How does GDPR affect what we write in the sources section

Question

Through conversation in the comments, I am expanding the scope of my question:  has Wikitree management provided guidance yet on what information must not be put on profiles of non-living people to be compliant with GDPR?  If not, then I hope they will do so.

Original post: The FAQ and announcement say "DNA test information" for living people will be removed under GDPR.  If people have included a source in the bio using the template, will a bot be able to identify such a source and remove it?  If not, or regardless since there are many people that don't always stick to the template, are we to remove this information from the sources section?  Is there a way instead to sufficiently anonymize it that would be acceptable, such as cutting everything except the statement of confirmation and referring the person to a certain profile manager if they want more information?

Comments

Another issue is obituaries. We often link to FindAGrave or post a link or the obituary itself to those that are deceased. This contains information on living individuals. Names of children, grandchildren, greats, siblings, parents. They often list where they reside and Spouse's names. Some list religious or group affiliations that the deceased and their living spouse are a member of. It often contains years of marriage. All of these things can be considered a violation of the new EU laws. So it' not just DNA confirmation citations that can be a issue. As mentioned above, census reports from the 1920's, 30's, 40's and 50's are likely to contain names and ages sometime with the month of birth, Years married, Number of children born/living, occupations, race, education, rent or owned a home. It will be next to impossible to eliminate information on living individuals. Even death certificates can give info on living individuals as well as naturalization papers and marriage license and birth records. Many of things are primary sources that we all use. I certainly don't want to see wikitree having to start unlisting deceased people that could have the potential of a living child, grandchild, or great grands. I don't see how there is a way to be completely compliant. Too much info is out there.

---

I just don't see how WikiTree can be considered the watchdog for all of these public places where information concerning living people is for all to view.  The fact that they are bending over backward to do what they are doing now should be considered the end of their responsibility.

---

I don't disagree.  But my concern isn't what their responsibility should be -- its what the new law says it must be.  They can't possibly spell out every nuanced requirement, but I'd like some more clarity even so.

Answer 1

See what I wrote at https://www.wikitree.com/wiki/Clark-18807 :

DNA confirmation of Allen Gates Clark's relationship to his mother (maternal relationship), born Mary Simonds, is based on three-way autosomal DNA matches between three great-grandchildren of Allen Gates Clark (two grandchildren of Doris (Clark) Smith, including Ellen Smith, and a grandchild of Louise (Clark) Anderson), and a great-great grandchild of Mary Simonds' sister Martha (Simonds) Howe (grandchild of Martha Elizabeth (Howe) Anderson), sharing a 16.5 cM segment on X chromosome from 32,000,000 to 43,000,000 (testing by 23andMe). The Simonds ancestor is predicted to be a potential X-chromosome contributor for all four persons tested. Additional two-way matches exist between individual Mary Simonds descendants and the Martha Simonds descendant, on chromosomes 1, 11, and X.

I described the match without naming any living people other than myself.

Comments

A name is not the only way to find a person.  You have included "identifying information" for these living people in the form of relationships to other named people.  Perhaps in this form it is okay.  I don't know. My question is about the extent of Wikitree's policy about removing "DNA test information".  What constitutes such information?  What is allowed?  What is prohibited?

---

Note that there are no WikiTree profiles for any of the living people mentioned in my note other than the ones who are members of WikiTree. Indeed, there are no profiles for any of the living or deceased children and grandchildren of Louise (Clark) Anderson and Martha (Howe) Anderson. About all that we have here is "an unidentified grandchild of this person took a DNA test and here's something we determined from the results."

---

This subject is so complicated.

Even apart from DNA, I have used living authors (or potentially living authors)  as sources.  If I identify any living person in a source citation, am I also breaking the GDPR rules?  I hope the fact that a person has published under his/her own name excludes them from these restrictions.  

And are there differences between "published sources" and information published less formally online?  

What if I get a photograph of a dead relative from a relative who is still living?  I guess I could do what you did, "person who commented before the person who just commented" ;-) -- and identify the source of the photo as being from the "Living granddaughter of Joe Shmoe".

