forms, and related paperwork are not necessarily public. They are the shared property of the host and the International Unicycling Federation. On request by the IUF Board, the host must make these available to the IUF. Digital data can obviously be copied. Data on paper can either be copied, or the originals can be handed to the IUF."

The other text in 1A.6 seems good as it is.

Comment

Do you really want to have possession of several boxes of paper forever? There should be a time limit for storing any paper copies. Before 'handing to the IUF' any papers, it might be interesting to know if they even want it.

Comment

No, I'm not suggesting to keep forever. The 'handing to the IUF' is derived from the original 'must be made available'. 

Your concern as to whether IUF even wants those boxes of paper is covered by "On request by the IUF Board".

Maybe we should say that the host is not required to keep data on paper for more than a year after the convention. So if the IUF wants it, they have a year to request it.

Digital data is easier to keep for a long time. But also here, I think that the IUF should be allowed one year to request digital data. That implies that a year after a convention, a host has no obligations towards the IUF anymore. Is that reasonable?

Comment

The paper kept for a year is good in my opinion; we need comments by Scott and/or Ken.

Comment

I think it's important to consider what kind of data we're talking about and outline policies for each item. There are clear privacy implications with a bunch of the data that's currently available in the system (like being able to see non competing participants) and it's worth asking if it makes sense to keep it all.

The data that's clearly of historical significance is results and records.
Protests are interesting to keep track of in that it gives us a jumping off point for clarifying the rules.
Financial records, internal documents and deliberations can be interesting to make available for the next hosts, but IUF would already be privy to a lot of that already.

There's no benefit to keeping information about who has signed up for workshops or who participated in the final party or the bus tour to muni seem of less significance.

There could be deliberations about the status of transgender competitors (especially if the 4-/6-year no change rule is implemented later) which should obviously be kept confidential but is something that's going to be referenced later.

Judging sheets from freestyle should/should not be made available based on a deliberation about who exactly needs to be able to see that and how to ensure the judges remain impartial.

~~

I would turn the paragraph on its head and write explicitly what data must be kept around and state it's up to the host and the IUF to ensure that data gets recorded. Everything that's not mentioned there can be tossed and then there's certain kinds of data produced that should be tossed (like judge notes).

Comment

1A.6, I believe, stems directly from Unicon X, but may also have been from what happened at earlier conventions. The hosts run the convention, they survive to the end without dying from lack of sleep or wanting to kill each other, and they're tired. Months later, they can't be bothered to share the results and/or other data. The act like they own it, which they should not; some of that data is unicycling history, and must be preserved.

There's a whole story about the competition data (at least for racing) from Unicon X, but I won't take up space here with it. Suffice it to say there were a lot of errors, and the people in charge were more interested in covering up mistakes than trying to fix them. That's the G-rated version.  :-)

So the purpose is to ensure that competition results info, especially, is shared and preserved, and not the "property" of any third party. Currently we have a professional team of data-meisters that are very much on top of this, and are taking very good care of all that data. But none of us will be around forever, so it would be good to retain some sort of a statement about the data generated by uni competitions, that at least the results should be public information.

BTW, I have a lot of paper from the early Unicons. It's on my list of stuff to do, at some point, after I retire, and after I do a bunch of other stuff, but before I die, to get it all digitized...

Comment

Paper kept for a year and accessible upon request by the IUF sounds reasonable to me. Results must be submitted to the IUF in a digital format (e.g. PDF), and we create a Zip archive. I think digital 

All data must be kept according privacy laws. That doesn't need to be stated in the rulebook.

Comment

Sorry, hit go too soon. I think all digital event data should be kept for at least 2 years.

Comment

"All data must be kept according privacy laws." <– to be compliant with privacy laws we need to explicitly state which pieces of data is kept for what reasons, for how long, who it's shared with and how it's being kept secure. Further people need to give explicit consent for each type of data that's being recorded and overall there should be a design that minimizes data collection.

It would probably make the most sense to state the exact data that must be kept as historical and allow the IUF board/hosts to decide on a privacy policy for the rest.

That said there are still a mad amount of data that can safely and should be deleted immediately after a Unicon: dietary preferences and t-shirts sizes for instance.

