Privacy Notice


(system) #1

Privacy Notice

1. Definitions
2. Lawful basis for processing your data (incl. legitimate interest)
3. Who is involved in collecting and processing your data on the OGN Forum?
4. Information about how CDCK collect and use data about you
4.1. What is CDCK?
4.2. How does CDCK collect data about me?
4.3. What data does CDCK collect about me, and why?
4.4. Where does CDCK store data about me?
4.5. Does CDCK comply with the EU General Data Protection Regulation?
4.6. Does CDCK make automated decisions based on data about me?
4.7. Does CDCK share data about me with others?
5. Information about how the OGN collects and uses data about you
5.1 What is the OGN?
5.2. How does OGN collect and process data about me?
5.3. What are the access permissions of Moderators and Admins on the OGN Forum?
6. Your rights
6.1. How can I make choices about data collection?
6.2. Where can I access data about me?
6.3. How can I change or erase data about me?
6.4. Who can I contact about my privacy?
6.5. How can I find out about changes?

1. Definitions

When we say “We”, “Us”, “the Open Government Network(s)”, “the OGN”, “the UK Open Government Civil Society Network”, “The OGN Forum”, we refer to the Open Government Network secretariat hosted by the Involve Foundation, based at 18 Victoria Park Square, London, E2 9PF. The OGN uses Discourse as the software for its discussion forum for network members.

When we say “Discourse”, “CDCK” - we refer to Civilized Discourse Construction Kit, Inc. (“CDCK”) who owns and operates Discourse.org, an open source discussion platform. CDCK hosts the https://discuss.opengovernment.org.uk discussion forum for the OGN on their servers and provides maintenance, upgrades and technical support.

When we say “you” or “your”, we refer to anyone who is a member or user of the https://discuss.opengovernment.org.uk platform.

2. Lawful basis for processing your data (incl. legitimate interest)

To sign up to the discussion OGN Forum and sister networks, you give consent relating to the processing and control of your personal data.

You have a number of rights relating to the processing of your personal data (See Section 6., Your Rights). However, there may be cases in which an overriding legitimate interest means we must retain your personal data. This will be assessed on a case-by-case basis.

For example, if you participate in the OGN Forum by sending posts as part of the development of a UK Open Government Action Plan, or a campaign with the intention of influencing government policy, we will not delete your posts or your name, as there is a legitimate interest in maintaining an accurate historical record of this. It is important that we maintain an accurate historical record of the interactions on the OGN Forum, particularly it is important to ensure accountability in conversations and of decisions made relating to OGN policy, influencing UK Government decision-making processes, and the development of any Open Government action plan or other similar government policy related to the Purpose of the OGN.

3. Who is involved in collecting and processing your data on the OGN Forum?

The OGN Forum is hosted by CDCK. CDCK collects and processes data every time you provide information, read or use the OGN Forum and operates under the General Data Protection Regulation (GDPR).

The Open Government Network is the OGN Forum administrator and also has obligations as a data controller under the General Data Protection Regulation (GDPR).

You can contact CDCK or the OGN about your privacy rights and use of personal data in Section 6., below.

4. Information about how CDCK collects and uses data about you

This notice describes how Civilized Discourse Construction Kit, Inc., or CDCK for short, collects and uses data about you.

4.1. What is CDCK?

CDCK is the company home and primary developer of Discourse, open source software for hosting Internet discussion forums. As a company, CDCK hosts forums using Discourse for customers, as well as meta.discourse.org, a discussion forum about Discourse itself.

CDCK sets only its own privacy practices, not the privacy practices of CDCK customers or others who host Discourse forums for themselves or others. You should ask all of those involved in administering and hosting Discourse forums (the OGN) that you use for information about their privacy practices.

CDCK is based in the USA and is a certified organisation under the EU-US Privacy Shield.

4.2. How does CDCK collect data about me?

CDCK collects data about you:

  • when you browse a forum that CDCK hosts
  • when you create and use an account on a forum that CDCK hosts
  • when you post, send private messages, and otherwise participate in a forum that CDCK hosts

CDCK collects data when you use forums that Discourse hosts, whether you use the forums using a web browser on your own computer, or use CDCK’s Discourse apps for mobile devices.

CDCK does not buy or otherwise receive data about you from data brokers.

4.3. What data does CDCK collect about me, and why?

CDCK collects data about visits to forums.
When you visit a forum that CDCK hosts, whether you have an account or not, the forum uses cookies, server logs, and other methods to collect data about what pages you visit and when.

CDCK uses data about how you use the website to:

  • optimise the forum, so that it’s quick and easy to use
  • diagnose and debug technical errors
  • defend the forum from abuse and technical attacks
  • compile statistics on forum and topic popularity
  • compile statistics on the kinds of software and computers visitors use

CDCK usually stores data about how you use the forum in identifiable form for just a few weeks. In special circumstances, like extended investigations about technical attacks, CDCK may preserve log data longer, for analysis. CDCK stores aggregate statistics about use of the forum for as long as CDCK hosts the forum, but those statistics don’t include data identifiable to you personally.

CDCK collects account data.
Many features of forums that CDCK hosts require a forum account. For example, most forums that CDCK hosts require an account to post and reply to topics.

