Everyone working in or participating in our consortium with privileged access to member or respondent information of any kind needs to know what to do if they hear of a possible breach, or suspect that the privacy or integrity of that information has been compromised.
Respect for privacy is fundamental to Co-Op Credentials and is something that should differentiate us from surveillance capitalism and many casual social media platforms. A public breach would be immensely damaging to us, both reputationally and financially.
We are subject to the GDPR in our respective jurisdictions, and under those regulations we must:
- know how to recognise a personal data breach.
- understand that a personal data breach is not only the loss or theft of personal data: unauthorised access to, disclosure or alteration of, or loss of availability of personal data also count.
- have prepared a response plan for addressing any personal data breaches that occur.
- have allocated responsibility for managing breaches to a dedicated person or team.
- know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Our Draft Response Plan is very simple for now:
- If you recognise a breach, or the potential for one, report it immediately by email to firstname.lastname@example.org with the subject “Incident”. Do not include details or personal data in the email.
- When asked to provide details, use a more secure, end-to-end encrypted message channel (Signal, Keybase, or a Telegram Secret Chat; ordinary Telegram chats are not end-to-end encrypted). Provide a description of the nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned.
Our security team is small for now: it is Angus McLeod and Nick Meyne. You can contact them at email@example.com.
We will record the risk or incident, then escalate it and agree on wider reporting to the affected individuals or the relevant authorities. Note that the GDPR requires a notifiable breach to be reported to the supervisory authority within 72 hours of our becoming aware of it, so the initial internal report must not be delayed while details are gathered. We will maintain a security risk register and conduct a risk assessment process.
Anyone with administrator or otherwise privileged access is expected to use long, unique, unguessable passwords, to change them regularly and immediately whenever compromise is suspected, and to manage them with a secure password ‘vault’ such as Bitwarden or a similar tool, rather than reusing them across services.
The policies we have adopted are drawn from the EU Horizon 2020 guidance:
The data subjects (members, survey respondents, and anyone else identifiable) of the personal data we control have the right to:
- be informed if, how, and why their data are being processed;
- access and get a copy of their data;
- have their data corrected or supplemented if it is inaccurate or incomplete;
- have their data deleted or erased;
- limit or restrict how their data are used;
- have data portability (receive a copy of their data in a structured, machine-readable format);
- object to processing of their data;
- not be subject to automated decisions made without human involvement, where those decisions would significantly affect them.
Subjects have a right of access, and organisations must provide transparency. The law is strict and a timely response is critical: the GDPR requires us to respond to a subject access request without undue delay and in any event within one month of receiving it. We must therefore record and respond promptly to subject access requests. If you receive a data protection complaint or ‘subject access request’ from anyone:
- report it immediately by email to firstname.lastname@example.org with the subject “Subject Access”. Do not include details or personal data in the email, but
- record the name and contact details of the person making the request;
- record the time of original contact and keep a copy of the relevant correspondence; and
- use a secure, end-to-end encrypted message channel (Signal, Keybase, or a Telegram Secret Chat; ordinary Telegram chats are not end-to-end encrypted) to communicate the nature of the concern or request.
Our Data Protection Officer is Nick Meyne.
Please also see our guidelines for forum participation and moderation.