Data sharing and security agreement

Updated 5 October 2023

Our responsibilities for data protection under the GDPR.

SocietyWorks Ltd (company number: 05798215) is a wholly owned subsidiary of mySociety, a registered charity in England and Wales (charity number: 1076346) and company limited by guarantee (company number: 03277032).

SocietyWorks Ltd is a registered data controller (ICO registration number: ZA937521). mySociety is a registered data controller (ICO registration number: Z9602302).

1. Roles

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing, in relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction).

Ico.org.uk

These roles impose certain responsibilities on both parties under the UK GDPR.

If a member of the public submits a request or report in relation to the provision of SocietyWorks’ services (including FixMyStreet Pro, WasteWorks, FOIWorks or ApplyWorks), the processing of the data involved is covered by SocietyWorks and the client acting as joint controllers.

2. Controller responsibilities

An online privacy policy which is easy to locate, written in plain English, and which outlines the users’ rights and any purpose/s for which the data will be used. The client shall take responsibility for informing users who enter their personal data on the branded client site in the form of a privacy policy that covers the necessary information.
To record the purposes for processing data and to be clear, open and honest about that purpose.
Data must not be used for purposes beyond that covered by the lawful basis (see ‘lawful basis for processing’, below), without consent from the users, a clear basis in law, or a purpose that is compatible with the original purpose.
An internal data processing policy which is accessible to all staff, and which includes details of retention periods, privacy expectations and subject access protocols.
Security measures to ensure that users’ personal data is not compromised.
Notification of personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Affected individuals must also be notified if the breach is likely to result in a high risk to their rights and freedoms.
Creation of a Data Protection Officer role (this applies to public authorities only; SocietyWorks and mySociety are exempt due to the limited extent of their personal data processing).

3. What personal data is collected and shared

When a user submits a report through FixMyStreet or FixMystreet Pro, the following personal data is collected:

The user’s name
The user’s email address
Optionally, the user’s phone number

When a user submits a report or request through WasteWorks, the following personal data is collected:

The user’s name
The user’s email address
The user’s postal address
Optionally, the user’s phone number

SocietyWorks does not handle any payment information via WasteWorks. Payment details are handled by the client’s payment provider, who provides SocietyWorks with an authorisation response to indicate the status of a transaction.

When a user submits a request through FOIWorks, the following personal data is collected:

The user’s name
The user’s email address

4. Who has access to personal data

At SocietyWorks, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of SocietyWorks staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct SocietyWorks team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety causes them to seek advice from the Managing Director (SocietyWorks), Chief Executive (mySociety) or non-executive directors / trustees).

Clients also have access to the admin function of their SocietyWorks product, giving them access to data within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.

5. How the data is used

SocietyWorks only uses users’ personal data for the purpose of sending their report or request to the relevant authority and to send them follow-up emails to ask if their issue has been resolved.

Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, eg. a newsletter list.

6. Joint control arrangement

Where SocietyWorks and the client are independent controllers in relation to the processing of client personal data, each party shall comply with UK GDPR in relation to its processing of client personal data.

Where the parties are joint controllers, the client is the point of contact for data subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise of data subjects of their rights under the UK GDPR. The client shall direct data subjects to its data protection officer or suitable alternative in connection with the exercise of their rights as data subjects and for any enquiries concerning their personal data or privacy.

SocietyWorks and the client acknowledge that a data subject has the right to exercise their legal rights under UK GDPR as against the relevant party as controller.

SocietyWorks and the client shall:

Notify each other promptly on receiving any communication exercising rights under UK GDPR (Data Subject Request) from the data subject.
Provide the other party with the full cooperation and assistance in relation to any Data Subject Request to enable the other party to comply with its obligations in relation to the Data Subject Request and within the relevant timescales set out in UK GDPR.
Not disclose or transfer any internal data to any third party unless necessary for the provision of the services and subject to obtaining any necessary consent; complying with any obligations arising from such a transfer and imposing any obligations on the third party as may be required by UK GDPR.
Ensure that at all times it has in place appropriate measures to guard against unauthorised or unlawful processing of the personal data and/or accidental loss, destruction or damage to the personal data and unauthorised or unlawful disclosure of or access to the personal data.
Take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the personal data and ensure that its personnel:
- are aware of their employer’s duties under this schedule and those in respect of confidential information;
- are informed of the confidential nature of internal data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the internal data to any third party where that party would not be permitted to do so;
- have undergone adequate training in the use, care, protection and handling of personal data as required by UK GDPR

Ensure that it has the capability (whether technological or otherwise), to the extent required by UK GDPR, to provide or correct or delete at the request of a data subject all the personal data relating to that data subject that SocietyWorks holds.
Ensure that it notifies the other party as soon as it becomes aware of an event that results, or may result, in unauthorised access to personal data being processed under this agreement and/or actual or potential loss and/or destruction of any such personal data in breach of this agreement, including any personal data breach.