There's likely a bunch of data the hosts must keep onto for legal reasons (like for accounting) but in general it's hard to see any rationale for keeping all the paper notes (what exactly is it that isn't being digitized on the spot?). Data that neither the hosts nor the IUF need post convention should be deleted.

Comment

"Can be safely deleted" and "Is practical and easy to delete" are two entirely different points. The law is not really concerned with what is easy to delete, but we as organizers are quite concerned with this. I'm not going to manually go in and delete t-shirt data one by one after I finish organizing a big event.

Also, saving t-shirt data has proved useful in the past. I have looked up a competitors past shirt size in order to determine something else.

Ownership of data and data privacy are related topics, but also separate. The privacy topic is clearly complicated, and may require additional research.

Comment

"Can be safely deleted" and "Is practical and easy to delete" <– the question is what purpose the data was collected for and if it's used in accordance with that purpose. FWIW using a single master application to handle all data should make it easier to delete the data when it's no longer needed as everyone would access it through the app.

"Also, saving t-shirt data has proved useful in the past. I have looked up a competitors past shirt size in order to determine something else." <– this is a violation of all data ethics and European data regulations. People provide their t-shirt sizes for the purpose of getting a t-shirt that fits and nothing else.

"Ownership of data and data privacy are related topics, but also separate" <– actually no, not in the eyes of the (European) law. For one IUF or Unicon hosts don't "own" personal data, the person handing it over does (for EU residents and all participants at European events). For aggregated or historical data (like results) IUF can clearly be said to be the owner. Regardless of ownership the simple fact that the IUF handles the data make it liable for how it's stored, used and shared – collecting more data increases the liability.

"The privacy topic is clearly complicated, and may require additional research." <– Yes. I suggest reading up on GDPR: https://eugdpr.org/the-regulation/

~~

I've suggested a couple of ways this can be brought up to date. As it stands now it would be illegal under threat of fines for the Unicon hosts in 2020 to hand a lot of that data over to IUF.

Comment

ONE

My objective for starting this discussion was to get clarity specifically on "and must be made available upon request". I know understand what is meant (i.e. by the host, to the IUF), and I think this clarity is also needed in the Rulebook text. I will write a small text proposal for this.

TWO

I am certainly no expert on GDPR. Therefore, my proposal does not address any GDPR or data privacy concern. I offer the following merely as a layman's suggestion:

The rulebook states that all data are the shared property of the host and the IUF. So I suggest that at the time anyone registers through UDA, it must be made clear by the registration form/webpage that whatever convention they are registering for, is organised under the auspices of the IUF, and their data will be available to both the host and IUF. If that is accepted by the registrant, then there can be no problem if the hosts provides the IUF with registration data. Results data is public anyway.

Comment

I think it's a great proposal. There's a clearly stated purpose for how the data is collected, it states what the time limit for hosts to hold on to data is (1 year), who owns the data and that interested people can get access to the data or have explained deliberations that they may have questions about.

As you mention a lot of the practical stuff (especially) around GDPR compliance is not covered, but it doesn't seem like a weakness that a finer policy that adheres to the goals of the rulebook exists elsewhere.

Comment

@Magnus: just to be sure, are you referring to the actual proposal?
Or perhaps to my suggestion under TWO above, with the possible implication that this should be processed into the proposal text?

Comment

To clarify: I think it's a great proposal that covers all the bases.

As for TWO above I agree. We've used the UDA for a number of competitions in Denmark and we're going to start the process of making it GDPR compliant for our competitions next year – that should solve the issue for all who depends on the application.

Comment

Should I work TWO into the proposal? Or is this outside the scope of the Rulebook?

Comment

TWO is outside the scope of the rulebook. It's up to the organizers and the IUF to decide on how to practically collect and manage data and I don't think it's up to the rulebook to specify if the UDA or some other system should be used.

As to GDPR and the UDA it should be made clear how it's collecting data for IUF and how that data is used and shared. As you mention the way that would be achieved is with a popup or similar explaining where people can find more information about it. This is something that should be worked on outside of the rulebook though.

Comment

OK so I will keep the proposal as it stands.

The GDPR / privacy / data collection issue looks like something that should be picked up by the IUF with some pointers from this discussion. I'm leaving it here.


Copyright ©

IUF 2018