Data Policy

Who we are

This Data Policy sets out how DigiLocal CIO (referred to as ‘we’, ‘us’, or ‘DigiLocal’) uses and protects any information that you give us when you use this website or access our services.We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this policy.We may change this policy from time to time by updating this page. If we are storing any personally identifying information about you, we will advise you of any changes the email address provided.

This policy is effective from 31 March 2020 in compliance of the General Data Protection Regulation (GDPR).

DigiLocal is a Registered Charity (1185746) established for the public benefit, to advance the education of young people in the UK from groups that are under-represented within the technology industry, in particular but not exclusively by supporting free technology clubs.

DigiLocal is a registered Tier 1 Data Processing Organisation with the Information Commissioner’s Office: Certificate ZA775553 (view a copy of the certificate here)

The Data Protection Officer is the CEO (Dr John Bradford). For any queries about our Data Policy, Data Protection, or the data we may hold about you, please contact us on dpo@digilocal.org.uk

What data security procedures we have in place

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Your data is stored in up to to two places: our CiviCRM system on a hosted WordPress website, or our DigiLocal Online system hosted by Google Workspace.

DigiLocal website & CiviCRM

DigiLocal manages a Contact Relationship Management System (CRMS) called CiviCRM that is part of a WordPress website hosted by Cloudways using a Digital Ocean server in London. CiviCRM is a widely installed CRMS for community and social organisations. It has a strong focus on security and open source code development to ensure the highest standards of data integrity.

We have installed a Let’s EncryptTM certificate to validate the SSL credentials of our website.

An SSL Certificate is a small computer file that digitally combines a cryptographic key with an organization’s details. On a web server, for example, it allows secure connections to a web browser. Depending on the type of SSL Certificate being used by the organization, different levels of checks will be made by the Certificate Authority (CA) issuing the certificate. The CA itself holds a Root Certificate.

An SSL Certificate awarded to an organisation is derived from the Root Certificate. The same Root Certificate must be present on the end user’s computer in order for the issued SSL Certificate to be trusted. Browser and operating system vendors work with Certificate Authorities, so the Root Certificate is embedded in their software. Certificates from Let’s Encrypt are renewed every 3 months, further enhancing your security.

The site is further protected by the 7G Firewall code. The 7G Firewall is a powerful, well-optimised blacklist that checks all URI requests against a set of carefully constructed .htaccess directives. This happens quietly behind the scenes at the server level, which is optimal for performance and resource conservation. That gives us better performance while saving server resources for legitimate traffic.

Our website address is: https://digilocal.org.uk.

The majority of user accounts are classed as ‘Ambassador’. These provide no editing rights in WordPress, and view-only rights over a reduced set of contacts on our CRM. This user level is for Ambassadors to monitor and update attendance registers.

Responsible adults and young people do not have access to the website or CiviCRM.

The Designated Safeguarding Lead has additional privileges to view all notes on contacts as part of our safeguarding policy. This account is protected by time-based two-factor authentication.

The site administrator is protected by time-base two-factor authentication, and no, the administrator account name is not admin.

DigiLocal Online – Google Workspace

Google Workspace is a fully certified Cyber Essentials package for holding your data securely. The only personal data we hold as part of G Suite are names and email addresses.

All young people, staff, and volunteers are allocated a unique email address and password to access Google Workspace. Recovery emails are held for staff and volunteers. No other personal data is stored in Google Workspace.

In addition to Google Workspace we also make use of slack for running our virtual clubs. Only @digilocal.org.uk email addresses are permitted to register accounts to access our slack channel. No personal data is stored on slack.

Responsible adults do not have access to Google Workspace.

What personal data we collect and why we collect it

You may request to have your personal data deleted at any time by contacting the Data Protection Officer. This does not include any data we are obliged to keep for legal, or security purposes.

For more information about this right see the Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

DigiLocal participation

There are three reasons we may hold personal data from you on our systems:

  1. You volunteer with, organise, or in some other way help support a DigiLocal club, or
  2. You are the responsible adult for a young person at a DigiLocal club, or
  3. You are a young person at a DigiLocal club.

If you are 1 or 2 in the list above, then the personally identifiable data we ask from you is;

  • first name, last name;
  • email;
  • mobile phone for contact in case of emergency,
  • Postcode data is held so that we can report back to funders where our beneficiaries are based. We do not report individual postcodes but aggregated data.

To help understand our community we ask for, but do not require;

  • employer, and job title,
  • principle trading address for each organisation

Additional data held for DigiLocal Volunteers, Responsible Adults, and Young People

Note: if you are both a responsible adult, and a volunteer, we will hold both sets of additional data against the same record for you.

Volunteers

  • to maintain a register of Disclosure and Barring Service (DBS) cleared volunteers in support of DigiLocal clubs we hold DBS certificate numbers and Date of Birth for all volunteers so that their status can be verified, we also record the date DBS certificate status was last checked.

Parent / guardian

  • No additional identifying data is held for responsible adults.

Young people

No contact information is held for young people. Any communications outside face-to-face club sessions will be with the registered responsible adult.

When a responsible adult contacts DigiLocal about places at a club, a note is made on their record of how many young people will be attending and ages (if given), but not names.

Young people are entered as individual records only when we receive a signed permission form from the parent / guardian / responsible adult.

  • Names of young people attending DigiLocal clubs (first name, last name – but no contact information) are held so that attendance at club sessions can be monitored.
  • Date of birth is held so that we can evaluate how well DigiLocal is doing with different age groups.
  • An internal CRM link is maintained with the parent / guardians so that we can maintain an accurate record of emergency contact information.

DigiLocal withdrawal

If you withdraw from DigiLocal we will contact you to see if you would like us to stay in touch. If we do not receive your explicit permission we will delete your personal data. We will also delete all data relating to your child / children (name, date of birth, club registrations, etc).

General Website data

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

For people that register on our website, we also store the personal information they provide in their contact form profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). DigiLocal administrators and Designated Safeguarding Leads can also see and edit that information.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.