Protecting User PII
Data protection & retention policy summary
As volunteer site moderators it may be necessary for you to have access to end-user PII, such as names, email addresses, location information, etc.
In plain language, this means that volunteer site moderators must adhere to the following:
- PII should never be used for any purpose, except when necessary to execute your responsibilities as a volunteer site moderator.
- PII should never be shared except with Drupal Association staff and other site moderators, and even then only when it is necessary to execute your responsibilities as a volunteer site moderator.
- Screenshots of admin-only areas of the site should not be posted in public places. If for some reason this is necessary, they should be sanitized of any PII.
- PII should never be stored locally.
- Any machine which has an active account with access to this information should be protected from unauthorized access.
- If a site moderator becomes aware of a breach of PII, they should inform the Drupal Association staff immediately.
Introduction
The Drupal Association (DrupalCon, Inc) needs to gather and use certain information about individuals.
These can include end users, customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact.
This policy describes in more detail how personal data must be handled to provide context for the volunteer site moderators who must help to protect this PII.
Why this policy exists
This data protection policy ensures The Drupal Association (DrupalCon, Inc):
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers, end users, and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 1998 described how organizations — including The Drupal Association (DrupalCon, Inc)— must collect, handle and store personal information. As of May 25th, 2018 the EU General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act was underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
In plain language, regulations such as GDPR define the following roles, rights, and responsibilities:
- Data Subject - this is the end user.
- Data Controller - this is the Drupal Association as the owners and operators of Drupal.org and its sub-sites, and this responsibility extends to volunteer roles who work on our behalf.
- Data Processor - any other organization that processes personal data on behalf of the Data Controller.
Rights of the Data Subject
- Right to be Informed - A data subject has the right to know whether personal information is being processed; where; and for what purpose. This information is outlined in the sections below titled "Information We Collect About You" and "How we Use Your Information".
- Right to Access - A data subject has a right to access the information about them that is stored by the Data Controller. This information is outlined in the sections below titled "Information We Collect About You" and "How we Use Your Information".
- Right to Rectification - A data subject has the right to correct any errors in the data about them.
- Right to Restrict Processing - A data subject has the right to request that data not be processed, and yet also not be deleted by the Data Controller.
- Right to object - A data subject has the right to opt out of marketing, processing based on legitimate interest, or processing for research or statistical purposes.
- Right to be forgotten - Also known as the right to revoke consent, the right to be forgotten states that a data subject has the right to request erasure of data, the cessation of processing by the controller, and halting processing of the data by third party processors. The conditions for this, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.
- Data Portability - A data subject has the right to receive a copy of their data in a 'commonly used and machine readable format.'
Responsibilities of the Data Controller and Data Processors
- Privacy by Design - 'The controller shall ... implement appropriate technical and organisational measures ... in an effective way ... in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 of the GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of their duties, and to limit access to personal data to those who need it to carry out these duties.
- Breach Notification - The Data Controller must notify the appropriate data processing authority and any affected end user of any breach that might result in 'risk to the rights and freedoms of individuals' within 72 hours of becoming aware of the breach. A Data Processor must notify the Data Controller of any breach 'without undue delay.'
- Data protection officer - A Data Controller or Processor must appoint a Data Protection Officer when: a Data Controller represents a public authority; or the core operations of the Controller require regular and systematic monitoring of Subjects on a large scale; or when the Controller's core operations depend on large-scale processing of special categories of data (including but not limited to health data, criminal conviction information, etc.). The Drupal Association's core operations do not require the Association to establish a Data Protection Officer.
Data protection risks
This policy helps to protect The Drupal Association (DrupalCon, Inc) from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Subject access requests
All individuals who are the subject of personal data held by The Drupal Association (DrupalCon, Inc) are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller at help@drupal.org. The data controller can supply a standard request form, although individuals do not have to use this.
The data controller will aim to provide the relevant data within 30 days.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, The Drupal Association (DrupalCon, Inc) will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Providing information
The Drupal Association (DrupalCon, Inc) aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company. This statement can be found in the:
- Terms of service - https://www.drupal.org/terms
- Privacy Policy - https://www.drupal.org/privacy
- Digital Advertising policy - https://www.drupal.org/advertising
- Git Contributor Agreement - https://www.drupal.org/git-repository-usage-policy