You're browsing the 2004-2023 VATSIM Forums archive. All content is preserved in a read-only fashion.
For the latest forum posts, please visit https://forum.vatsim.net.
GDPR - implications for regional/division websites


Nick Johnston
Recommended Posts

Nick Johnston
Posted

Is there any news in terms of VATSIM's compliance with the upcoming GDPR legislation?

 

The legislation comes into effect in three and a half weeks, and seems to have the potential to affect not only vatsim.net but also the various regional and division websites around the world, particularly if they handle or store any personal information for EU citizens.

 

I understand that VATSIM has a working group that is looking into the implications of the GDPR on its operations.

 

Can someone please confirm:

 

  • whether they are also addressing the implications for the regional/division websites, or whether we need to figure this out ourselves?
  • when they expect to be in a position to outline their GDPR strategy and to provide guidance to the regional/division webmasters re any changes that will affect us, and/or that will require changes to our websites/services.

 

A large share of divisions around the world would likely have EU members - both VATPAC and VATNZ have users with EU countries in the user's country code, and you literally can't get further away from the EU geographically. Will the working group be providing guidance to those divisions on what our obligations are towards those users? Do we (the regional/division websites) require these users' explicit consent to store their personal information? If so, is there a process to facilitate obtaining that consent? Is the country code field in the CERT record sufficient and complete basis to identify users that are subject to the GDPR's protections?

 

Even websites for sub-organisations that don't have any EU members seem likely to still be impacted. If we have a membership roster/flight or controller activity leaderboard/current flight or controller screen/training system/booking system/etc on our sites, do we have to anonymise the identities of EU users who have not explicitly consented to our using their information? Will the information in the client data feed be similarly anonymised for EU users, and if so, how? At the very least, presumably the data feed would need to be adapted to indicate which clients are subject to GDPR protection?

 

These are just the questions I thought of while typing this. I have no doubt that there are more that will need to be addressed to ensure that all of the regions/divisions and their website are GDPR compliant.

 

Given that there is less than four weeks until the GDPR takes effect, and given that the likely answer to many of the questions above will require code changes in the division/regional websites, that will need to be developed and tested, time is very much of the essence.

 

 

Thanks,

Nick

Nick Johnston

IT Director, VATNZ - VATSIM New Zealand
Cross the Ditch Guy, Cross the Ditch


Sean Harrison
Posted

Nick,

 

Maybe check the VATOCE recent meeting minutes. I didn’t pay a lot of attention, but I’m sure it’s in there.

Sean

C1/O P3


Nick Johnston
Posted
Maybe check the VATOCE recent meeting minutes. I didn’t pay a lot of attention, but I’m sure it’s in there.

 

Yes, there's an update saying that VATSIM has some GDPR issues that are being worked through, and that having resolved the issues for VATSIM, the BOG will then look to address the regions/divisions. There's also an action on each of the Division Directors to give their respective IT departments a heads-up on the fact that there may be changes.

 

There's nothing about what those changes will be or what the timeframe for implementing them will be.

 

The key point I'm making here is that even if there were FTE staff in the regions'/divisions' IT departments (which of course there aren't), any changes - particularly around sensitive data - need time to be planned, implemented, and tested before going live. They can't be left until the last minute; and with three and a half weeks to go, the last minute is fast approaching.

 

Here's an example: the Single Sign-On system, and the client data feed -- both of these VATSIM-provided services are used by many (if not most) regional/division websites for a variety of uses, and both of them pass personal and/or identifying information to the downstream sites. If VATSIM are forced to make changes to either of those services, they will be potentially breaking changes to the sites that consume them. Any site that's using a third-party library to interact with those services may end up having to wait for the third-party to modify their library. Anyone else will potentially be faced with having to find resource to modify their own code at short notice.

 

Maybe there won't be any major impacts for us downstream users, but it seems more likely that there will be some. The point is, three weeks out, it's time for the GDPR Working Group to be having a conversation with those of us on the regional/divisional coal face, even if it's just to say "nah, at this stage, the changes we're implementing at VATSIM will have you covered" or "this information won't be in the client data feed any more".

 

These changes aren't state secrets, and the sooner they can share the scope of the upstream changes with us, the sooner we can assess their impacts on our individual situations and start planning accordingly.

 

 

Nick

Nick Johnston

IT Director, VATNZ - VATSIM New Zealand
Cross the Ditch Guy, Cross the Ditch


Mark Richards
Posted

Nick

 

Expect an email in the next week or so

 

Mark

Mark Richards (811451)

Auckland, New Zealand

811451

 


  • 2 weeks later...
Daniel Hawton
Posted

Any updates??? We're a week away from it being in effect, and there is no guidance for divisions, regions and even the sub-divisions here. That gives us very limited time to implement the guidance provided by VATSIM to ensure our systems are compliant without being liable under the new law.