Reba

---

I'm doubt it matters whether the person has a profile, because I doubt the law makes any specific reference to information housed as a webpage dedicated to a specific profile of a living person.  WikiTree has always required its users to respect privacy of living people (the honor code only refers to information about "family members" -- perhaps that should be revised).  It seems to me there is a looming question about whether WikiTree needs to get much more serious about enforcing this policy in reaction to GDPR.  Right now the focus seems to be almost solely on privacy levels of profiles and how DNA propagates from these profiles.

Perhaps "unidentified grandchild" is anonymous enough.  But in my family, both my mom and my wife's parents have just a single grandchild.  So this information would be enough to identify the exact person.  Even if it only narrows the list to a handful, is that enough?

---

I do not believe that stating that I have a brother that is related to me is against GDPR.

You need to include unique identifying information which is defined as name, birth date, address, etc.

As long as it is impossible to identify the person you are talking about using Wikitree, it should be OK.

---

The law defines 'personal data’ as follows: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

I don't see the the law restricts to processing only of data which is a unique identifier.  But even if it did, if you have only one brother, that would be a unique identification.  Or since Ellen lists in her example an X-match, perhaps knowledge of X-descent patterns combined with the grandchild designation could uniquely identify the person.  

---

There is no way to prove that I have only one brother. Even I cannot prove that I do not have a brother that was adopted out. The only way to uniquely identify him is to say my brother who was born on such an such a date. (Or by attaching sources pointing to a unique identifier)

It is like saying my grandparents had 50 grandchildren. That is legal as well. The unique information would be in identifying my grandparents not their grandchildren.

---

Even stating "your brother who was born on such and such a date" would not proveably uniquely identify him.  Nor would saying "paternal grandfather".  There will be no undeniable proof of any identification.  The question is, how will WikiTree interpret the law so as to be compliant?  Where is the line drawn at information placed on profiles of nonliving people?  So I rewrote my original post to expand it to this scope.

---

Yes this is true. I think wikitree is actively taking the wrong course, and I will keep saying it over and over again as an alert.

People seem to think that the GDPR is designed so that Joe Blow cannot do a Google Search and get information about me.  That is a very small piece. There is a larger piece that data collectors (like Wikitree) not process or collect identifying information about individuals without their consent. This is where the current push to add birthdates to living individuals is very misguided. Also, sources. At Family Search, they recognize, you should not be able to attach sources to living individuals. When you add a record there, you must indicate whether the person is alive or dead.  Only after you have decided they are dead, can you begin to attach sources.

The retention of identifying data, wether availabe to the public or just to wikitree admins, is not allowed under GDPR. The data must be anonymized and used only for the research purposes allowable.  It is allowable to record that I live in a family, how big my family is, and I would guess, for genealogical purposes, knowing my surname is also fine. When we start attributing dates and forenames, we are getting into murky water.

---

My calling my brother Anonymous Martin and giving no more information than he is my brother, it would be impossible for you to know who he was, unless you already knew all of the information I entered into wikitree to create him. If I made him Red Privacy, even he could not find himself.

https://www.gdpreu.org/the-regulation/key-concepts/personal-data/

I am using him only for genealogical information, so then, it becomes a question of do I have a right to do this research or not? It definately is ambiguous which is why the World Familes (FTNDA working groups) is shutting down.

I hope that we make informed intellegent choices that are respectful of both people's privacy and our rights as genealogists to reserach our ancestors with new and improved tools.

Also, the idea of adding someones email to their wiki-ID as an invitation is also a possible violation of GDPR. A system need to be in place which after a set amount of time, if an inivation is not processed, the indentifying email should be expunged.

Answer 2

Wow does that mean US Census info is an issue?  There are a lot of listings with the household named.

Comments

I've wondered that myself, but I'm going to let the US government defend themselves on that one. I suspect they'll challenge the ruling if someone tries to bring it up as their sovereign right to release data gathered by the US government based upon an agreed upon date. Just as it would be the EU's right to find some way to block any site that has that sort of data stored there as a primary document (family search, Ancestry, etc.). Just another one of those interesting down-the-road things that will come up. It would be interesting to see that presented in some sort of international courtroom.