Updated 5th June 2018
This page lays out the responsibilities for data protection under the GDPR, both for mySociety and for FixMyStreet Pro clients.
In collecting, publishing, sending and storing the personal data of FixMyStreet users, mySociety is both a data processor and a data controller.
In receiving, processing and storing the personal data of FixMyStreet users, the council is a data processor and data controller.
These roles impose certain responsibilities on both parties under the GDPR which came into force in May 2018.
When a user submits a report through FixMyStreet, the following personal data is collected:
At mySociety, some members of staff have access to this data (see below under Security for details of access control). During any period of time, 1-3 members of mySociety staff may be actively moderating the site. They are trained to protect personal data, not sharing it with anyone outside the direct FixMyStreet team other than in exceptional circumstances (for example, if required by law to hand it over to police; if serious abuse of the site prompts them to escalate to the wider team of developers; or if concerns for a user’s safety causes them to seek advice from the Chief Executive or trustees).
Council clients also have access to the FixMyStreet admin function, giving them access to reports within the council boundaries. The council’s own data protection policies apply when this data is accessed by council employees.
mySociety only use FixMyStreet users’ personal data for the purpose of sending their report to the relevant authority; and to send them follow-up emails to ask if their issue has been fixed.
Client councils should use this data only to action and respond to the reported issue, and should not add it to any other database, eg a newsletter list.
All passwords on FixMyStreet must meet minimum complexity requirements, and login attempts are throttled, mitigating against remote brute-forcing. All passwords are stored in the database encrypted with a one-way bcrypt hash, mitigating against local brute-forcing. mySociety administrator accounts must adhere to mySociety’s own strict security policies, plus have two-factor authentication (whereby a changing code on a device needs to be input in addition to a password in order to log in).
mySociety servers are hosted by Bytemark. Their data centres employ CCTV, 24 hour security and biometric sensors, and their operator is certified to ISO27001:2005. Every mySociety server runs a host based firewall to restrict inbound and outbound access of traffic. All servers and the packages on them are regularly and routinely patched to minimise the potential for vulnerabilities. mySociety maintains a least-permissive access control model to reduce potential cross-contamination of access in the event of a security compromise.
Privileged credentials are only transmitted to mySociety servers via encrypted protocols (HTTPS or SSH). Credentials are only exchanged in person or out-of-band with manual integrity checking.
A summary of our security measures will be maintained on the FixMyStreet Pro website here: https://www.fixmystreet.com/pro/features/hosted-secure/
i) Reports If a user contacts us to ask that a report they have made in the past be removed, in most cases we will offer to anonymise it, removing the personal data from the database, but retaining the report’s content, thus effectively removing any link between the report and the user’s online profile.
We take this course in preference to deleting reports, because we consider them to be important historic data which allows researchers to understand trends in street faults across the country for the lifetime of the site. See below for more details about retention periods.
There are some circumstances in we will unpublish reports: if they are abusive or contain sensitive information. Council staff with the relevant access permissions can also action this, or moderate the report. In such cases the user’s personal data remains in our backend admin. There is also the ability to edit the report, which will remove such data from the backend.
ii) Personal details FixMyStreet is a site on which users must register in order to send a report or make an update. Like most sites offering registration, we retain users’ details until they terminate their account. This allows users to see their entire history of reports under a single log-in.
Therefore we have no policy of scheduled deletion of personal details. On request by users, we will terminate a user’s account.
Users may contact us at any time to ask to see what personal data we hold about them.
We are prepared to handle objections to our processing of personal data. If a user is unsatisfied with our handling of an objection, they have the right to lodge a complaint with the Information Commissioner’s Office.
All FixMyStreet emails allow users to opt out of future communications.
FixMyStreet’s submission form clearly states how different types of users’ data (personal and public) will be processed, and we can make this explicit, both on the page and on the confirmation email. Meanwhile we believe that no active consent is required from the user since, as the ICO says, there is “a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.
Except in exceptional circumstances, we do not delete reports or updates made through FixMyStreet. The ICO states that requests for erasure may be turned down when personal data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes.
Historic FixMyStreet reports provide an invaluable resource for researchers into the quantity and type of street problems made across the UK during the years the site has been running. This research can help inform civic planners, developers, coders, historians and social scientists, among others.
Therefore, if a user asks for a report to be removed, in most cases we will instead invite them to anonymise it (which they can do themselves when logged in to the site), so that there is no personal data present, or public connection between the content and the user’s name.
mySociety sometimes shares anonymised data with researchers, and sometimes performs its own research on data generated by our websites. In the case of reports sent through FixMyStreet, this data will never include the user’s name, address, email address or any other identifying information. Data is only looked at in aggregate, for example to see how many reports were made in a specific area or within a specific category.
We advise clients to check the following:
This document has been prepared by the FixMyStreet client team who can be contacted at firstname.lastname@example.org