Data Processor Agreement

Thu, 06/08/2020 - 17:09 — FloranAstraneiri

Note: Please ignore the 'User login' in the left column of this webpage (if it appears). This is only for IWW role holders who have access to the membership database. You need to be logged out for the purpose of submitting this form and for the form to work properly. If you intend to submit this form and you are currently logged in to the membership database, please log out first.

IWW WISE-RA Data Processor Agreement - Introduction

As an IWW role holder, or accredited IWW Worker's Representative, or approved third-party data processor, you will be required to handle sensitive personal data and union data under the care of the IWW WISE-RA.

Your role may require you to access or process this data via the union's @iww.org.uk email accounts, membership database, or on other IWW WISE-RA data processing platforms, such as the administrator or moderator interfaces of the Interwob forum or Wobchat. If you are an accredited IWW Worker's Representative, you will be handling workers' sensitive personal data in the course of performing representation casework. If you are a Complaints Panel volunteer, you will be handling members' personal data in the course of processing complaints. If you are a member of the IT Committee, you may receive security-sensitive administrator access to our IT platforms' back-end systems and servers. It is the IWW WISE-RA's responsibility, and thus your responsibility as an IWW role holder, to safeguard and process that personal data in compliance with Data Protection laws, and to handle IWW WISE-RA controlled data generally in compliance with IWW WISE-RA's Privacy and Data Protection Policy.

As such you are considered a Data Processor, as defined by current Data Protection legislation (the UK General Data Protection Regulation, or UK GDPR). The IWW WISE-RA is considered the Data Controller. The persons whose personal data is held and processed by the IWW WISE-RA are considered Data Subjects.

For these reasons, you will need to sign this Data Processor Agreement (DPA) before you can be given access to IWW membership data and allowed to process it.

IMPORANT: Before signing this document, please:

As a priority, read the section below titled "Required technical security measures" and implement those measures. Please click the section title to unfurl and read its contents.
Familiarise yourself with the IWW Privacy and Data Protection Policy, paying particular attention to the passages set in bold and the sections and paragraphs marked with a ⚠ symbol (click here).

As a data processor you will be expected to abide by these policies and apply them to all personal data you access and handle on behalf of the IWW WISE-RA.

When you feel sure you understand these policies, please fill, sign and submit this DPA form.

The Data Controller you are entering into an agreement with through this DPA is:

The Industrial Workers of the World (Wales, Ireland, Scotland and England Regional Administration); a certified independent trade union registered in the United Kingdom; Certification Officer List Number 790T.

Address: Data Controller, Industrial Workers of the World (IWW);
PO Box 111, Minehead, TA24 9DH,
The United Kingdom of Great Britain and Northern Ireland
Telephone: +44 (0)845 4681905
Email: dataprotection@iww.org.uk

Don't hesitate to get in touch with our Data Protection Officer (dataprotection@iww.org.uk) if there is anything you don't understand.

By filling and submitting this form, you understand and agree that your personal data will be processed on the lawful basis of the IWW WISE-RA’s legitimate interests, according to the IWW WISE-RA Privacy and Data Protection Policy.

The section below titled 'How We Use Your Information' contains a summary of our Privacy Policy. It links to our full Privacy Policy and provides information for contacting our Data Protection Officer. It is collapsed by default. Please click on the title of that section - 'How We Use Your Information' - to expand that section.

IMPORTANT - PLEASE READ THIS SECTION CAREFULLY before completing the form - Required technical security measures (CLICK HERE TO UNFURL THIS SECTION AND READ ITS CONTENTS).

Data Processors must comply with all applicable aspects of our Technical and Organisational Measures Policy and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the applicable legislation and relevant standards to protect personal data.

With regard to personal data for which WISE-RA is the Data Controller, or general internal IWW WISE-RA business, as far as possible, only IWW-WISE-RA-controlled or mandated internal communications platforms and tools should be used for core data processing functions of the union at the IWW WISE-RA Regional Administration and ROC levels, such as membership data and database management, the discussion and practice of internal union business, deliberations and democracy, democratic decision making and elections, complaints processing and data retention, the long term retention and processing of personal data and casework / worker's representation / organising data, and email communications from and between IWW officers, role holders and data processors about IWW WISE-RA business or containing any personal information processed on behalf of the IWW.

