Data Protection Guidelines: Difference between revisions

From Freegle Wiki
Jump to navigationJump to search
No edit summary
Line 5: Line 5:
This guidance is aligned to the freegle [[Data Protection Policy]] sections   
This guidance is aligned to the freegle [[Data Protection Policy]] sections   


Definition of Personal Data - This is anything that can identify a living person. In your role as a moderator it will typically be things like their email address, location and possibly other things they write in emails.
'''Definition of Personal Data''' - This is anything that can identify a living person. In your role as a moderator it will typically be things like their email address, postal address and possibly other things they write in emails.


Obtaining Consent - you are not expected to ask for consent to use emails people send you. However, if information is sent to you clearly only about Freegle, as good practice you should not use this information outside of the Freegle context for which is was sent.
'''Obtaining Consent''' - you are not expected to ask for consent to use emails people send you. However, if information is sent to you clearly only about Freegle, as good practice you should not use this information outside of the Freegle context for which is was sent.


Allowing Access to Data - All personal information you retain for your role in Freegle could be in scope of a Subject Access Request. This is where anyone can ask for a copy of all the information about them that Freegle (including its moderators) hold. These requests would come through the Data Protection Officer to ensure that they were reasonable and to give you search criteria to use to find it. For instance we may ask you to send us all information you have pertaining to fred.bloggs@hotmail.com. This would include any correspondence about them, even if it wasn't address to them.  
'''Allowing Access to Data''' - All personal information you retain for your role in Freegle could be in scope of a Subject Access Request. This is where anyone can ask for a copy of all the information about them that Freegle (including its moderators) hold. These requests would come through the Data Protection Officer to ensure that they were reasonable and to give you search criteria to use to find it. For instance we may ask you to send us all information you have pertaining to fred.bloggs@hotmail.com. This would include any correspondence about them, even if it wasn't address to them. Volunteers may feel that their commentary or notes about a member should remain private if it wasn't correspondence shared with the member. By law this is not the case unless covered by legal exemptions (the Data Protection Officer will clarify at the time of request), for example if it pertains to criminal investigation. Exemptions can be seen here [https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/].


Deleting Data - Right to be forgotten - If anyone asks Freegle to delete their data we have by law to ensure we do this. Typically this will be by deleting their user from a group. Due to the service we offer we will only do this in line with our published policy, so we may have their posts on the group visible for some time until they expire due to our data retention policy. However, if we do get a request under this law asking for all data to be deleted we will ask that moderators try to delete information in line with search criteria the Data Protection Officer will send to them. i.e. please can you delete all information you have on fred.bloggs@hotmail.com
'''Deleting Data''' - Right to be forgotten - If anyone asks Freegle to delete their data, we have by law to ensure we do this. Typically this will be by deleting their user from a group. Due to the service we offer we will only do this in line with our published policy, so we may have their posts on the group visible for some time until they expire due to our data retention policy. However, if we do get a request under this law asking for all data to be deleted we will ask that moderators try to delete information in line with search criteria the Data Protection Officer will send to them. i.e. please can you delete all information you have on fred.bloggs@hotmail.com


Minimising Data Retained - However tempting it is to keep everything you've ever had about Freegle we recommend that you only retain information that is essential for you fulfilling the role you have.
'''Minimising Data Retained''' - However tempting it is to keep everything you've ever had about Freegle we recommend that you only retain information that is essential for you fulfilling the role you have.
Practically we would advise you to maintain a separate folder for Freegle emails and periodically reviewing what you have in that folder. Our guidance would be to delete email that is over XX years old. You may wish to keep information you are sure will be needed longer term in a separate folder so it doesn't get lost in any general periodic deletions.  
Practically we would advise you to maintain a separate folder for Freegle emails and periodically reviewing what you have in that folder. Our guidance would be to delete email that is over XX years old. You may wish to keep information you are sure will be needed longer term in a separate folder so it doesn't get lost in any general periodic deletions.  


Storing data securely - You should keep the access to all personal data you hold to only those with a legitimate need to see it. So if you have emails in a mailbox or file store (e.g. Google Docs), ensure that access is password protected. Where the mailbox or file store is a group one, ensure that only those that should be able to see it can have access by periodically checking who has rights and changing passwords when moderators leave the group.
'''Storing Data Securely''' - You should keep the access to all personal data you hold to only those with a legitimate need to see it. So if you have emails in a mailbox or file store (e.g. Google Docs), ensure that access is password protected. Where the mailbox or file store is a group one, ensure that only those that should be able to see it can have access by periodically checking who has rights and changing passwords when moderators leave the group.


== Guidelines for Functional Groups (i.e. freegle Growth, Freegle Media etc ) ==
== Guidelines for Functional Groups (i.e. freegle Growth, Freegle Media etc ) ==


Its assumed that  
Essentially the guidance above for volunteers should cover most of what national volunteers do as well. Please be aware that any data you retain will be in scope of a "Subject Access Request". Even correspondence around disputes would be available to a member should they submit a subject access request, so only write down things you would be O.K for the subject of the correspondence to read.


