Security and Data Protection

Everyone working or participating in our consortium with privileged access to member or respondent information of any kind needs to know what to do if they hear of a possibility of breach or have a suspicion that the privacy or integrity of that information has been compromised.

Respect for privacy is fundamental to Co-Op Credentials and is something that should differentiate us from surveillance capitalism and many casual social media platforms. It would be immensely damaging to us if a public breach were to occur - reputationally and financially.

Security Incidents

We are regulated by GDPR in our respective jurisdictions and under those regulations we must:

  • know how to recognise a personal data breach.
  • understand that a personal data breach isn’t only about loss or theft of personal data.
  • have prepared a response plan for addressing any personal data breaches that occur.
  • have allocated responsibility for managing breaches to a dedicated person or team.
  • know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

Our Draft Response Plan is very simple for now:

  • If you recognise a breach, or potential for a breach, please report it immediately to Title: “Incident”. Do not include detail or personal data in the email
  • When asked to provide detail please use a more secure message channel (telegram, signal, keybase). Provide a description of the nature of the personal data breach including, where possible:
    – the categories and approximate number of individuals concerned; and
    – the categories and approximate number of personal data records concerned

Our security team is small for now: it’s Angus McLeod and Nick Meyne. You can contact them at

We will record the risk or incident and then escalate and agree wider reporting to the impacted individuals or the relevant authorities. We will maintain a security risk register and conduct a risk assessment process.


Anyone with administrator or otherwise privileged access is expected to use long, unguessable passwords, to change them regularly and to manage them with a secure ‘vault’ tool like bitwarden, or something similar.

Data Protection


The policies we have adopted are drawn from the EU Horizon 2020 guidance:

Subject Access Requests

The subjects (members, survey respondents… everyone identifiable) of the personal data we control have the right to:

  • be informed if, how, and why their data are being processed;
  • access and get a copy of their data;
  • have their data corrected or supplemented if it is inaccurate or
  • have their data deleted or erased;
  • limit or restrict how their data are used;
  • have data portability (get a copy of all their data);
  • object to processing of their data;
  • not to be subject to automated decisions without human involvement, where it would significantly affect them.

Subjects have a right of access and organisations must provide transparency. The law is strict and a timely response is critical. We must therefore record and respond promptly to subject access requests. If you receive a data protection complaint or ‘subject access request’ from anyone:

  • please report it immediately to Title: “Subject Access”. Do not include detail or personal data in the email, but
  • record the name and contact details of the person making the request;
  • record the time of original contact and keep a copy of relevant correspondence
  • please use a secure message channel (telegram, signal, keybase) to communicate the nature of the concern or need.

Our Data Protection Officer is Nick Meyne

Please also see our guidelines for forum participation and moderation.


Data Processor vs Data Controller seems Relevant, here

1 Like