Fifteen Commandments for Using Personal Data in Cambiatus.
Based on Shuttleworth Foundation Personal Data Safeguards.
If you are a member of CAMBIATUS and CAMBIATUS shares the personal data of people with you, then these commandments tell you what you must do to protect the personal data entrusted to you by CAMBIATUS. The Entity (Entity meaning Cambiatus, supported by Cambiatus Foundation and Cambiatus OPC) puts particular responsibilities in respect of data on particular people, but these rules apply to everyone who does work for the Entity. For legal purposes these safeguards note that deliberate or negligent failure to comply with these safeguards is grounds for termination of employment or breach of service agreements. The Entity's members are committed to doing the right thing, so these commandments are first of all to help you know what the right thing is.
1. Only collect and use data for a specific purpose. For example, only get someone’s bank details if they are needed to make payment to a person, and then only use the details to make payment and to keep a record of the transaction for compliance and regulatory purposes.
2. Only collect personal data that the Entity actually needs to do something.
3. Only collect and use data if:
- the person whose data it is has consented to the use of the data, or
- the data is needed to draft a contract or to carry out a contract with the person, or
- the Entity has advised in writing that a use of personal data is authorized by the Entity.
4. When you get consent to use personal data it must always be an affirmative act. For example, someone must tick a box, select yes or sign a document to show consent. Merely stating in an email notice or in website terms that someone gives consent if they don't object is not enough.
5. Don’t collect personal data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation unless specifically requested to do so in writing by the Company.
6. Do not share special data, such as political opinions, outside the Company without the consent of the person whose data it is unless that person has very clearly made it public.
7. Before introducing a new automated process, check it with the Company to ensure that it does not include profiling, which is automatically evaluating someone according to personal characteristics.
8. Don’t keep personal data longer than is necessary for the purpose unless the Company is required to keep that data to comply with laws such as tax laws, finance law or to comply with the Company’s commitment to openness and transparency.
9. Don’t keep personal data for the sole purpose of showing compliance with the GDPR.
10. Members can delete their personal data directly on the webapp. If someone requests that you update, correct, delete, restrict or port any additional data then tell them to make the request via email to email@example.com. All personal data requests must always be dealt with by this email address so that the Company can record each request and what it has done about it.
11. If you suspect that personal data has been breached then immediately advise the person designated by the Entity.
12. Alert the person designated by the Company if anyone does not comply with these safeguards.
14. The personal data safeguards will be updated from time to time by the person designated by the Company. When you get the new safeguards they will replace and overrule these safeguards.
15. If you have any questions or uncertainty about how to comply with the safeguards then consult the person designated by the Company.
In these safeguards 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The law on personal data, and these safeguards, applies to automated data processing and to data in a filing system. These safeguards do not apply to data communicated verbally or that is neither automated nor part of a filing system, such as at an Entity event. Instead, communication at events is governed by the Entity's rules for that event.
Generally the Entity only has personal data from people that are members.
When personal data is collected, obtained, stored, used internally by the Company or communicated to people and entities outside of the Entity, this is called processing. All processing of personal data by the Entity must comply with these safeguards.
The Entity only processes data if it has a legal basis. There are three main legal bases for the Entity to process data:
- The personal data are necessary for a contract between the Entity and the person whose data are processed. Processing for a contract that is anticipated but not yet concluded is processing for a contract.
- The person whose data is being processed has consented.
- The processing is necessary for the Entity to pursue its aims and the fundamental interests, rights and freedoms of the data subject are not infringed by the processing.
The Entity only collects personal data for a specific permitted purpose, for example to pay money to someone. When data are collected for a particular purpose then only the data necessary for the purpose should be collected. For example, the physical address of a person who will receive money from the Entity is usually not relevant to the purpose of paying them by electronic transfer unless the bank facilitating payment demands it.
When the Entity gets data from someone who consents to the Entity processing their data then the consent has to be affirmative. So consent cannot be inferred because someone keeps on using a website that has a notice saying that carrying on using the website is consent, or doesn’t opt out of getting emails. Consent can be shown by someone ticking a box, or supplying an email address or clicking a yes button on a website. Someone who gives consent can withdraw their consent at any time and should be told that they can withdraw consent at any time. But any processing done before consent is withdrawn is not affected.
Special data is data on the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership of anyone, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The Entity does not seek to acquire special data, but the categories 'political opinions' and 'philosophical beliefs' are not easily defined. Information that could arguably fit into these categories, if they are interpreted broadly, is sometimes included in dialogue with the Entity's members on the possible ways of achieving the Entity's aims. When the Entity processes special data it does so in the course of its activities to achieve its aim of developing tools that contribute to the regeneration of the Earth, which includes addressing ecological, social, economic and cultural challenges. The Entity only processes special data from members to achieve its aims.
The Entity does not engage in profiling, which is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”. For example, automatically calculating a credit score based on personal data is profiling, as is deciding that someone is a security threat based on automated processing of personal data.
As a general rule personal data in contracts, or that is used for financial purposes, is kept for the foreseeable future. The Entity does not keep personal data longer than is necessary for the purpose unless the Entity is required to keep that data to comply with laws such as tax laws or finance law, or if it is necessary to accomplish the Entity's mission. The Company does not keep personal data for the sole purpose of showing compliance with the GDPR. Once the Company has processed data in compliance with the GDPR and the data is no longer necessary for the original purpose and not required under another law, it should be deleted. Data can also be kept for archiving purposes for research and statistical services. If data are only kept for these purposes then, if possible, they should be pseudonymised.