Guidelines for the Data Protection Officer
== Guidelines for the Data Protection Officer ==
 
'''The Data Protection Officer Role''' - Your role is to advise the board of Freegle as to the extent of the organisation's compliance with Data Protection legislation. You, nor the role, is the responsible party for compliance. you are there to provide a level of objective review of operations and advise on how Freegle may change to ensure compliance is maintained.
 
To do this you must periodically review the data being held by the different parts of the Freegle organisation and how it is stored and processed. Each time this is done it would be wise to record the outcome of this investigation to show any external body the process and the work done from that.
 
'''Subject Access Request [SAR] processing'''- You should be the gatekeeper for the process. You need to try to respond in a timely manner to requests, review with those who would have the data any exemptions that would apply, then formally request all relevant parties to supply the data. You will then have to return the data in a common format to the requester. You may also have to ensure that the access request fee is received should Freegle impose a fee on this process.
 
'''Communications''' - It is your role to periodically update the board and membership on 1. works to do with Data Protection (i.e. surveys, or changes to teh Freegle system for DP reasons); 2. Concerns or issues that you have discovered [These must be formally raised with the Board]; changes to the law that it would be helpful for The Baord and membership to know


"How To" Section for Users


== Useful Links ==
== Useful Links ==

Revision as of 22:42, 5 November 2017

This Page will contain Guidelines for the implementation of Data Protection Policies

Guidelines for Volunteer Moderators

This guidance is aligned to the freegle Data Protection Policy sections

Definition of Personal Data - This is anything that can identify a living person. In your role as a moderator it will typically be things like their email address, postal address and possibly other things they write in emails.

Obtaining Consent - you are not expected to ask for consent to use emails people send you. However, if information is sent to you clearly only about Freegle, as good practice you should not use this information outside of the Freegle context for which is was sent.

Allowing Access to Data - All personal information you retain for your role in Freegle could be in scope of a Subject Access Request. This is where anyone can ask for a copy of all the information about them that Freegle (including its moderators) hold. These requests would come through the Data Protection Officer to ensure that they were reasonable and to give you search criteria to use to find it. For instance we may ask you to send us all information you have pertaining to fred.bloggs@hotmail.com. This would include any correspondence about them, even if it wasn't address to them. Volunteers may feel that their commentary or notes about a member should remain private if it wasn't correspondence shared with the member. By law this is not the case unless covered by legal exemptions (the Data Protection Officer will clarify at the time of request), for example if it pertains to criminal investigation. Exemptions can be seen here [1].

Deleting Data - Right to be forgotten - If anyone asks Freegle to delete their data, we have by law to ensure we do this. Typically this will be by deleting their user from a group. Due to the service we offer we will only do this in line with our published policy, so we may have their posts on the group visible for some time until they expire due to our data retention policy. However, if we do get a request under this law asking for all data to be deleted we will ask that moderators try to delete information in line with search criteria the Data Protection Officer will send to them. i.e. please can you delete all information you have on fred.bloggs@hotmail.com

Minimising Data Retained - However tempting it is to keep everything you've ever had about Freegle we recommend that you only retain information that is essential for you fulfilling the role you have. Practically we would advise you to maintain a separate folder for Freegle emails and periodically reviewing what you have in that folder. Our guidance would be to delete email that is over XX years old. You may wish to keep information you are sure will be needed longer term in a separate folder so it doesn't get lost in any general periodic deletions.

Storing Data Securely - You should keep the access to all personal data you hold to only those with a legitimate need to see it. So if you have emails in a mailbox or file store (e.g. Google Docs), ensure that access is password protected. Where the mailbox or file store is a group one, ensure that only those that should be able to see it can have access by periodically checking who has rights and changing passwords when moderators leave the group.

Guidelines for Functional Groups (i.e. freegle Growth, Freegle Media etc )

Essentially the guidance above for volunteers should cover most of what national volunteers do as well. Please be aware that any data you retain will be in scope of a "Subject Access Request". Even correspondence around disputes would be available to a member should they submit a subject access request, so only write down things you would be O.K for the subject of the correspondence to read.

Guidelines for the Data Protection Officer

The Data Protection Officer Role - Your role is to advise the board of Freegle as to the extent of the organisation's compliance with Data Protection legislation. You, nor the role, is the responsible party for compliance. you are there to provide a level of objective review of operations and advise on how Freegle may change to ensure compliance is maintained.

To do this you must periodically review the data being held by the different parts of the Freegle organisation and how it is stored and processed. Each time this is done it would be wise to record the outcome of this investigation to show any external body the process and the work done from that.

Subject Access Request [SAR] processing- You should be the gatekeeper for the process. You need to try to respond in a timely manner to requests, review with those who would have the data any exemptions that would apply, then formally request all relevant parties to supply the data. You will then have to return the data in a common format to the requester. You may also have to ensure that the access request fee is received should Freegle impose a fee on this process.

Communications - It is your role to periodically update the board and membership on 1. works to do with Data Protection (i.e. surveys, or changes to teh Freegle system for DP reasons); 2. Concerns or issues that you have discovered [These must be formally raised with the Board]; changes to the law that it would be helpful for The Baord and membership to know


Useful Links