Virtual Region Convention Information Security Policy
- Introduction, Governing Law and Jurisdiction
- Scope of this policy
- General principles
- Hard copy documents
- Electronic data
- Mobile devices
- Data breach
- Reporting to VRC Chair
- Notification to ICO
- Notification to data subject(s)
Introduction, Governing Law and Jurisdiction
The Virtual Region is organized and incorporated as a not-for-profit entity under the laws of the State of New Mexico, United States of America.
This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, United States of America.
The Virtual Region, all Board members (who act as directors of the Virtual Region) and any other persons designated by the Board in terms of the Bylaws of the Virtual Region to undertake various services for the Virtual Region, agree that the courts of New Mexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other VR policies, or their subject matter.
The sixth data protection principle under the General Data Protection Regulation (GDPR), the EU regulation on data protection and privacy in the European Union and the European Economic Area, requires organizations to employ appropriate technical and organisational measures to secure personal data.
In this policy the Virtual Region Convention (VRC), seeking to take reasonable efforts to comply with the GDPR, sets out the processes to be followed to keep data secure (organisational measures) and the technological measures to be adopted.
Scope of this policy
Everyone is responsible for ensuring that any personal data they deal with is kept securely and is not disclosed (orally, in writing or accidentally) to any unauthorized third party.
This policy applies to everyone who processes personal data from or on behalf of the Virtual Region Convention. This includes designated VR Board members, VRC Chairs and, where applicable, Co-Chairs, Committee Chairs and members, Subcommittee Chairs and members, service coordinators, Convention hosts and co-hosts, translators, moderators and other OA members giving service.
OA is an anonymous fellowship, and our 12th Tradition states that: “Anonymity is the spiritual foundation of all these Traditions, ever reminding us to place principles before personalities”. We hold information about other fellows in confidence. This policy upholds the 12th Tradition.
We will only use your personal data for the purposes for which we collected it as described above. Only authorized people are permitted to access your data, which is kept secure and confidential for the time period as described above, and then deleted/destroyed using secure methods.
Hard copy documents
When personal data is stored on paper (for example, a register of meeting attendees), it is to be kept in a secure place where unauthorized people cannot see it.
When not required, paper or files are to be kept in a locked drawer or filing cabinet.
Printouts are not to be left where unauthorized people could see them, like on a printer, or on the kitchen table.
Paper copies are to be securely shredded or burned when no longer required. Tearing or crumpling paper is not a secure means of disposal.
Electronic data
The computers and devices used to access the personal data of others are to run current, supported software: unsupported legacy software no longer receives security patches. Security updates are to be installed promptly. Devices are always to have anti-virus / anti-malware software installed and kept up to date.
Strong passwords are to be used to secure electronic devices and the services used to access data (email, Dropbox, Microsoft account, etc.). Passwords are not to be reused, shared, saved to a file, or saved to insecure password keychains or browsers. Ideally, password management software is to be used and protected with a strong master password. Guidance on choosing and using passwords can be found here.
If using a shared computer, password-protected services are to be logged out of when work is finished. Files and folders are not to be left open, and the screen is to be locked whenever the computer is left unattended.
Home Wi-Fi is to be encrypted to the highest standard available (WPA3 where the router supports it, otherwise WPA2; never WEP or an open network). Suggestions for securing home Wi-Fi are:
- Change your router admin username and password so that they are not the standard for your router.
- Change the broadcast name for your Wi-Fi (the SSID) so that it does not describe the router.
- Activate the router firewall and turn off guest networks.
- Keep firmware updated.
- Unless your router is locked away, turn off WPS (the one-push button to connect to your router).
Open (unencrypted) Wi-Fi networks are not to be used to access personal data.
You have explicitly consented to the transfer of your information, and you have been warned of the possible risks of the transfer.
Mobile devices
Particular care is to be taken to keep mobile devices secure: they are to be protected by a password or PIN, and ideally have device encryption enabled. Unencrypted USB devices are especially insecure because they are so easy to lose. Ideally devices are to have a remote-wipe agent installed so that they can be erased if lost or stolen.
Cloud Storage Service Providers
The designated VR Board members, the VRC Chair or Co-Chairs where applicable, and the VRC Committee and Subcommittee Chairs are all to use secure cloud storage service providers such as Dropbox (basic) or Google Drive to save personal information. Two-step verification is to be activated, and a strong password used.
Documents are to be saved in the most suitably secure location, and multiple copies of the same document are not to proliferate. Any document which contains personal data is to be saved using a filename with the suffix PD, for example: 'Website Invoices (PD)'. The suffix PD stands for Personal Data.
Each VRC Chair, VRC Committee Chair and Subcommittee Chair is responsible for managing access to their own Dropbox folder, ensuring that access is granted only to authorized fellows giving service, and to outgoing VR Board members and other authorized fellows who are conducting a handover. Once a service fellow has completed their handover, those managing access will remove them from the shared folders and ensure that synced copies of the information are removed from the fellow's personal Dropbox.
VRC Chairs or Co-Chairs, Board members, and Committee and Subcommittee Chairs are to use alias email accounts for their VR OA service from one of the following email service providers: Google, AOL, MSN (Microsoft), Yahoo or Bluehost, or others that may be identified and approved by VR.
Email is not inherently secure. Email is not end-to-end encrypted by default: messages are stored, and may be relayed, in plain text, so they can be read by intermediaries or by anyone who gains access to a mailbox. Consideration is to be given to the nature of the information being sent via email.
It is strongly suggested that email addresses without the surnames of the OA service fellows be used wherever possible, at all levels of OA service in respect of the Virtual Region Convention.
Email accounts are to be securely password protected, and security features not disabled.
Great care is to be taken when opening email attachments, in case they contain a virus, Trojan, spyware or other malware. It is now commonplace for ransomware attacks to be launched by 'spoof' emails which appear to come from a legitimate organization and attach an invoice or order form which, if opened, installs malware that encrypts all data on the attacked device. A ransom is then demanded for the decryption key. Under the GDPR, corruption or loss of access to data is a data breach, and therefore a ransomware attack is to be reported as such to the VRC Chair or, where there are VRC Co-Chairs, to the Co-Chair designated as the person responsible for the protection of privacy and of personal data, as per the policy below.
When sending emails to a list, the email is to be addressed in the 'To' field back to the sender, with the recipients listed in the 'BCC' (blind carbon copy) field. This means that recipients' email addresses are not disclosed to the whole list.
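The following is an added illustration of the rule above and is not part of the policy or of any VRC tooling. It shows, using Python's standard email library, the difference between the message headers (which every recipient sees) and the SMTP envelope (which controls delivery and is never written into the message), and includes a check that no recipient address has leaked into the headers. The sender and recipient addresses are constructed placeholders.

```python
"""Added example: send to a list without disclosing recipients to each other.

Constructed sample data; all addresses are placeholders, not real accounts.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "vrc-service@example.com"   # constructed placeholder alias address
RECIPIENTS = [                        # constructed placeholder list
    "fellow-a@example.org",
    "fellow-b@example.org",
    "fellow-c@example.net",
]


def build_list_email(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The headers name only the sender, so no recipient learns who else is on
    the list. Delivery is driven by the SMTP envelope (the RCPT TO list),
    which is a separate Python list and is never placed in the message.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # 'To' addressed back to the sender
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no 'Bcc' header. If a Bcc header survives into the
    # transmitted message, every recipient receives the whole list.
    envelope = sorted({sender, *recipients})
    return msg, envelope


def build_list_email_badly(sender, recipients, subject, body):
    """The mistake the policy warns against: every recipient in 'To'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, sorted({sender, *recipients})


def addresses_in_headers(msg):
    """Every address appearing in an address header a recipient would see."""
    found = set()
    for name in ("To", "Cc", "Bcc", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                found.add(addr.lower())
    return found


def leaked_recipients(msg, recipients):
    """Recipient addresses that a reader of this message would learn."""
    wanted = {r.lower() for r in recipients}
    return sorted(wanted & addresses_in_headers(msg))


def send(msg, envelope, host="localhost", port=25):
    """Hand the envelope list to SMTP separately from the message text.

    Not called in the demonstration below, as it needs a mail server.
    """
    with smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(msg["From"], envelope, msg.as_string())


if __name__ == "__main__":
    good, env = build_list_email(SENDER, RECIPIENTS, "Convention update", "Hello all")
    bad, _ = build_list_email_badly(SENDER, RECIPIENTS, "Convention update", "Hello all")
    print("safe message leaks:  ", leaked_recipients(good, RECIPIENTS))
    print("unsafe message leaks:", leaked_recipients(bad, RECIPIENTS))
    print("envelope recipients: ", env)
```

The point of keeping the envelope list out of the message is that most mail tools only strip a Bcc header on a best-effort basis; a message that never contained the list cannot leak it, whichever sending path is used.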
Documents containing personal data may be attached to emails, whether sent or received. These must be saved securely. The emails carrying the attachments are also to be kept secure, and deleted in accordance with the archiving and retention rules set out in the Privacy Policy.
Data breach
If there is a personal data breach, the GDPR requires that OA Virtual Region notify the Data Protection Regulator of the relevant country (for example, in the United Kingdom, the Information Commissioner's Office) without undue delay and not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Examples include loss of a USB stick holding OA members' contact details, accidentally emailing contact details to someone not authorized to receive them, or a ransomware infection that renders data unusable.
Reporting to VRC Chair or VRC Co-Chair, where applicable
Anyone handling personal data in connection with OA (designated VR Board members, Convention Committee Chairs and members, Subcommittee Chairs and members, hosts and co-hosts, and other service coordinators and service fellows) is to notify the VRC Chair [or, where there are VRC Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] at email@example.com as soon as they become aware of a data breach. Anyone who has concerns about data privacy or the risk of a breach should notify the Chair or Co-Chair of their concerns at the same email address.
Notification to the relevant Data Protection Regulator
The Chair [or where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] will consider whether the breach is likely to result in a risk to the rights and freedoms of data subjects. If such a risk is unlikely then the breach will not be reported to the relevant Data Protection Regulator of the country of the data subject, but will be recorded in a data breach template document. Remedial action will be identified, and a timetable for completion will be drawn up.
If there is a risk to data subjects, the Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] is to take reasonable efforts to notify the relevant Data Protection Regulator of the country of the data subject of the breach, describing:
- the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
- the name and contact details of the person from whom more information can be obtained. This may be the Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] or it may be some other person assigned responsibility for handling the data breach,
- the likely consequences of the personal data breach,
- the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] is to take reasonable efforts to provide the notification within 72 hours of becoming aware of the breach. Where this is not possible, notification is to take place as soon as possible, with reasons given for the delay.
Where it is not possible to provide all of the above information at the same time, the information may be provided in phases without undue further delay.
The Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] is to record the breach in the breach template document, stating the nature of the breach, when and how it was reported, when it was notified to the relevant Data Protection Regulator, its effects, the remedial action taken, and any response from that Regulator.
Notification to data subject(s)
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and it is not possible to prevent this risk from materializing, the Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] is to take reasonable efforts to inform the data subject(s) without undue delay. The following information will be communicated, using clear and plain language:
- The nature of the personal data breach,
- the name and contact details of the person from whom more information can be obtained. This may be the Chair [or where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] or it may be some other person assigned responsibility for handling the data breach,
- the likely consequences of the personal data breach,
- the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The notice is to be sent directly to the data subject, unless this would involve disproportionate effort, in which case it may be published on the Virtual Region website.
The Chair [or, where there are Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data] may delegate their responsibilities under this section to a named person, but will continue to hold ultimate responsibility for ensuring that any breach is properly recorded and (if relevant) notified.
This Privacy Notice to Convention Attendees was updated on behalf of the VRC Chair on 10 January 2021 and is the second version of such Notice.