Updated 7 May 2020
This page lays out the responsibilities for data protection under the GDPR, both for mySociety and for FixMyStreet Pro clients.
These roles impose certain responsibilities on both parties under the GDPR, which came into force in May 2018.
There are two possible methods for a member of the public to report a street fault to the client via the FixMyStreet platform. The route chosen results in different data controller and data processor arrangements between mySociety and the client.
If a member of the public reports a fault via the client’s branded FixMyStreet Pro service, mySociety are acting as a data processor for the client. In this instance the client is then the sole data controller. The G-Cloud call-off contract and Schedule 7 describe the data controller / data processor roles and responsibilities in detail.
If a member of the public goes directly to the national FixMyStreet site and reports a fault the client is responsible for, mySociety will be considered the data controller for this processing. In accordance with the stated terms of the service mySociety will transfer the fault report to the client, but this transfer takes place as a data controller to data controller transfer.
When a user submits a report through FixMyStreet, the following personal data is collected:
At mySociety, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of mySociety staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct FixMyStreet team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety cause them to seek advice from the Chief Executive or trustees).
Clients also have access to the FixMyStreet admin function, giving them access to reports within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.
mySociety use FixMyStreet users’ personal data only for the purpose of sending their report to the relevant authority, and to send them follow-up emails to ask if their issue has been fixed.
Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, e.g. a newsletter list.
All passwords on FixMyStreet must meet minimum complexity requirements, and login attempts are throttled, which mitigates remote brute-forcing. All passwords are stored in the database as a one-way bcrypt hash, which mitigates local brute-forcing. mySociety administrator accounts must adhere to mySociety’s own strict security policies, and must also use two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).
mySociety servers are hosted by Bytemark. Their data centres employ CCTV, 24-hour security and biometric sensors, and their operator is certified to ISO27001:2005. Every mySociety server runs a host-based firewall to restrict inbound and outbound traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. mySociety maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.
Privileged credentials are only transmitted to mySociety servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.
A summary of our security measures will be maintained on the FixMyStreet Pro website here: https://www.fixmystreet.com/pro/features/hosted-secure/
FixMyStreet’s submission form clearly states how different types of users’ data (personal and public) will be processed, and we can make this explicit, both on the page and on the confirmation email. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.
We remove user accounts and anonymise problem reports that have been inactive for a period of two years. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet. The ICO states that requests for erasure may be turned down when personal data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes.
Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others.
Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.
mySociety sometimes shares anonymised data with researchers, and sometimes performs its own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category.
We advise clients to check the following:
This document has been prepared by the FixMyStreet client team who can be contacted at firstname.lastname@example.org