Notice of Data Use and Rights
The Company gives notice to each person whose personal data it has of the categories of their data that it has, and of the legal basis and the purpose for which the data is used. In the same notice the Company advises each person what their 'data rights' are. These are the rights they have to make certain requests of the Company in respect of their data; the Company must comply with these requests if it is able to do so.
Each person whose personal data the Company has can make requests to the Company about their data. They can ask the Company to advise what personal data the Company has on them. They can also ask that the Company update, correct or delete personal data. Someone whose personal data the Company has can also ask that their data be restricted, which means it is stored but not used, because the person contests the accuracy of the data or the basis on which the Company is using it.
Someone whose data the Company has can also ask the Company to port the data, either by giving them a copy in a standard format or by sending the data in a standard format to someone else. If someone requests that the Company port their personal data to a third party, then the Company warns the person making the request that the Company has no control over what the third party does with the data. Instead, the person who is asking that the data be ported must deal directly with the third party to ensure that their data is handled as they require. The Company has no responsibility after the data is ported.
Whenever possible the Company will do what is requested. But sometimes laws, such as finance laws will prevent the Company from doing what is requested. If that happens the Company must tell the person that the Company cannot comply.
All requests to update, correct, delete, restrict or port personal data are dealt with in the same way to ensure that the Company can record the request and the response to it. The Company requires that requests are sent to a function-specific email address (firstname.lastname@example.org) which copies to multiple recipients. The Company must respond to requests within 30 days of receipt of the request, either by doing as the person asks, advising that there is a delay for a reason permitted by law, or advising why the Company cannot comply.
People whose personal data the Company has must be given notice that, if they think the Company has not dealt with their personal data appropriately, they can make a complaint to an authority about how the Company uses data.
If the Entity must keep personal data, existing systems are evaluated to ascertain whether they are appropriately secure.
As the Entity adopts new systems these must be evaluated to ensure that they adhere to privacy by design principles. Systems must:
- Pro-actively identify and assess risks to privacy and take steps to prevent them.
- Protect personal data by default.
- Embed privacy in the design and architecture of the technical system.
- Not trade privacy off against other values such as security; instead both values are realised together in a fully functioning system.
- Keep personal data private at every stage: collection, transmission, use and deletion. When personal data is deleted from a system this must be done so that it cannot be retrieved from servers, hard drives and the like.
- Make the collection and use of personal data clear, for example through a notice advising that particular categories of personal data are collected and why.
- Centre the privacy architecture around the person whose data is at issue.
If there is reason to suspect that the rights and freedoms of a person are affected by a breach of their data then the Entity should alert that person, unless the data was encrypted or doesn’t pose a threat for some other reason. When someone is alerted about a data breach then the person must be told that the contact person is the person designated by the Entity.
To ensure that service providers to whom the Company transfers personal data look after data appropriately, the Company generally requires either a written agreement with the service provider or a general written document in which the organisation or person commits to dealing with personal data as required by the GDPR. A notice on the website of the service provider in which it explains its compliance with the GDPR is sufficient, but a date-stamped copy must be made. Where a service provider is not in the EU or a jurisdiction where the GDPR is applied but the service provider says that use of that service is GDPR compliant, then the Company ascertains the basis on which the service provider protects personal data: an adequacy decision by the EU, binding corporate rules, or a standard agreement approved by an EU data controller.
Each member, and each person who is an employee or consultant of a member, which is part of the Company but not in the EU or a jurisdiction where the GDPR has been applied, is required to agree to these safeguards. The Company takes the responsibility of dealing with personal data very seriously.
The Company assesses each service provider to whom personal data is communicated to ensure that that service provider is compliant with the GDPR. Before using any new service provider the Company ascertains whether a service provider is in the EU or another jurisdiction where the GDPR is applied and gives information on its own compliance with the GDPR.
The Company transfers personal data to companies outside the EU, or in a jurisdiction where the GDPR has not been applied, only when the transfer is necessary for the fulfilment of a contract between the person whose data it is and the Company, or it is necessary for the fulfilment of a contract with another person that is in the interests of the person whose personal data is being used, or the person has consented to the transfer outside the European Union. A person whose data is processed in a country that is outside the EU or a jurisdiction where the GDPR has been applied must be given notice that their data is processed outside the EU.
Records of Compliance
- The Entity has to demonstrate that it is complying with applicable personal data law.
- The Entity maintains a record of:
  - the categories of personal data processed;
  - the categories of people whose data is processed;
  - the categories of recipients of the data, for example service providers;
  - the time limits for each category of data;
  - how the data is secured.
Amongst other things this requires recording that notice of their data rights was given to persons whose data the Entity processes, every consent to process data and every request made by a person about their data.
Updating the Safeguards
These personal data safeguards will be updated from time to time by the CIO who will communicate the new version of the safeguards to the entities and people of the Entity.
Status of Safeguards
The purpose of these safeguards is to ensure that personal data are dealt with appropriately by the Entity overall. They are necessarily general and flexible in nature. Where appropriate, exceptions and variations are made. It is neither possible nor desirable to list exceptions in these safeguards. Since these safeguards enable compliance with existing law, they do not require the Entity to do any more than the law requires. Copies of the guidelines may be made available to people whose personal data the Entity has, or to other persons or bodies, to demonstrate the Entity's personal data protection standards. When this happens it is for information purposes only and does not constitute an agreement between that person or body and the Entity unless agreed otherwise in writing by the Entity. The safeguards are not part of any contract binding the Entity unless the Entity explicitly incorporates the safeguards in the contract. If they are included in a contract, these safeguards do not confer any legal right or benefit on any person who is not a party to that contract unless the contract explicitly states otherwise.