PRESENTER OPINION: The Hobby That Trusts Too Much: Ham Radio's Data Protection Crisis

There is a quiet irony at the heart of amateur radio. Ours is a hobby built on the principle of communication — of reaching out across continents, of connecting with strangers in the ether, of broadcasting our presence to the world. We accept, willingly and openly, that our callsigns are public. Our names and addresses are registered with national regulators. Anyone with internet access and a passing curiosity can look us up. That is the deal we sign when we get our licence, and most of us are perfectly comfortable with it.

But there is a world of difference between information that is publicly available and information that is actively handed to someone without our consent. And that distinction — painfully obvious in law, in ethics, and in plain common sense — appears to be one that our national organisations are struggling to grasp.

The IRTS Incident: A Breach From Within

The recent data breach at the Irish Radio Transmitters Society (IRTS) is, in some ways, the most troubling kind of incident an organisation can face. It was not the work of a sophisticated criminal gang operating from a server farm in Eastern Europe. It was not a ransomware attack launched by an "international cyber group." It was an authorised person making an unauthorised download of member data.

Let that sink in for a moment.

Someone who had been trusted with access to the IRTS membership database used that access in a way they were not permitted to. The data did not walk out through a broken door — it was carried out through an open one, by someone who had a key.

This matters enormously, because it tells us something specific and uncomfortable about the state of data governance in our national societies. It is not enough to protect systems from outside attackers if there are no robust controls governing what authorised users can do with the data once they are inside. Access controls, audit trails, data minimisation policies, role-based permissions — these are not optional extras in a modern data governance framework. They are the baseline. They are the minimum that any organisation holding personal data about its members is legally and morally required to have in place.

Ireland's GDPR obligations, enforced by the Data Protection Commission, are not suggestions. They are law. And they apply just as much to a volunteer-run amateur radio society as they do to a multinational corporation.

The "It's Public Anyway" Fallacy

Already, one can hear the murmuring in the shack: "But our data is public anyway. Anyone can look up a callsign."

This is a seductive argument, and it is almost entirely wrong.

Yes, a callsign is public. Yes, a licensed amateur's name and broad location are registered with ComReg and can be found by anyone who looks. But the IRTS — like all national societies — holds far more than that. It holds email addresses, phone numbers, membership histories, subscription records, payment information, and potentially details about a member's health, employment, or other circumstances gathered through the ordinary course of membership administration. It holds, in short, the kind of aggregated personal profile that transforms individually innocuous facts into something genuinely sensitive.

There is also the matter of consent. A ham radio operator consents to their callsign being public. They do not consent to their compiled membership record being downloaded and distributed by an individual with a grievance, an agenda, or simply poor judgement. The existence of public data does not create a licence to misuse private data held alongside it.

The "it's public anyway" argument is the data protection equivalent of saying "well, your house faces the street, so I'm entitled to walk through your front door." It does not hold up.

A Pattern That Should Shame Us All

The IRTS incident does not exist in isolation. In recent years, our national organisations have accumulated a record of data failures that should give every licensed amateur serious pause.

In May 2024, the American Radio Relay League (ARRL) — the world's largest national amateur radio organisation, with resources that dwarf those of most others — suffered a sophisticated ransomware attack by what the FBI described as a "malicious international cyber group." The organisation's phone systems went down, its celebrated Logbook of the World service was taken offline, and member data including names, addresses, and — in the case of some employees — social security numbers was compromised. What made a damaging incident worse was the ARRL's handling of it: months of near-silence, grudging disclosures, and a communication style that members rightly described as opaque and unprofessional. Trust, once lost, is not easily rebuilt by an organisation that appears to be more concerned with managing its own reputation than with keeping its members informed.

The Radio Society of Great Britain (RSGB) has had its own bruising encounters with data protection. A complaint to the UK's Information Commissioner's Office regarding the RSGB's handling of personal data was upheld, with the ICO finding that the society had "infringed the Data Protection Act 2018 / GDPR" by failing to keep personal information securely. The RSGB's initial response to that complaint — claiming there had been "no data processing" in relation to the incident — was, to put it charitably, difficult to reconcile with the facts as the ICO subsequently found them.

These are not small organisations operating on goodwill and hope. The ARRL has a paid staff, a headquarters, and decades of institutional resources. The RSGB has over 21,000 members and a substantial annual income. If they cannot get data protection right, what hope do we have for smaller societies operating entirely on volunteer effort?

The Scale Problem

And here we arrive at what is, perhaps, the most uncomfortable question in this whole debate.

The IRTS has just over 1,000 members. It has no paid employees. Every function of the society — from administering examinations on behalf of ComReg, to producing the weekly radio news bulletin, to managing the membership database — is carried out by volunteers who give their time generously and deserve enormous credit for doing so.

But goodwill is not a substitute for governance. And governance, in the modern data protection era, requires expertise, systems, and — critically — time. It requires someone to write and maintain a data protection policy. It requires audit trails to be configured and monitored. It requires access controls to be implemented and reviewed. It requires a data protection officer, or at least someone with formal training, to oversee compliance. It requires, in short, the kind of sustained institutional attention that is genuinely difficult to maintain when you are running an organisation on the side.

No one should criticise IRTS volunteers for not being data protection professionals. That is not their job, and it would be unfair to suggest otherwise. But it is entirely reasonable to ask whether the current model — in which small national societies attempt to shoulder the full burden of data compliance with minimal resources — is sustainable or, frankly, safe.

A Case for Consolidation

If national organisations cannot adequately protect the data of their members, then it is time to have an honest conversation about whether the current structure of those organisations serves members' interests.

There is a compelling case for consolidation. A merged or federated national organisation — one that combined the membership bases of the smaller societies across the British Isles and Ireland, for example — would achieve scale in several important respects. It would have a larger income from which to fund proper data infrastructure, including secure systems, professional compliance oversight, and the kind of cyber resilience that is not achievable on a shoestring. It would have a larger pool of volunteer expertise to draw on, including the IT professionals, data protection specialists, lawyers, and security practitioners who are almost certainly already members of these societies but whose skills are rarely harnessed in any structured way. And it would have the institutional weight to advocate more effectively for amateur radio at a regulatory level, at a time when spectrum pressure and the decline of new licence applications make such advocacy more important than ever.

Consolidation is not without costs. Local identity matters. The ties that bind a member to their regional society are real and valuable. A one-size-fits-all approach to amateur radio in Ireland and the UK would lose something. But the alternative — a patchwork of small societies each holding member data without the resources to protect it properly — is not without costs either. Those costs are paid by ordinary members whose data is exposed, misused, or simply not handled with the care they have a right to expect.

What Needs to Happen Now

In the short term, the IRTS owes its members a full, transparent account of what happened, what data was affected, and what steps have been taken to prevent recurrence. Affected members should be notified in accordance with GDPR requirements. The Data Protection Commission should be informed if it has not been already. And a proper review of access controls, data governance policies, and audit procedures must follow.

In the medium term, every national amateur radio society — not just the IRTS — should be conducting an honest self-assessment of its data protection posture. Are audit logs in place? Are access permissions regularly reviewed? Is there a documented data retention policy? Is there a breach response plan? If the answer to any of these questions is "we're not sure," then the answer is effectively no, and action is required.

In the longer term, the amateur radio community needs to decide what kind of national organisations it wants. Ones that muddle along with good intentions and insufficient resources, hoping that nothing goes wrong? Or ones that are properly equipped — technically, legally, and institutionally — to serve their members in the twenty-first century?

We spend a great deal of time in this hobby worrying about interference on the bands. It is time we started worrying equally about interference with our data.