Data and Privacy Policy

-
May 14, 2018 at 5:49 pm #498
We’re needing a Data and Privacy Policy for a New Zealand Worldcon.
We do adhere to the Privacy Laws of New Zealand which require us to let people know what we are doing with their data, and also allow access to the data to check and correct it.
We do need to make it clear what we do with the data, and who we pass it on to.
For instance, we need to inform people that we will be passing their information to future Worldcons for the purposes of Hugo nomination and administration.
And we will be receiving information from Worldcons for OUR Hugo administration. And so we need to have a policy for that.
One policy I’ve seen is from TitanCon.
https://titancon.com/2018/data_policy.php
I’m sure there are others…
If you have other links or suggestions, we’d love to hear about them.
-
May 15, 2018 at 9:57 am #501
This is the Privacy Commission’s advice:
Information Privacy Principles
These principles can be summarised as:
1. Only collect personal information if you really need it
2. Get it straight from the people concerned where possible
3. Tell them what you’re going to do with it
4. Collect it legally and fairly
5. Take care of it once you’ve got it
6. People can see their personal information if they want to
7. They can correct it if it’s wrong
8. Make sure personal information is correct before you use it
9. Get rid of it when you’re done with it
10. Use it for the purpose you got it
11. Only disclose it if you have a good reason
12. Only assign unique identifiers where permitted.
Together, these principles form a ‘life-cycle’ for personal information.
Also, Section 23 of the Privacy Act states that all agencies must have at least one privacy officer. They provide free training for a privacy officer. Looks like another volunteer.
Cheers,
Kelly
-
May 16, 2018 at 12:58 am #520
Dublin are talking about this at the moment in reference to a couple of things:
– GDPR
– what to do if someone does not want to be contacted
– when to delete info post con.
Possibly worth mailing JC (finance-dh@dublin2019.com) as he’s spearheading it and has the GDPR training (or rather, he is the person we are deferring to. A number of us have had the training but it’s definitely not cohesive – I know mine from my university is rather different, so we’re avoiding crossing the streams).
Esther
-
May 23, 2018 at 12:26 pm #556
These policies SEEM to be thin on the ground… TitanCon has a page. (Referenced in the forum post). I’ve just done an update to WordPress and it has a suggested set of boilerplate for such a policy. Clearly we need to conform to NZ laws, but GDPR is also a factor.
But it’s also valuable to think about what we do with our data, who can see it, where it resides etc.
And does where it resides cause us any problems?
We can’t shackle ourselves so much that our job becomes impossible, but people also need to know what we are doing with the data, and WE need to know that we have policies in place to protect it.
I have SOME idea, but this isn’t my area of expertise….
-
May 24, 2018 at 12:01 pm #570
I’ve gone ahead and written a Privacy Policy page, based on boilerplate from WordPress and their prompts.
The WordPress boilerplate explains how a WordPress site deals with personal information.
And I’ve added various information based on a couple of Privacy sites.
https://nzin2020.nz/privacy-policy/
Anything egregious, wrong or “hands waving in panic” here?
-
May 27, 2018 at 4:16 pm #607
From what I understand of the GDPR, it applies to us if we are selling goods or services to EU residents. Is membership a service? Is pre-support a service? (If not, what are they?)
The safest way out would be to fully comply with the GDPR. I suspect that our laws line up fairly well with the GDPR, but somebody needs to be tasked with wading through the swamp to check.