Where possible, non-commercial, open-source platforms, and/or highly secure platforms that minimise the sharing of IWW business data and IWW-processed personal data with third party sources, should be given preference for use as IWW controlled and mandated data processing and communications platforms.

For the IWW NARA (North American Regional Administration) role holders who sign the IWW WISE-RA Data Processor Agreement, all of the terms and conditions described in this document only apply to the processing of the personal data of Data Subjects for which IWW WISE-RA is the Data Controller (i.e., personal data, including the personal data of NARA members, when it is processed within the Interwob forum or other WISE-RA controlled data processing platforms), and excludes NARA members' personal data where it is processed by IWW NARA outside of the Interwob forum (or outside of any other WISE-RA controlled data processing platforms), and NARA union business excluding personally identifying data in any context or platform, which are governed by the laws, rules, policies and procedures relevant and applicable to and within NARA.

Agents of third party organisations authorised as IWW WISE-RA data processors must only use the communications and data processing platforms and tools (e.g., organisational email accounts) provided by IWW WISE-RA or by that authorised organisation when processing data on the IWW's behalf.

Going forward in this document 'IWW' will stand for 'IWW WISE-RA', and 'IWW Data Processors' will be taken to include IWW NARA members, or agents of third party organisations who sign a WISE-RA Data Processor Agreement in order to process data controlled by IWW WISE-RA.

When required for their role, IWW officers, role holders and data processors will be given an email account hosted on an IWW controlled email server and/or any access their role may require to other IWW controlled data processing platforms (e.g., the Membership Database, the Interwob forum administrator or moderator tools and interfaces).

IWW officers, role holders and data processors must only use the data processing and communications tools/platforms/accounts assigned to them by the IWW, or by third party organisations authorised by IWW as data processors, for all processing or communications of IWW WISE-RA business or of personal information for which the IWW WISE-RA is the Data Controller. They must never use personal emails or unauthorised/unmandated personal or third party data processing platforms for these purposes, unless the Data Subjects whose personal data is processed provide explicit and informed consent.

Explicit and informed consent means that, before they consent, the Data Subject must be informed of what data will be processed and/or shared, for what purposes it will be processed and/or shared, how it will be processed and/or shared, and with whom it will be shared. The personal data must never be processed or shared in a manner that differs from the purposes and methods that informed that consent unless further consent is obtained to include those new methods and purposes.

IWW role holders and data processors, however, can use their personal telephones and telephone numbers to make regular (phone number to phone number) voice calls and send SMS messages on behalf of the IWW. IWW role holders and data processors may also use the Signal app for end-to-end encrypted messaging and voice-over-internet calls for the same purposes. No other mobile messaging or voice-over-internet apps should be used unless explicitly authorised by the IWW WISE-RA Data Protection Officer (DPO) and mandated by a relevant body of the IWW, or unless the Data Subject provides their explicit and informed consent to do so. IWW data processors must not keep the contact details of call, SMS, Signal-messaging or Signal-call recipients or the contents of SMS or Signal messages saved on their devices longer than is necessary for fulfilling their IWW mandated work, unless they have the explicit and informed consent of the recipient to retain the data for longer on their devices.

