FixMyStreet Pro Data Sharing and Security agreement

Updated 7 May 2020

This page lays out the responsibilities for data protection under the GDPR, both for mySociety and for FixMyStreet Pro clients.

1. Roles

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Processing, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including —

  1. organisation, adaptation or alteration of the information or data,
  2. retrieval, consultation or use of the information or data,
  3. disclosure of the information or data by transmission, dissemination or otherwise making available, or
  4. alignment, combination, blocking, erasure or destruction of the information or data.

Source: ico.org.uk


These roles impose certain responsibilities on both parties under the GDPR which came into force in May 2018.

There are two possible methods for a member of the public to report a street fault to the client via the FixMyStreet platform. The route chosen results in different data controller and data processor arrangements between mySociety and the client.

If a member of the public reports a fault via the client’s branded FixMyStreet Pro service, mySociety are acting as a data processor for the client. In this instance the client is then the sole data controller. The G-Cloud call-off contract and Schedule 7 describe the data controller / data processor roles and responsibilities in detail.

If a member of the public goes directly to the national FixMyStreet site and reports a fault the client is responsible for, mySociety will be considered the data controller for this processing. In accordance with the stated terms of the service mySociety will transfer the fault report to the client, but this transfer takes place as a data controller to data controller transfer.

2. Data Controller responsibilities

3. What personal data is collected and shared

When a user submits a report through FixMyStreet, the following personal data is collected:

4. Who has access to personal data

At mySociety, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of mySociety staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct FixMyStreet team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety cause them to seek advice from the Chief Executive or trustees).

Clients also have access to the FixMyStreet admin function, giving them access to reports within their own boundaries. The authority’s own data protection policies apply when this data is accessed by their employees.

5. How the data is used

mySociety only use FixMyStreet users’ personal data for the purpose of sending their report to the relevant authority; and to send them follow-up emails to ask if their issue has been fixed.

Clients should use this data only to action and respond to the reported issue, and should not add it to any other database, e.g. a newsletter list.

6. Security

All passwords on FixMyStreet must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing. mySociety administrator accounts must adhere to mySociety’s own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).

mySociety servers are hosted by Bytemark. Their data centres employ CCTV, 24-hour security and biometric sensors, and their operator is certified to ISO27001:2005. Every mySociety server runs a host-based firewall to restrict inbound and outbound traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. mySociety maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.

Privileged credentials are only transmitted to mySociety servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.

A summary of our security measures will be maintained on the FixMyStreet Pro website here: https://www.fixmystreet.com/pro/features/hosted-secure/

7. Lawful basis for processing

mySociety’s lawful basis for processing is legitimate interests – we have an interest in running our problem reporting service for the benefit of the users and for society, and process personal data in a way that has a minimal impact on privacy and in ways they would reasonably expect. We take the submission of a report on FixMyStreet to be consent to the processing of the user’s personal data as described on this page and in the privacy policy.

FixMyStreet’s submission form clearly states how different types of users’ data (personal and public) will be processed, and we can make this explicit, both on the page and on the confirmation email. We believe that no other active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.

8. Retention periods

We remove user accounts and anonymise problem reports that have been inactive for a period of two years. Except in exceptional circumstances, we do not delete problem reports or updates made through FixMyStreet. The ICO states that requests for erasure may be turned down when personal data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes.

Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others.

Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.

10. Research

mySociety sometimes shares anonymised data with researchers, and sometimes performs its own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category.

11. Client checklist

We advise clients to check the following:

This document has been prepared by the FixMyStreet client team who can be contacted at clientsupport@fixmystreet.com