Each joint controller shall use its reasonable endeavours to assist the other controller to comply with any obligations under UK GDPR.

SocietyWorks and the client shall notify the other party promptly, and in any event within 48 hours, upon becoming aware of any personal data breach or circumstances that are likely to give rise to a personal data breach, providing the other party and its advisors with sufficient information in a timescale which allows the other party to meet any obligations to report a personal data breach under UK GDPR, and all reasonable assistance.

SocietyWorks and the client shall provide all reasonable assistance to the other to prepare any data protection impact assessment as may be required (including provision of detailed information and assessments in relation to processing operations, risks and measures); and maintain full and complete records of all processing carried out in respect of the personal data in connection with the agreement.

In respect of any processing of personal data performed by a third party on behalf of SocietyWorks or the client, that party shall carry out adequate due diligence on such third party to ensure that it is capable of providing the level of protection for the personal data as is required by the agreement and UK GDPR, and provide evidence of such due diligence to the other party where reasonably requested; and ensure that a suitable agreement is in place with the third party as required under UK GDPR.

SocietyWorks and the client agree to cease processing personal data as practicable after it has ceased to be necessary for them to process such personal data for any lawful purpose and in compliance with any data retention terms in their privacy policy.

7. Security

All passwords on our services must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing. SocietyWorks Administrator accounts must adhere to our own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).

SocietyWorks’ services are hosted on mySociety’s scalable, automated and secure server platform that makes use of both public and private cloud infrastructure. All systems are hosted in secure, access-controlled data centres in the UK and Ireland. All data centre operators have ISO27001 certification.7

Every server runs a host based firewall to restrict inbound and outbound access of traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. SocietyWorks maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.

Privileged credentials are only transmitted to SocietyWorks servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.

A summary of our security measures will be maintained on the SocietyWorks website here: https://www.societyworks.org/features/hosted-secure/

8. Lawful basis for processing

SocietyWorks’ lawful basis for processing is legitimate interests – we have an interest in running our problem reporting service for the benefit of the users and for society, and process personal data in a way that has a minimal impact on privacy and in ways they would reasonably expect. We take the submission of data on our services to be consent to the processing of the user’s personal data as described on this page and in the privacy policy.

We clearly state how different types of users’ data (personal and public) will be processed. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.

9. Retention periods

We remove user accounts and anonymise problem reports that have been inactive for a period of two years on FixMyStreet and WasteWorks. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet and WasteWorks.

Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others. Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.

The retention period for FOIWorks requests are as follows: We delete requests and all user’s personal information;

1 week after the request(s) has been successfully submitted or
4 weeks after being entered into the site and the request remains unsubmitted.

10. Research

SocietyWorks and mySociety sometimes share anonymised data with researchers, and sometimes perform their own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category.

11. Client checklist

We advise clients to check the following:

That you have an accessible plain English privacy policy in place and that this is easy for users to find. It is likely that this policy will cover your site as a whole. We can/will link to this from your installation of the service.
Once we have passed users’ data on to an authority, it should be handled according to their own data protection protocols. The authority should have internal data-handling policies which all staff are aware of and may access easily. These should include requirements for security and privacy of data, how to handle subject access requests, retention periods, and limitation of data use (ie using it solely for the purpose for which user consent was given).
You may also wish to include (or link to) instructions on how and when to moderate FixMyStreet reports; plus an email contact for the SocietyWorks team who can assist with any issues that arise.
That the authority has a policy for reporting personal data breaches to the ICO and that staff know how to recognise a breach. In case of any data breach affecting FixMyStreet users, please also report it to SocietyWorks.
That the authority has appointed a Data Protection Officer.

This document has been prepared by the SocietyWorks client team who can be contacted at clientsupport@societyworks.org