The following list sets out the description of the technical security measures that you, as a data processor, are required to implement whenever accessing and processing IWW WISE-RA data:

I will use firewalls to protect my internet connection. This will be my first line of defence against an intrusion from the internet.
I will choose the most appropriate secure settings for my devices and software. Most hardware and software will need some level of set-up and configuration in order to provide effective protection.
I will keep my software and devices up-to-date. Hardware and software needs regular updates to fix bugs and security vulnerabilities.
I will install up-to-date, industry standard anti-virus and anti-malware software on all my devices to optimally protect my devices from viruses and other malware. I will choose the most appropriate settings of this software to optimise security. I will keep my anti-virus and anti-malware software updated to the latest version at all time. I will keep my anti-virus/anti-malware definition files fully and regularly updated. I will perform regular virus/malware scans on my devices at least once a week.
I will ensure that no one other than myself can access IWW WISE-RA data and online platforms via my devices or using my WISE-RA login credentials. I will not allow other users to use my devices while they remain logged in to any IWW WISE-RA platforms. I will restrict access to my devices to users and sources I trust.
I will ensure that my login passwords for WISE-RA systems are as strong as possible -- at least 16 characters and including random strings of: numbers, small and capital letters, and special characters such as %,^,&,*,(,),$,#,@, or !.
I will keep my passwords stored securely in password management applications (and use two factor authentication to secure my password management application). (We recommend using the open source KeepassXC password manager (https://keepassxc.org/)).
I will never share my passwords for accessing the IWW WISE-RA membership database, members' area, Interwob Forum, Wobchat, IWW Nextcloud or any other password-based access that is not intended for use by anyone other than myself. IWW email account passwords may sometimes need to be shared with a co-officer or co-role-holder for shared use; in such cases I will only ever share those passwords using secure, encrypted communications (see step-by-step instructions for this.).
I will never share or send my passwords or any personal data under my care over unencrypted internet connections, email, messaging, voice calls or any other mode of unencrypted/unsecured communication. I will not send unencrypted emails or messages containing IWW WISE-RA passwords or any personal data, even to myself as a "note to self."
I will only use the data processing or communications tools/platforms/accounts that the IWW WISE-RA has assigned and authorised me to use for all my processing/communications of IWW WISE-RA business or of personal information for which the IWW WISE-RA is the Data Controller. I will only use other data processing and communications methods if I obtain authorisation from the IWW WISE-RA DPO, or obtain the explicit and informed consent of the Data Subject. If I am an agent of an IWW WISE-RA authorised third party data processor organisation, I will only use the data processing and communications tools and platforms provided by the IWW or by that organisation. This means, for example, that if I am only given access to the Interwob moderator tools, I will only process the personal data within Interwob and will not export it or communicate it outside of the Interwob platform without further authorisation from the IWW WISE-RA DPO or the Data Subject's consent; or, for example, if I am given access to the IWW WISE-RA database and an IWW WISE-RA email account, I will only use those tools to process the personal information and will not process it outside of those platforms; unless otherwise allowed in a manner described further below, or allowed by further authorisation by the IWW WISE-RA DPO or through consent of the Data Subject.
If I am given an IWW WISE-RA email account, I will not set a forwarder from my IWW email account to a non-IWW email, and I will not use a non-IWW email account to send emails using an IWW email alias. The IWW IT Committee does not allow the use of aliases or forwarders linking with any non-IWW email accounts, for data protection reasons.
If I am given an IWW WISE-RA email account and/or access to the IWW WISE-RA Membership Database, when sending emails to multiple recipients I will normally use the IWW WISE-RA database bulk mailer. Otherwise, if using an email client, I will use the BCC field for the personal email addresses of all recipients; never the "To:" field; to prevent recipients being able to see other recipients' personal email addresses.
I will not include the personal data of any IWW WISE-RA Data Subject in emails sent to persons who have not signed an IWW WISE-RA DPA, without the explicit and informed consent of the Data Subject in question.