To sign up for a forum account, Discourse requires your name, a user name, and an e-mail address.

CDCK uses your account data to identify you on the forum, and to create pages specific to you, like your profile page. If the forum is public, CDCK publishes your account data. If the forum is access-restricted, CDCK makes your account data available to everyone who can access the forum, according to the forum administrator’s configuration.

CDCK uses your e-mail address to:

  • notify you about posts and other activity on the forum
  • reset your password and help keep your account secure
  • contact you in special circumstances related to your account
  • contact you about legal requests, like DMCA takedown requests

You may provide additional data for your account, like a short biography, your location, or your birthday, on the profile settings page for your account. CDCK makes that data available to others who can access the forum. You don’t have to provide this additional information, and you can erase it at any time.

CDCK stores your account data as long as your account remains open.

CDCK collects data about posts and other activity on the forum.
CDCK collects the content of your posts, plus data about bookmarks, likes, and links you follow in order to share that data with others, through the forum. If the forum is public, CDCK publishes your activity. If the forum is access-restricted, or access restrictions apply to the specific post, CDCK makes your activity available only to users permitted to see it.

CDCK also collects data about private messages that you send through the forum. CDCK makes private messages available to senders and their recipients, and also to forum administrators.

CDCK stores your posts and other activity as long as your account remains open.

4.4. Where does CDCK store data about me?

Most forums that CDCK hosts store all data in CDCK’s data center in San Jose, California, USA. Some forums that CDCK hosts store data in data centers in multiple jurisdictions, such as the United States and the European Union.

4.5. Does CDCK comply with the EU General Data Protection Regulation?

CDCK respects privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires CDCK to give can be found throughout this privacy notice. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.

CDCK is a certified organisation under the EU-US Privacy Shield Agreement - you can find its entry on the list of certified organisations here. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.

4.6. Does CDCK make automated decisions based on data about me?

CDCK classifies posts as spam automatically.

CDCK uses data about your posts and other activity on many forums to make automated decisions about whether your posts to meta.discourse.org and most forums that CDCK hosts are spam. When Akismet decides that a post is likely spam, the forum refuses to accept the post.

If you think a post has been wrongly blocked or removed, contact an administrator of your forum. They can override the decision that a post was spam.

CDCK uses data about posts and activity to set trust levels automatically.

Depending on how administrators of your forum configure the forum, the forum may use data about your posts and activity to award you badges and calculate a trust level for your account. Your trust level may affect how you can participate in the forum, such as whether you can upload images, as well as give you access to moderation and management powers in the forum. Your trust level therefore reflects forum administrators’ confidence in you, and their willingness to delegate community management functions, like moderation.

If you think your trust level has been set incorrectly, contact an administrator of your forum. They can manually adjust the trust level of your account.

4.7. Does CDCK share data about me with others?

CDCK shares account data with others as mentioned in the section about account data.

CDCK shares data about your posts and other forum activity with others as mentioned in the section about account data.

Apart from making data available to the customer that pays CDCK to host a forum, CDCK does not sell or give information about you to other companies or services. However, CDCK does use services from other companies on some forums that it hosts. The companies behind those services may collect data about you on their own, for their own purposes. Some of these services may be used to collect information about your online activities across different websites. All of these services are based in the United States.

Akismet - reduces spam posts on some forums

Google Analytics - Compiles visitor statistics on some forums, including meta.discourse.org. You can opt out of Google Analytics using a browser extension.
https://www.google.com/analytics/terms/

Amazon Web Services - Provides cloud servers and services, in service regions across the world, to host and back up some forums.
https://aws.amazon.com/privacy/

Digital Ocean - Stores backups for many forums.

Fastly - Provides a content delivery network of servers that host copies of content like images and website files, so that users around the world can download them quickly, from servers close to where they are.

KeyCDN - Provides a content delivery network.

MaxCDN - Provides a content delivery network.

Apple Push Notification Service - Sends push notifications to users of the Discourse iOS app.
https://www.apple.com/legal/privacy/

Google Cloud Messaging - Sends push notifications to users of the Discourse Android app.
https://policies.google.com/privacy/

Other individuals and companies may also reuse data about you that CDCK publishes, such as your posts to public forums.

5. Information about how the OGN collects and processes data about you

5.1. What is the OGN?

The UK Open Government Civil Society Network (OGN) is a coalition of active citizens and civil society organisations committed to making government work better for people through increased transparency, participation and accountability.

The OGN is coordinated by Involve – a charity specialising in public participation, based at 18 Victoria Park Square, London, E2 9PF. Involve was selected by members of the OGN to become the coordinator in September 2012.

The OGN has sister networks in Scotland (coordinated by SCVO), Wales (coordinated by the Electoral Reform Society Wales and WCVA) and Northern Ireland (coordinated by Environment Link).

The four sister Open Government Networks share the online platform Discourse.org, which is managed overall by the OGN.

5.2. How does OGN collect and process data about me?

The OGN uses CDCK to ensure the running of the OGN Forum.

Information you provide when you sign onto and use the OGN Forum is collected by CDCK. The way CDCK uses and processes this information is explained in Section 4. of this privacy notice.