Alex Long
Posted
Any updates??? We're a week away from it being in effect, and there is no guidance for divisions, regions and even the sub-divisions here. That gives us very limited time to implement the guidance provided by VATSIM to ensure our systems are compliant without being liable under the new law.

 

Agreed. We're approaching a week until enforcement of this law, any sort of guidance on this would be great.


  • Board of Governors
Matthew Cianfarani
Posted

Agreed. We're approaching a week until enforcement of this law, any sort of guidance on this would be great.

 

We are working with Regions already - And some further guidance will be coming shortly.

Matthew Cianfarani
Vice President, Technology
VATSIM Board of Governors


Kieran Samuel Cross
Posted

Agreed. We're approaching a week until enforcement of this law, any sort of guidance on this would be great.

 

We are working with Regions already - And some further guidance will be coming shortly.

 

5 Days until GDPR comes into effect, and only regions have guidance? What about Divisions, vACC/ARTCCs? Are we expected to hang a closed sign on our things when the 25th comes - especially since this is a voluntary organisation, so for many subdivisions, if the guidance wasn't announced very, very soon, they wouldn't be able to get them into effect in-time?

 

Doesn't look to me like VATSIM has really prepared this, or thought this one through ?

 

Kind Regards,

Kieran Cross,


Mark Richards
Posted

Kieran

 

Like every single organisation involved with GDPR implementation, we must pay due diligence to ensure that we are not only ready but that we continue to improve on what we already do.

 

This work will continue for as long it needs to.

 

Mark

Mark Richards (811451)

Auckland, New Zealand

811451

 


Mark Richards
Posted

The following email was sent to Regional Directors and Division Directors at 10:55z on Sunday 20MAY18

 

Gents,

Firstly I recognise many of you are anxious that we have not spoken to you sooner about how we are going to ensure VATSIM is compliant with GDPR. I apologise we have not done this sooner, however we have set about trying to get this substantively right on the first go, rather than having to make multiple changes to our response. It has taken up the vast bulk of the free time of a number of members of the Board of Governors over the past few months. In this email I will detail the measures we are putting in place and hopefully see if I can allay your concerns.

 

You will all shortly get access to two documents. One is the Privacy and Data Collection Policy which is a revised version of the existing document. It is currently being voted on by the BoG, but so far unless someone changes their mind this is the new document that will be promulgated shortly. The Data Protection and Data Handling Policy (DPDHP) is an entirely new document which is somewhat more technical in nature and details more of the nuts and bolts of our compliance measures. It is in final draft stage (there may be one or two more small alterations), and has just gone to the BoG for a vote in the past couple of hours. Once that has taken place it too will be promulgated.

 

We have had extensive consultations on this, as well as a lot of legal advice. We believe the risk to us is low, but we cannot afford to be non-compliant. The risk if there is an action against VATSIM falls squarely on the Founders and to a lesser extent the Board of Governors.

 

We have determined that VATSIM is quite clearly a data controller for the purposes of the regulation. Our belief is that VATSIM's many subsidiary parts are part of the whole, and that the leadership or head office probably holds the liability for them as well (outside of gross negligence). We are also confident that all of the subsidiary parts of VATSIM are also controllers for those bits of the data that they hold individually. We do not appear to have any outside processors, with all data processing being done in house. Any data sent to outside organisations (such as vRoute or other statistics aggregators) are data transfers, although this information is mostly of a less personal nature. The only personal data that is sent is the individual's name and that is publicly visible when flying or controlling on line in any event. The individual's location may or may not be personal data, as there is no guarantee that an individual has entered their actual physical location into their client when logging on, they can just as easily (and many do) enter their virtual location.

 

We have also established legitimate interest as our lawful basis for data collection, storage, and processing. This obviates the need for individual consent, and the reasons and justifications we have for this position are set out in the DPDHP. This document also sets out how we will institute the various rights individuals have under GDPR, and how we will manage requests made under them. In terms of Right of Access and Right of Erasure we are going to manage all of these issues centrally. Any request for data held by VATSIM, or for erasure will be handled by Membership. They will then action the request, along with safeguards to ensure that the person making the request is who they say they are. Where SSO is not being used once we have made an erasure we will have a process in place to have any other portion of the organisation holding data to also effect a deletion. Access requests will have to be passed to Membership, even if it's a verbal request. Membership will be asking individuals for confirmation before proceeding, so that the request can be documented. While it would be nice to have this automated we are not confident that we can redact information automatically that needs to be removed (such as the name and IP of people making comments on CERT, which is that person's personal data and can't be revealed). Erasure requests will be handled in a similar fashion. Requests for rectification will be handled through the existing Membership ticket system.

 

We are confident that as CERT records all the divisional and regional transfers made by a member throughout their time on the network that we can track all the sub-portions of the organisation where data requiring deletion may be held. You yourselves could not be liable for any action by another division or region that didn't action such an instruction.

 

As we are using legitimate interest we are also going to have to honour requests under the Right to Object and the Right to Suspend Processing.