Except where other sections of this document allows alternative methods (e.g., using my personal phone or the Signal app), I will only use IWW email accounts for all casework-related or complaints-process-related messages, or any communications relating to an IWW Data Subject's personal data; whether it is for communicating with any person on behalf of the IWW about their case or their personal data; communicating with their employer or co-workers about their case or personal data; or communicating with other IWW role holders about their case or personal data. I will never email any personal data of IWW WISE-RA Data Subjects from personal non-IWW email accounts without the Data Subject's explicit and informed consent. I will never email any personal data of IWW WISE-RA Data Subjects to non-IWW email accounts, including the non-IWW email addresses belonging to IWW WISE-RA role holders who have signed a DPA, except with the explicit and informed consent of the Data Subject, and will only ever do so if strictly necessary.
I will avoid, where possible, storing any personal data and/or IWW WISE-RA data on my devices unless reasonably necessary to perform my assigned role, and if I do so, I will only store such data on password-protected, encrypted hard drives and systems/devices, or in encrypted files. I will delete this data from my devices as soon as I no longer require it. Personal data and IWW WISE-RA data should best be stored on the Interwob forum (in so far as it is data generated on Interwob), or the IWW WISE-RA Membership Database or Nextcloud file repository rather than on personal devices. If I run the IWW's Nextcloud app on my devices to synchronise file storage between the IWW Next Cloud and my device, I will do so securely and only on password-protected and encrypted devices.
I will regularly back-up my data to password protected, encrypted storage (for any IWW Data, only on personal hard disks, thumb drives, SD cards, etc, NOT cloud based storage except the IWW WISE-RA Next Cloud file repository). Regular backups of important data will ensure it can be quickly restored in the event of disaster or ransomware infection. I will not use third-party cloud based storage/backup services for backing up IWW WISE-RA data (You can use third-party cloud storage to back up your own devices, systems and files, but not for backing up any data controlled by the IWW WISE-RA, however the IWW WISE-RA Next Cloud file repository can be used as cloud storage for IWW controlled data).
I will never share or send IWW WISE-RA data or personal data under my care with/to anyone who has not signed an IWW WISE-RA Data Processors' Agreement, and even then I will only do so on a strictly need-to-know basis and only for the purposes for which the data has originally been collected (as explained to the Data Subject when it was collected). The only exception where I can share personal data under my care with persons who have not signed an IWW WISE-RA Data Processors' Agreement is where I have obtained further authorisation from the IWW WISE-RA DPO or explicit and informed consent to do so from the Data Subject concerned.
When sharing or sending IWW WISE-RA union data, especially a Data Subject's personal data: I will only share the data with persons who have signed the IWW WISE-RA DPA, and only send it from my IWW email account to another IWW email account, or otherwise use encrypted communications; If I need to share data with persons who have not signed an IWW WISE-RA Data Processor Agreement, I will only ever do so if strictly necessary and if I have obtained further authorisation from the IWW WISE-RA DPO or the explicit and informed consent of the Data Subject concerned. In all cases I will send only the data that is strictly necessary for the task, only for the stated purposes it was collected, minimising the data I send, and pseudonymising or anonymising it whenever possible.
I will never store, process or collect IWW WISE-RA data or any personal data under my care on any third-party data processing, social networking or cloud platform that is not explicitly authorised by the IWW WISE-RA DPO and formally mandated for use by the IWW WISE-RA body that the data corresponds to, and the Data Subject has provided explicit, informed consent to their data being used in this way. For example, I will never collect or copy the data to Google Spreadsheets, Survey Monkey surveys, Dropbox, Google Drive or any other online/cloud data processing/data-collection/survey/file-sharing/storage application, nor use such applications to share the data or collaborate on data processing with other persons (unless the IWW WISE-RA Data Protection Officer has authorised it, AND there is explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND explicit, informed, recorded consent by all the Data Subjects whose data is concerned, which allows me to do so. cf. the IWW WISE-RA Privacy and Data Protection Policy for more details on the procedures required to use third party data processing platforms).
If an authorised and mandated third-party platform is used to process personal data, and it is used with the Data Subject's consent, I will use strong passwords, secured with an appropriate password management system, and employ two factor authentication to secure my access to that platform. I will furthermore ensure that Data Subjects can have their data removed from that platform at any time and that they know how to do so.
I will never share, post or cross-reference the personal data under my care using any social media or social networking platform such as Facebook, Discord, Twitter, etc. in a manner that directly or indirectly reveals/shares the data with third parties (unless there is an explicit, minuted mandate by the IWW WISE-RA body whose data is concerned, AND explicit consent by all the Data Subjects whose data is concerned, which allows me to do so).