The OGN has access to publicly-visible data, including user membership of groups and networks. Sister networks also has access to publicly-visible data, which is necessary to help them to effectively organise their members and moderate their relevant group in the OGN Forum. For example, if you apply to join a group, the OGN or sister networks may need to access the data you provide in order to accept you into one of the groups in the OGN Forum.

The OGN is also able to access some data which is not publicly visible - such as some website activity data or logs. We will not use this data beyond what is already stipulated by CDCK to carry out their function as data processor for the OGN Forum.

The OGN will not use your information or share any data with other third parties, unless we either obtain your express permission, are required by law, or unless it is necessary in pursuing the purpose of the OGN. For example, if you wish to run for a position on the Steering Committee in an election, we may need to collect and publish some personal information that you provide to us via Google Forms (such as your name and job history), in order to effectively carry out that election.

5.3. What are the access permissions of Moderators and Admins on the OGN Forum?

There are moderators and admins in the OGN Forum, with different access to personal data and information settings.

Admin users are the superusers in the system, they can impersonate non admins, change site settings, create groups, amend site customizations, perform all the actions moderators can perform, read any personal message. Only the UK OGN coordinators are Admins and are identifiable by the badge next to their name.

The coordinators of the various sister OGN Networks (in Scotland, Wales and Northern Ireland) have Moderator permissions on the OGN Forum. This means they can process flagged issues, delete topics and posts, split topics, merge topics, hide topics and so on, view user info including email address, accept users into groups. They are also identifiable via the badge next to their name.

Coordinators of sister OGN Networks therefore have a slightly lower set of access permissions compared to the UK OGN coordinators.

List of OGN Forum Admins and Moderators
Andreas Pavlou - Involve - Admin
Tim J Hughes - Involve - Admin
Paul Bradley - SCVO - Moderator
Jess Blair - ERS Wales - Moderator
David McBurney - Northern Ireland Environment Link - Moderator

6. Your Rights

6.1. How can I make choices about data collection?

You can make choices about how data about is used on the settings page for your account.

When a CDCK-hosted forum uses access restrictions that vary by category, you can choose who will see your post by choosing the appropriate category. The OGN Forum is split into various sub-network forums, where some messages may only be visible to that particular network membership. For example, the ‘Advocacy’ category is only visible to Network members.

CDCK does not respond to the Do Not Track HTTP header.

6.2. Where can I access data about me?

You can see your account data at any time by visiting your account page on the OGN Forum. Your account page also lists your posts and other activity on the forum.

Your account activity page also includes a link to download all of your activity in standard comma-separated values format.

6.3. How can I change or erase data about me?

You can change your account data at any time by visiting the profile settings page for your account.

It is possible to edit your posts on the OGN Forum. When you edit posts, CDCK will keep all versions of your posts. OGN Forum admins can view old versions of posts, and optionally make them visible to other forum visitors.

There is also a short ‘holding’ period between drafting a post and sending it, so you have the option to correct or delete a post before it is sent out to other forum members.

You can close your account if you have never interacted with the OGN Forum. Closing your account starts a process of erasing or anonymising CDCK’s records of data you provided for your account. OGN Forum admins can also erase and anonymise accounts.

Legitimate interest in not fully deleting your data
If you have posted or replied to a message via the OGN Forum, then there may be legitimate interests in not erasing your data fully. For example, if you have interacted with the Forum by posting messages related to influencing an Open Government Action Plan or a campaign to influence government policy, there is an overriding interest in the OGN Forum maintaining a historical record of the conversations for accountability purposes.

We consider this on a case-by-case basis. For example, after considering the legitimate interests, we may decided to anonymise your account but maintain the content of all your messages on the forum.

If you want to delete information which might need consideration against the legitimate interest, please get in contact with the OGN Forum Administrator: Andreas Pavlou andreas@involve.org.uk

6.4. Who can I contact about my privacy?

The OGN is the forum administrator and data controller. CDCK is the data processor.

You can contact Andreas Pavlou andreas@involve.org.uk for any questions or complaints relating to the privacy policy and/or OGN Forum.

If you have any questions or complaints about CDCK’s processing of data, you can contact Civilized Discourse Construction Kit, Inc: team+privacy@discourse.org

European Users with questions or complaints about GDPR compliance should also address CDCK’s representative in the Union:
Régis Hanol
regis.hanol@discourse.org

For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities:
UK Information Commissioner’s Office (ICO) https://ico.org.uk/

6.5. How can I find out about changes to the privacy notice?

The section about CDCK’s privacy questions and answers (section IV) took effect 1 May 2018.

CDCK will post the next version at https://meta.discourse.org/privacy. CDCK may change how it announces changes in future versions.

In the meantime, CDCK may update its contact information without announcing a change. Please refer to https://meta.discourse.org/privacy for the latest contact information at any time.

The OGN-related questions of this privacy notice took effect on 22 May 2018. If we decide to change any part of our privacy policy, we make an announcement and will post those changes on this page and make a note of the date of the changes.


(system) #2

Edit the first post in this topic to change the contents of the Privacy Policy page.