Every Toastmaster club keeps information about its members.
After all, Toastmasters is all about communication: we need to keep in touch with each other, and the club officers need some way of knowing who the current members are and their contact details.
What could be easier than to have the VP-Membership keep all of this in a spreadsheet and e-mail it around to the other club officers sometimes?
Unfortunately this simple approach brings some problems with it, since the club now has multiple copies of its members' personal data distributed around the PCs of club officers and past officers.
Can the club be certain that each of these PCs is up-to-date with anti-virus, firewall, Windows updates and anti-spyware?
What if the PC is stolen, lost or sold - is the data secure?
Can the club be certain that old data is deleted when no longer needed - for example, when new club officers are elected?
Any e-mail communication should not disclose other recipients (e.g. it should use blind copies), and the data should only be used for club purposes, but can the club be certain that this will always be the case?
Legal obligations are imposed in Europe and are similar elsewhere:
1. process personal data fairly and lawfully.
2. obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner which is incompatible with the purpose or purposes for which it was obtained.
3. ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
4. ensure that personal data is accurate and, where necessary, kept up to date.
5. ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
6. process personal data in accordance with the rights of the individuals to whom the information relates.
7. appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which the information is to be sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
Further information from the UK Information Commissioner's Office: http://www.ico.org.uk/for_organisations/data_protection/the_guide/the_principles
Clearly, having multiple copies of personal data on spreadsheets is not:
- Controlled (How many copies? Are they all needed? Are they all current? Has something been changed?)
- Secure (Virus and spyware protection? Password protection? Secure deletion?)
If they thought about it, most clubs would find it impractical to comply with the requirement to protect their members' personal data if they use a spreadsheet and pass it around.
This practice is also high risk:
- A recent survey found that, although more than 70 percent of those who participated believed they were safe from viruses and online threats, almost 20 percent of them were currently infected by a virus and 63 percent acknowledged having been infected in the past.
- Spyware was an even more common and under-appreciated problem than viruses.
- Spyware or adware programs were found on 80 percent of the computers analyzed, with an average of 93 spyware or adware components on the infected machines.
Multiply this level of risk by the number of past and present club officers' PCs and you have an almost guaranteed problem.
Conclusion - you should NOT keep members' personal data on a PC.
How does this website comply with the requirements of data protection?
- All data are kept in an encrypted database behind a managed firewall with 24 hour support and daily data backup.
- A user may choose to enter their address and telephone numbers and has the additional choice of allowing this to be visible to their club officers, fellow club members or the public.
- A user may even place a restriction that their name will only be visible to their club officers or fellow club members.
- All data kept on an individual is ALWAYS visible to them (and also to the member's mentor).
- There is only one copy of the data
- Access is controlled by password
- Users are encouraged to keep their own data up-to-date.
- The site NEVER displays an e-mail address and takes special precautions to prevent any access by web-crawlers that try to harvest e-mail addresses.
- Registered users may send an e-mail to another user - but the recipient's e-mail address is never disclosed by the site.
- All the meeting e-mail and District/Club bulk e-mail is sent as a blind copy without disclosing e-mail addresses.
- Site security is reviewed and updated promptly for new developments
- Information on the Membership and Profile pages etc. is marked as not to be indexed by 'good' robots such as Google.
- All access to the site is prohibited to 'bad' robots (more than 100 of them as of summer 2007).
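The visibility rules described above (a member chooses whether address and telephone are visible to club officers, fellow members or the public; the name can be restricted to officers or members; the owner and the owner's mentor always see everything; an e-mail address is never displayed) amount to a small field-level access policy. The following is an added illustration, not the site's own code, of how such a policy can be enforced in one place so that every page asks the same question before rendering a field. It assumes that the three audiences nest (officers are also members, members are also public) and that a logged-in user from a different club is treated the same as the public; neither assumption is stated on the page. The profile and viewers are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Audience(IntEnum):
    """Who may see a field; a lower value is a narrower audience.
    Assumption: audiences nest, so officers see what members see, and
    members see what the public sees."""
    OFFICERS = 1   # the member's own club officers
    MEMBERS = 2    # officers plus fellow club members
    PUBLIC = 3     # anyone, including anonymous visitors


@dataclass
class Profile:
    user_id: str
    club: str
    name: str
    email: str                       # stored, but never released by visible_fields()
    mentor_id: Optional[str] = None
    name_visibility: Audience = Audience.PUBLIC
    address: Optional[str] = None    # None: the member chose not to enter it
    address_visibility: Audience = Audience.OFFICERS
    phone: Optional[str] = None
    phone_visibility: Audience = Audience.OFFICERS


@dataclass
class Viewer:
    user_id: Optional[str] = None    # None means an anonymous visitor
    club: Optional[str] = None
    is_officer: bool = False


def audience_of(viewer: Viewer, profile: Profile) -> Audience:
    """Rank the viewer relative to the profile owner's club.
    Assumption (not on the page): a user from another club counts as public."""
    if viewer.user_id is None or viewer.club != profile.club:
        return Audience.PUBLIC
    return Audience.OFFICERS if viewer.is_officer else Audience.MEMBERS


def is_owner_or_mentor(viewer: Viewer, profile: Profile) -> bool:
    """The member and the member's mentor always see the member's data."""
    return viewer.user_id is not None and viewer.user_id in (profile.user_id, profile.mentor_id)


def visible_fields(viewer: Viewer, profile: Profile) -> dict:
    """Return only the fields this viewer is entitled to see.
    The e-mail address is deliberately absent from every outcome."""
    fields = (
        ("name", profile.name, profile.name_visibility),
        ("address", profile.address, profile.address_visibility),
        ("phone", profile.phone, profile.phone_visibility),
    )
    if is_owner_or_mentor(viewer, profile):
        return {key: value for key, value, _ in fields if value is not None}
    rank = audience_of(viewer, profile)
    # A field set to audience X is shown to viewers whose rank is X or narrower.
    return {key: value for key, value, setting in fields if value is not None and rank <= setting}


# Constructed sample data (hypothetical member, club and ids).
PROFILE = Profile(user_id="m1", club="clubA", name="A. Member", email="member@example.invalid",
                  mentor_id="m2", name_visibility=Audience.MEMBERS,
                  address="1 High Street", address_visibility=Audience.OFFICERS,
                  phone="01234 000000", phone_visibility=Audience.MEMBERS)
ANON = Viewer()
OTHER_CLUB = Viewer("x1", "clubB")
MEMBER = Viewer("m3", "clubA")
OFFICER = Viewer("m4", "clubA", is_officer=True)
MENTOR = Viewer("m2", "clubA")
OWNER = Viewer("m1", "clubA")

if __name__ == "__main__":
    for label, who in [("anonymous", ANON), ("other club", OTHER_CLUB), ("member", MEMBER),
                       ("officer", OFFICER), ("mentor", MENTOR), ("owner", OWNER)]:
        print(f"{label:>10}: {visible_fields(who, PROFILE)}")
```

Because every rendering path goes through `visible_fields`, a member's choice is honoured uniformly, a visitor from outside the club gets nothing the member has not opened to the public, and the e-mail address cannot leak through a profile page by accident.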
If you have any concerns about Data Protection issues or would like further explanation please contact me by sending a Private Message to user Malcolmw on this site.