Data Use & Protection: Difference between revisions

From Freegle Wiki
Line 17: Line 17:


Personal Data on Freegle Direct :
Personal Data on Freegle Direct :
- email address
{| class="wikitable"
- User name
! Function
- Post code
! Personal data recorded
|- valign="top"
| Membership Detail || - email address <br>- User name<br>- Post code
|-
| Address Book || - Post Code (user could enter a different one to that stored with the membership detail)<br>- Directions - Often this will contain the user's address and other detail to help others navigate to their address)
|}


Although this information may not directly identify an individual, it may do if their real name was in their email address.
Although this information may not directly identify an individual, it may do if their real name was in their email address.


Additionally if the Address book function is used
Additionally if the Address book function is used
- Post Code (user could enter a different one to that stored with the membership detail)
 
- Directions - Often this will contain the user's address and other detail to help others navigate to their address)




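Review bot: the line "Additionally if the Address book function is used" survives in the new revision with nothing under it, because the post code and directions bullets that used to follow it were moved into the Address Book row of the new wikitable; drop that orphaned lead-in, or fold it into the Address Book row as a note that those fields are only recorded when the function is used, so the section does not end on a dangling sentence.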
Line 43: Line 47:
| Consent || GDPR has strengthen the consent needed, so organisations can't assume that you consent to them keeping your data, they <br> must get positive confirmation from you to retain it, and they need to tell you what they will use if for in plain language. <br> Plus they need to give you the ability to withdraw consent. || Freegle is ensuring that all the personal data you are asked for is the minimum required to run the, has clear information about how it will be used, buttons that clearly allow consent or not (usually "OK xxxxx" or "cancel") and a way to later withdraw consent (this may be leaving freegle).
| Consent || GDPR has strengthen the consent needed, so organisations can't assume that you consent to them keeping your data, they <br> must get positive confirmation from you to retain it, and they need to tell you what they will use if for in plain language. <br> Plus they need to give you the ability to withdraw consent. || Freegle is ensuring that all the personal data you are asked for is the minimum required to run the, has clear information about how it will be used, buttons that clearly allow consent or not (usually "OK xxxxx" or "cancel") and a way to later withdraw consent (this may be leaving freegle).
|-
|-
| Right to Access || You can obtain confirmation from an organisation if they are processing your personal data. You also have the right to get a copy of any personal data held in a standard electronic format || Freegle will be adding in a function under the settings tab to enable you to download all of your personal data and settings.
| Right to Access & Data Portability || You can obtain confirmation from an organisation if they are processing your personal data. You also have the right to get a copy of any personal data held in a standard electronic format, so you can transfer it to other organisations. || Freegle will be adding in a function under the settings tab to enable you to download all of your personal data and settings.
|-
| Right to be forgotten || This means that you have the right to have your personal data erased on request, or if it is no longer relevant to the processing that consent was given for. || Freegle will enable you to have erased the personal data in the Address Book function. However if you want to erase your membership data then it will mean that your membership login will be deleted.
|-
| Privacy by Design || This means that the systems your data is held on need to be designed to keep the minimum data necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing. || Freegle already has access protection in for its Freegle Direct system and keeps the least personal data possible to deliver the Freegle services.
|-
| Breach Notification ||  Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Organisations will also be required to notify their customers “without undue delay” after first becoming aware of a data breach. || If Freegle became aware of any breach or hack as its more commonly known we will let our members know via email and the UK Data Protection Authority. Luckily we don't keep anything sensitive, and therefore its unlikely to risk anyone's rights or freedoms.
|-
| Penalties || If an organisation violates the GDPR regulations it can be fined up to 4% of its annual global turnover || We at Freegle understand this is aimed at big corporations so they take it seriously. We too take it seriously as without the trust of our members Freegle wouldn't be able to function.
|-
|-
|  
| Data Protection Officer || The GDPR law DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. ||Although the law doesn't require organisations like Freegle to appoint a Data Protection Officer we will be having a volunteer position to look at this areas for us. They can be contacted by email at DPO@ilovefreegle.org
|}
|}



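Review bot: the second `|-` added after the Penalties row and the stray `|  ` line that follows it leave an empty row in front of the new Data Protection Officer entry; delete the extra `|-` and the `|  ` line so the table renders cleanly. While here, the unchanged Consent row still reads "GDPR has strengthen" and "what they will use if for", which should be "strengthened" and "use it for", and "the minimum required to run the," is missing its object.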
Revision as of 16:21, 14 September 2017

This page explains what personal data Freegle keeps, why it keeps it and what it does with it, in terms of processing, protecting and deleting it. Hopefully this is a straightforward explanation for Freegle members. There is also a link to our Data Protection Policy, which is more detailed and is there so we can show our compliance with the relevant data protection legislation.

Where does Freegle keep data?

The majority of the data Freegle holds is kept in the platform we call Freegle Direct (see [1]). This is where all groups are held (apart from those in Norfolk [2] and the few groups still only on Yahoo Groups) and where the Freegle posts are shown. Where Freegle Direct co-exists with Yahoo Groups, Yahoo keeps other data that Freegle itself does not. Freegle Direct also allows users to log in using their Google, Yahoo or Facebook credentials, which are authenticated by those services, so the data those companies keep and their compliance with the legislation is up to them.

In addition the national volunteers keep data about their roles such as finance, media and IT development. !!!!We need to audit what personal data is kept beyond personal emails to quantify and set policy here. !!!

Finally local groups may keep information about how the group is running. We are currently (April 2017) looking into what local groups typically keep so we can advise them and come up with the appropriate guidance and policy.


What Personal data does Freegle keep?

Freegle keeps little personal data, and nothing that would be called sensitive.

Personal data on Freegle Direct:

{| class="wikitable"
! Function
! Personal data recorded
|- valign="top"
| Membership Detail || - email address<br>- User name<br>- Post code
|-
| Address Book || - Post Code (the user could enter a different one to that stored with the membership detail)<br>- Directions (often this will contain the user's address and other details to help others navigate to their address)
|}

Although this information may not directly identify an individual, it may do so if their real name is in their email address.

The Address Book fields are only recorded if the Address Book function is used.


How does Freegle ensure it complies with Data Protection Law?

Freegle relies on trust to continue to work. Therefore it takes its responsibilities seriously around data protection. We fully comply with current UK law in this area, even though we are not required by the Information Commissioner's Office to register.

We are currently reviewing what we do to ensure that we are compliant with the new EU law called the General Data Protection Regulation, commonly known as GDPR [3], which takes effect from 25th April 2018. The UK government has stated that it will be transferring GDPR into UK law, so it will remain relevant after any Brexit decisions.

Key Elements of GDPR and what Freegle are doing

{| class="wikitable"
! GDPR Area
! What this means
! What Freegle are doing
|-
| Consent || GDPR has strengthened the consent needed, so organisations can't assume that you consent to them keeping your data. They must get positive confirmation from you to retain it, and they need to tell you in plain language what they will use it for. They also need to give you the ability to withdraw consent. || Freegle is ensuring that all the personal data you are asked for is the minimum required to run the Freegle services, that there is clear information about how it will be used, that there are buttons that clearly allow consent or not (usually "OK xxxxx" or "cancel"), and that there is a way to later withdraw consent (this may mean leaving Freegle).
|-
| Right to Access & Data Portability || You can obtain confirmation from an organisation as to whether they are processing your personal data. You also have the right to get a copy of any personal data held, in a standard electronic format, so you can transfer it to other organisations. || Freegle will be adding a function under the settings tab to enable you to download all of your personal data and settings.
|-
| Right to be forgotten || This means that you have the right to have your personal data erased on request, or if it is no longer relevant to the processing that consent was given for. || Freegle will enable you to have the personal data in the Address Book function erased. However, if you want to erase your membership data then your membership login will be deleted.
|-
| Privacy by Design || This means that the systems your data is held on need to be designed to keep the minimum data necessary for the completion of their duties (data minimisation), and to limit access to personal data to those who need it to carry out the processing. || Freegle already has access protection in place for its Freegle Direct system and keeps the least personal data possible to deliver the Freegle services.
|-
| Breach Notification || Under the GDPR, breach notification will become mandatory where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach. Organisations will also be required to notify their customers "without undue delay" after first becoming aware of a data breach. || If Freegle became aware of any breach (or hack, as it is more commonly known) we will let our members know via email and notify the UK Data Protection Authority. Luckily we don't keep anything sensitive, and therefore it is unlikely to put anyone's rights or freedoms at risk.
|-
| Penalties || If an organisation violates the GDPR regulations it can be fined up to 4% of its annual global turnover. || We at Freegle understand this is aimed at big corporations so that they take it seriously. We too take it seriously, as without the trust of our members Freegle wouldn't be able to function.
|-
| Data Protection Officer || Under GDPR, appointing a DPO will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences. || Although the law doesn't require organisations like Freegle to appoint a Data Protection Officer, we will be having a volunteer position to look at this area for us. They can be contacted by email at DPO@ilovefreegle.org
|}


What about groups that are on Yahoo Groups for the Norfolk system?

What about users of TrashNothing?

Useful Links