Data sharing and security agreement

Updated 4 March 2022

Our responsibilities for data protection under the GDPR.

SocietyWorks Ltd (05798215) is a wholly owned subsidiary of mySociety, a registered charity in England and Wales (1076346) and limited company (03277032).

mySociety is a registered data controller (Z9602302). From hereon, this document refers to the group as ‘mySociety’, for the sake of simplicity.

1. Roles

These roles impose certain responsibilities on both parties under the GDPR which came into force in May 2018.

If a member of the public submits a request or report via the client’s branded version of one of SocietyWorks’ services (including FixMyStreet Pro, WasteWorks, NoiseWorks, FOIWorks or ApplyWorks), mySociety is acting as a data processor for the client. In this instance the client is then the sole data controller.

If a member of the public goes directly to the national FixMyStreet site and reports a fault the client is responsible for, mySociety will be considered the data controller for this processing. In accordance with the stated terms of the service mySociety will transfer the fault report to the client, but this transfer takes place as a data controller to data controller transfer.

2. Data Controller responsibilities

• An online privacy policy which is easy to locate, written in plain English, and which outlines the users’ rights and any purpose/s for which the data will be used. The client shall take responsibility for informing users who enter their personal data on the branded client site in the form of a privacy policy that covers the necessary information. We advise clients to refer users to both our Privacy Policy and their own from the gateway webpage to their FixMyStreet Pro installation. All FixMyStreet Pro installations include a Privacy and Cookies page within the Help menu. mySociety takes responsibility for informing users who enter their personal data on the national site, with the privacy policy at https://www.fixmystreet.com/about/privacy.
• To record the purposes for processing data and to be clear, open and honest about that purpose.
• Data must not be used for purposes beyond that covered by the lawful basis (see ‘lawful basis for processing’, below), without consent from the users, a clear basis in law, or a purpose that is compatible with the original purpose.
• An internal data processing policy which is accessible to all staff, and which includes details of retention periods, privacy expectations and subject access protocols.
• Security measures to ensure that users’ personal data is not compromised.
• Notification of any data breaches to the ICO. The Working Party Guidelines on breach notification recommend that the contractual arrangements between joint controllers include provisions that determine which controller will take the lead on, or be responsible for, compliance with the GDPR’s breach notification obligations.
• Creation of a Data Protection Officer role (this applies to public authorities only; mySociety is exempt due to the limited extent of its personal data processing).

3. What personal data is collected and shared

When a user submits a report through FixMyStreet or FixMystreet Pro, the following personal data is collected:

• The user’s name
• The user’s email address
• Optionally, the user’s phone number
• Occasionally, the body of the report may also contain personal data such as a postal address, although this is not recommended use of the site

When a user submits a report or request through WasteWorks, the following personal data is collected:

• The user’s name
• The user’s email address
• The user’s postal address
• Optionally, the user’s phone number

mySociety does not handle any payment information via WasteWorks. Payment details are handled by the client’s payment provider, who provides mySociety with an authorisation response to indicate the status of a transaction.

When a user submits a request through FOIWorks, the following personal data is collected:

• The user’s name
• The user’s email address
• Sometimes users might include personally identifiable information in their request
• We delete requests and all user’s personal information;
  • 1 week after the request(s) has been successfully submitted or
  • 4 weeks after being entered into the site and the request remains unsubmitted.

When a user submits a report through NoiseWorks, the following personal data is collected:

• The user’s name
• The user’s email address
• The user’s postal address
• Optionally, the user’s phone number

4. Who has access to personal data

At mySociety, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of mySociety staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct SocietyWorks team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety causes them to seek advice from the Chief Executive or trustees).

Clients also have access to the admin function of their SocietyWorks product, giving them access to reports within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.

5. How the data is used

mySociety only uses users’ personal data for the purpose of sending their report or request to the relevant authority; and, except in the case of NoiseWorks, to send them follow-up emails to ask if their issue has been fixed. 

Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, eg a newsletter list.

6. Security

All passwords on mySociety’s services must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing. mySociety administrator accounts must adhere to mySociety’s own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).

mySociety makes use of both public and private cloud infrastructure. All systems are hosted in secure, access-controlled  data centres in the UK and Ireland. All data centre operators have ISO27001 certification. .

Every mySociety server runs a host based firewall to restrict inbound and outbound access of traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. mySociety maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.

Privileged credentials are only transmitted to mySociety servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.

A summary of our security measures will be maintained on the SocietyWorks website here: https://www.societyworks.org/features/hosted-secure/ 

7. Lawful basis for processing

mySociety’s lawful basis for processing is legitimate interests – we have an interest in running our problem reporting service for the benefit of the users and for society, and process personal data in a way that has a minimal impact on privacy and in ways they would reasonably expect. We take the submission of a report on FixMyStreet to be consent to the processing of the user’s personal data as described on this page and in the privacy policy. 

FixMyStreet’s submission form clearly states how different types of users’ data (personal and public) will be processed, and we can make this explicit, both on the page and on the confirmation email. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.

8. Retention periods

We remove user accounts and anonymise problem reports that have been inactive for a period of two years. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet. The ICO states that requests for erasure may be turned down when personal data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others.

Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.

The retention period for FOIWorks requests are as follows: We delete requests and all user’s personal information;

• 1 week after the request(s) has been successfully submitted or
• 4 weeks after being entered into the site and the request remains unsubmitted.

9. Research

mySociety sometimes shares anonymised data with researchers, and sometimes performs its own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category. This does not apply to NoiseWorks.

10. Client checklist

We advise clients to check the following:

• That you have an accessible plain English privacy policy in place and that this is easy for users to find. It is likely that this policy will cover your site as a whole.
• You may wish to include a clause that points those residents who have privacy concerns regarding FixMyStreet reports to contact mySociety via support@fixmystreet.com (ideally, also note that users can anonymise their own reports directly, since this is a common concern).
• Please let us know if you would like to include a Privacy link within your FixMyStreet installation, which would refer back to our own page at https://www.fixmystreet.com/about/privacy.
• Once we have passed users’ data on to an authority, it should be handled according to their own data protection protocols. The authority should have internal data-handling policies which all staff are aware of and may access easily. These should include requirements for security and privacy of data, how to handle subject access requests, retention periods, and limitation of data use (ie using it solely for the purpose for which user consent was given).
• You may also wish to include (or link to) instructions on how and when to moderate FixMyStreet reports; plus an email contact for the mySociety team who can assist with any issues that arise.
• That the authority has a policy for reporting any data breaches to the ICO and that staff know how to recognise a breach. In case of any data breach affecting FixMyStreet users, please also report it to mySociety.
• That the authority has appointed a Data Protection Officer.

This document has been prepared by the SocietyWorks client team who can be contacted at clientsupport@societyworks.org