Data Protection Guidelines

From Freegle Wiki
Revision as of 08:02, 29 January 2019 by Edwh (talk | contribs)

Guidelines for Volunteer Moderators

This guidance is aligned to the sections of the Freegle Data Protection Policy.

Definition of Personal Data - This is anything that can identify a living person. In your role as a moderator it will typically be things like their email address, postal address and possibly other things they write in emails.

Corresponding with Members - We advise that you try to correspond with members using the chat function on the Freegle Direct system. If you do keep a copy of correspondence in your own email store, we ask that you keep Freegle messages in a separate folder. We advise that you have an email client that allows you to search for users to assist with requests for data, and a way of deleting data that is older than the Freegle retention policy limit. See Data Protection Policy.

Obtaining Consent - You are not expected to ask for consent to use emails people send you. However, if information is sent to you clearly only about Freegle, as good practice you should not use this information outside of the Freegle context for which it was sent.

Allowing Access to Data - All personal information you retain for your role in Freegle could be in scope of a Subject Access Request [SAR]. This is where anyone can ask for a copy of all the information about them that Freegle (including its moderators) holds. These requests would come through the Data Protection Officer to ensure that they were reasonable and to give you search criteria to use to find it. For instance, we may ask you to send us all information you have pertaining to a particular scope or topic that has been cited in the SAR. This would include any correspondence about them, even if it wasn't addressed to them. Volunteers may feel that their commentary or notes about a member should remain private if it wasn't correspondence shared with the member. By law this is not the case unless covered by legal exemptions (the Data Protection Officer will clarify at the time of request), for example if it pertains to a criminal investigation. Exemptions can be seen here [1].

Deleting Data - Right to be forgotten - If anyone asks Freegle to delete their data, we are required by law to ensure we do this. Typically this will be by deleting their user information from a group. Due to the service we offer we will only do this in line with our published policy, so their posts may remain visible on the group for some time until they expire under our data retention policy. However, if we do get a request under this law asking for all data to be deleted, we will ask that moderators try to delete information in line with search criteria the Data Protection Officer will send to them. i.e. please can you delete all information you have on

Minimising Data Retained - However tempting it is to keep everything you've ever had about Freegle, we recommend that you only retain information that is essential for fulfilling the role you have.

Storing Data Securely - You should restrict access to all personal data you hold to only those with a legitimate need to see it. So if you have emails in a mailbox or file store (e.g. Google Docs), ensure that access is password protected. Where the mailbox or file store is a group one, ensure that only those who should be able to see it have access, by periodically checking who has rights and changing passwords when moderators leave the group.

Guidelines for Functional Groups and Teams (i.e. Freegle Central, Freegle Development, GAT, Mentors etc.)

Essentially the guidance above for volunteers should cover most of what national volunteers do as well. Please be aware that any data you retain will be in scope of a "Subject Access Request". It should be noted that correspondence around disputes would be available to a member should they submit a subject access request around this scope of information. Therefore, only write down things you would be happy for the subject of the correspondence to read.

Guidelines for the Data Protection Officer

The Data Protection Officer Role - Your role is to advise the Board of Freegle as to the extent of the organisation's compliance with Data Protection legislation. Neither you nor the role is the responsible party for compliance. You are there to provide a level of objective review of operations and advise on how Freegle may change to ensure compliance is maintained.

To do this you must periodically review the data being held by the different parts of the Freegle organisation and how it is stored and processed. Each time this is done it would be wise to record the outcome of the review, so that you can show any external body the process followed and the work that resulted from it.

Subject Access Request [SAR] processing - You should be the gatekeeper for the process. You need to try to respond in a timely manner to requests, review with those who would have the data any exemptions that would apply, then formally request all relevant parties to supply the data. You will then have to return the data in a common format to the requester. You may also have to ensure that the access request fee is received should Freegle impose a fee on this process.

It's essential to have familiarised yourself with the ICO guidance on Subject Access Requests found in the ICO Code of Practice.

Communications - It is your role to periodically update the Board and Membership on:

  • Works to do with Data Protection (i.e. surveys, or changes to the Freegle system for DP reasons);
  • Concerns or issues that you have discovered (these must be formally raised with the Board);
  • Changes to the law that it would be helpful for the Board and Membership to know.

Useful Links