How We Use Your Information (click here to unfurl this section)

The following Privacy Notice is a summary of the IWW Privacy and Data Protection Policy. Please read the full text of our Privacy and Data Protection Policy at the following page: https://iww.org.uk/privacy

We are committed to keeping your data secure and to never using it in ways you would not expect.

The IWW is the Data Controller for the personal information you provide when interacting with the IWW, participating in the IWW and using its services. We use this data to improve our work as a union.

The principal lawful basis for our collecting and processing personal data is the IWW pursuing our legitimate interests as a trade union (namely, when we collect and process personal data from membership applicants and members, or when people contact us). This is the basis upon which we will collect your personal data in this form.

In certain cases of supplementary personal data collection and processing we will do so on the basis of your informed consent (in particular, when we collect data that is considered sensitive and specially protected under data protection laws, or specific instances where we intend to share your data with third-parties not listed in our Privacy and Data Protection Policy, or when we actively solicit data from non-members).

Please click here to see the full list of personal data we may collect and how we may collect it.

Please click here to see the full list of purposes for which we may collect personal data.

As a trade union, we have a statutory requirement to keep an accurate register of members’ names and addresses. If you wish to be an IWW member, you must provide this information to us.

As with most websites, the IWW uses cookies to improve our users’ experience. Cookies may also collect personally identifiable information. Our cookies policy explains which cookies we use and why, along with where you can find more information about cookies.

We may disclose information about you to IWW officers, staff, administrators, organisers, accredited IWW trainers, accredited IWW worker’s representatives (‘Reps’), or any other IWW Data Processors, insofar as reasonably necessary for the lawful bases and purposes as set out in our Privacy and Data Protection Policy, our Rule Book and our Manual of Policies and Practices.

All IWW Data Processors must sign a Data Processor Agreement with us, in which they commit to comply with our Privacy and Data Protection Policy and with applicable UK data protection laws.

The IWW will not disclose any of your personally identifiable information to any third party unless it is justified by:

the lawful basis of pursuing our legitimate interests as a trade union, and the data is shared as described in the full text of the IWW WISE-RA Privacy and Data Protection Policy;
or it is necessary to fulfil our contractual obligations;
or we have your explicit consent to do so;
or it is necessary to protect someone’s life;
or we are required to do so by law.

We do not routinely transfer your data outside of the UK or the European Economic Area (which share the same data protection standards). However, if it is necessary, we will ensure appropriate data protection measures (as applicable under UK law) are in place.

You have rights as a data subject. These rights include: subject access; erasure; rectification; the right to restrict or object to processing; the right to data portability; and the right to complain to the Information Commissioner’s Office (ICO).

The IWW is fully committed to upholding these rights. If you believe we have not done so, please get in touch so that we can put things right.

Where you have given consent for the IWW to process your data, you may withdraw it at any time by contacting us, as well as exercise all your data subject rights listed above.

Where we collect and process your data on the basis of pursuing our legitimate interest as a trade union (namely, for members), you likewise can exercise all of your rights listed above, but keep in mind that as a Trade Union, we have statutory requirements as well as other lawful bases to hold and process certain essential elements of members’ personal data, without which their membership in the IWW cannot be maintained.

Subject access requests, the provision of data portability, or requests of erasure, rectification, or to restrict or object to processing of your data may be refused or partially refused by the Data Protection Officer in certain cases as provided by the relevant legislation or regulatory authorities. These grounds for refusal are outlined for each type of request on the Information Commissioner's Office Website. Data erasure requests and subject access requests, in particular, may be refused in part or in whole if the data are relevant to, or if you are subject to, any formal internal process reasonably requiring the data to be retained, such as a formal complaint or investigation, or if the Data Protection Officer decides the data needs to be retained for any reason compatible with the present Privacy Policy or as provided by the relevant legislation or regulatory authorities.