 

All of the likely requests (access, erasure, objection etc) from the membership are to be handled centrally. Until the formal guidance on how each of these processes is to be detailed, if you receive one between now and 25 May inform the member they will need to repeat their request after this date. After this date please pass it on via the membership team, as in all cases the responsibility for carrying out the request lies with them. This includes both written and verbal requests, and if you receive a verbal request ask the individual to follow it up with a confirmation in writing. It may well be there will be a large number of requests in the initial period. GDPR dictates that requests must be met within one calendar month of being received. There is further advice that this month commences on the day after the request is received, so requests made on 25 May 18 will be due on 26 June 18. There is also a provision for the organisation to claim a two month extension. If this proves necessary due to the volume of requests we will do so.

 

We've determined that GDPR represents a high water mark for pretty much all of the organisation and have decided to make it the de facto standard across all of VATSIM. The reasons for this are manifold. Firstly, as I've discussed with some of you before, our main data repository, CERT, is physically located in Germany. Therefore every record held in CERT is covered by GDPR, without exception. Secondly it will be difficult to determine if members of divisions outside of Europe are actually located within the EEA; note they only have to be residing there, not be EEA citizens, to be covered, so in the case of an American currently living in the EEA who is a member of VATUSA they will be covered by GDPR. It is almost certain most of you will have members in this category. Finally it will be even more difficult to determine if you have members who are EU citizens and live outside the EU who are still covered. Indeed there will be some in this category who do not even know they are EU citizens, as citizenship law in some EU countries grants citizenship automatically to spouses, children, grand-children and in some cases even more distant descendants of those born in the EU. And there is zero uniformity across the EU on this.

 

On the technical side a NOTAM is due for release later today detailing these issues and also our technical responses. The Access and Erasure I have already covered. For those who either object to our legitimate interest or who request we suspend processing, this will be actioned by issuing a permanent suspension and then holding the data for a set period to allow the member a chance to reconsider. If the time runs out their data will be deleted as our legitimate interest is no longer valid, but we are anxious to allow individuals an opportunity to reconsider. We also want to ensure those with bad CERT records don't use this as a potential means to wipe the slate clean and start again. There will also be a new acknowledgement process that all members will have to go through. On their first sign in to the network on or after May 25 they will have to go through the new policies and signify their assent to them. New members will get the same process as part of the registration procedure.

 

New data access guidelines will also be issued shortly. Every member with access to CERT above Level 0 will be sent a copy; these will outline who, when, where, why and how CERT is to be accessed. It will also detail how to deal with requests by members who wish to assert any of the rights they have under GDPR, as well as the consequences of not following the guidelines (the DPDHP stipulates they will lose their CERT access, and be ineligible to have it restored for 10 years). Members will be required to acknowledge receipt of and agreement with the guidelines, and their acknowledgement will be detailed in their CERT record. The same basic principles will be required of members when accessing any local data collections you maintain, but this will have to be managed at a local level.

 

Individual subportions of your respective divisions (ARTCCs, FIRs, vACCs etc) will all have to ensure they are now in compliance. For the most part this will be ensuring they have had members opt-in to marketing emails and the like, this includes notification of events and other such emails which many parts of the network utilise to keep the membership informed of activities. If they are unable to do this prior to 25 May 18 they will have to stop sending such emails until they have completed this task. They will also need to draft their own policies on how they handle deletion of data, and access requests. Divisional directors should ask to have copies of all of these policies. These policies must not contradict the main VATSIM policy. In particular legitimate interest is the only lawful means that should be relied upon for data collection, using the same justifications as is given in the DPDHP. Communication means such as forums, facebook pages and groups, twitter feeds etc are by their nature already opt-in platforms.

 

We believe that what we are doing is broadly the same as other organisations (like me, my guess is you have had a torrent of emails from organisations telling you about their new privacy policy +/- asking you to opt in again) and that we have brought the organisation into full compliance. We are confident that the work done to date should result in there being no significant risk to any individual member.

 

Feel free to discuss any or all of these points with myself, Mark Richards, or Gunnar Lindahl. I hope this helps put your minds at ease.

 

Regards,

Jackson Harding

 

--

Jackson Harding

Vice President Regions

VATSIM Board of Governors

 

Please channel enquiries through your Division Directors in the first instance.

 

The two policies have now been published on the VATSIM website.

 

Direct links are:

 

• Privacy Policy - https://www.vatsim.net/documents/privacy-policy

• Data Protection and Handling Policy - https://www.vatsim.net/documents/data-protection-handling-policy

 

They can be found under Documents | Policy from the top menu.

 

A NOTAM is due to be published on the VATSIM Website, VATSIM Forums, Social Media in the next few hours and it will also be emailed to every VATSIM member progressively over the next 24 hours (as there are 80,000+ emails to send).

Mark Richards (811451)

Auckland, New Zealand

811451