You can opt-out/unsubscribe from receiving emails and communications from us at any time. Opt-out/unsubscription methods will be accessibly signposted in our regular communications. However, we will retain the right to send you a minimal number of important communications for the purposes of pursuing the legitimate interests or meeting the statutory requirements of the IWW as a trade union (namely for union ballots and communicating our Annual Returns Statement).

We will keep your personal data confidential and will take appropriate measures to protect it against loss, theft or misuse and to safeguard your privacy. The IWW uses industry standard efforts to safeguard the confidentiality of your personally identifiable information

We retain your data only for the period necessary to enable us to fulfil the purpose(s) for which we collected it, to comply with our legal obligations and/or whilst we maintain your consent or a legitimate interest in retaining it.

Personal data about members in good standing and any personal data we hold about non-members will be retained in our Membership Database and/or organising and casework records for as long as members remain in good standing or we maintain a lawful basis and purpose to retain it according to our Privacy and Data Protection Policy and the applicable legislation.

Additionally, the standard retention period is 7 years, In the IWW WISE-RA Membership Database and/or in our organising and casework records, for personal data about lapsed, cancelled or deceased members, and for personal data about non-members, where we no longer maintain a lawful basis and purpose for retaining the data longer according to our Privacy and Data Protection Policy or applicable laws. At the end of this standard retention period, the personal data will be erased (either deleted, or anonymised so that it is no longer personally identifiable), except in rare cases where we maintain a lawful basis and purpose for retaining it for longer. If you make a legitimate personal data erasure request, your personal data may be erased (deleted or anonymised) sooner than this.

By default, contents that you have emailed, posted or uploaded yourself via IWW communications services (email accounts, email lists, internal chat, forum, file repository, etc.) will remain indefinitely stored and visible to users on those platforms, even if you are no longer a member, unless you delete them yourself or explicitly request their erasure (the default, when we apply such requests, is anonymisation).

Likewise, on third-party communications (or data processing) platforms where you have given your consent to the IWW to share your personal data in order to connect/subscribe you and communicate with you (e.g., Whatsapp or Signal chat groups, Slack Channels, Loomio, etc.), contents that you post may remain indefinitely stored there unless you take action to delete them yourself or request their erasure by that third party Data Controller. You can ask us us to remove the subscription/connection/contact-data, that you had initially given us to add/subscribe you to a third-party platform, and we will comply with your request (except in rare cases where we maintain a lawful basis to delay or refrain from doing so), but we cannot, on your behalf, erase the content you posted yourself from those platforms, and it is your responsibility to do so.

If you have any questions or concerns about our Data Protection and Privacy Policy or would like to request access, deletion or restricted use of your personal data directly from the Data Protection Officer, you can send an email to the IWW Data Protection Officer (click here); members can also do this by clicking here to submit a request via the members’ website contact form (password protected site) (select the ‘Personal data requests’ category), or by post at the following address:

Data Protection Officer, IWW, PO Box 111, Minehead, TA24 9DH, United Kingdom.

IWW DATA PROCESSORS' AGREEMENT

SIGNATURE

Please enter the appropriate Subject description for this submission: *
Please replace the parts within brackets inside the text field with the appropriate information (removing the brackets). For example, if your name is Joe Hill and you are signing this DPA form in your capacity as the London Branch Secretary, please enter: "Signed DPA submitted by FW Joe Hill as London Branch Secretary". Other examples: "Signed DPA submitted by FW Joe Hill as Organising Depatment Chair" or "Signed DPA submitted by FW Joe Hill as London Workplace Representative". This is so that the form submission activity can be recorded on the database with a standard subject description.

Signed and submitted by: *
Please type in your full name to sign. IMPORTANT: If you have registered your membership with the IWW under a different name than your legal name (the name used on your official Identification Documents, e.g., Passport or Drivers License) please include both the names you are registered under as a member followed by your legal name in brackets. for example: "Joe Hill (legal name: Joel Emmanuel Hägglund)".

IWW membership number: *
Please type in your IWW membership number. If you are a non-member, third-party-organisation data processor, please type in "Third party data processor" instead.

You are here