The AMCS board requests that all types of AMCS members review this page annually.
Always report data security issues to the AMCS board as soon as possible so that any action needed can be taken quickly (firstname.lastname@example.org).
AMCS has a number of systems that hold data and accordingly provides resources and measures to ensure that data is handled lawfully in accordance with the General Data Protection Regulations (GDPR) in the EU and UK. The need to provide such resources and measures is written into the AMCS constitution (Subsection 20).
AMCS systems have been set up to be GDPR compliant. The four main systems where AMCS data may be stored and/or processed are:
- The AMCS websites (securely hosted in the EEA and UK for GDPR compliance).
- The AMCS file system (securely hosted in the EEA and UK for GDPR compliance).
- The AMCS communication platform/workspace (securely hosted in the EEA and UK for GDPR compliance).
- The AMCS email accounts (securely hosted in the EEA and UK for GDPR compliance).
In principle there could be other systems where some AMCS data may be stored and/or processed, including:
- Cloud-based service providers such as Doodle Poll, Survey Monkey and members’ own email accounts. These are often hosted outside the EEA and UK, so they are only ever to be used where little personal data is involved and never for “special category” personal data (see below).
- Bring Your Own Device (BYOD). AMCS members may sometimes have AMCS files on their own devices, but this should not include databases, spreadsheets or any other kind of file that systematically stores personal data, and “special category” personal data should never be stored on a personal device.
The AMCS board should be notified if AMCS data is being stored or processed in a way not listed above.
The following information is provided to help all types of AMCS members handle data responsibly, whether they are busy members of the AMCS or minimal users of AMCS services. The AMCS board has the authority to close accounts and remove services from any type of AMCS member if data is not being handled responsibly. Subsections 6 and 7 of the AMCS constitution give the board, in exceptional circumstances, the power to remove membership of the AMCS if needed.
AMCS resources and measures for lawful data handling
- The AMCS privacy notice (this is for anyone wanting to know about AMCS use of data in accordance with the General Data Protection Regulations).
- The AMCS GDPR and data security training page (this is the document you are reading and is for all types of AMCS members to ensure they are aware of their responsibilities regarding data privacy and security).
- The AMCS data principles; Subsection 20 of the AMCS constitution states the following principles for the board to follow:
  - AMCS data is to be held securely.
  - The GDPR regulations are to be observed.
  - AMCS data is to be backed up to prevent data loss.
  - AMCS is to avoid holding members’ financial details whenever possible.
Training for all types of AMCS membership
Please read the following GDPR and data security training information.
The need to protect information
We all have an obligation to protect personal information. Individuals trust us to keep their personal information safe and to use it properly. We also have to meet legal obligations such as GDPR as well as terms of contracts in place with other organisations such as collaborators, funders or data providers.
Failure to protect information could lead to AMCS being fined, to reputational damage and to problems in securing future funding.
Protecting against threats
Information ending up in the wrong hands can be due to someone making a mistake or due to threats from scammers and hackers working for criminal gangs or even hostile state actors looking for academic intellectual property. We each therefore have a responsibility to keep information secure.
Data privacy and the law
It’s important for AMCS members to have an understanding of the data protection rules. These include the General Data Protection Regulations (GDPR), but there are also other relevant rules such as the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) in the UK, which, for example, prohibit automated cold calling. These all apply to personal information.
Different types of personal information include:
- Membership number.
- IP address.
- Home address.
- Phone number.
- Email address.
Extra care is needed when handling what is called “special category” personal information which includes:
- Health and disability data.
- Race and ethnicity.
- Political opinions.
- Religious and philosophical beliefs.
- Trade union membership.
- Genetic information.
- Sexual orientation.
- Biometric data.
The rules apply to what is called the data controller (which in our case is the AMCS and all its members who handle AMCS data) and the data processors (which for us are any organisation which AMCS uses to store and process its data such as a web hosting company or cloud storage provider).
Data processing includes:
- Collecting data.
- Analysing data.
- Looking up data.
- Filing and storing data.
- Applying an algorithm to a set of data.
- Entering data into a system such as a spreadsheet or database.
- Querying a database.
- Keeping a mailing list.
Every EU country, and also the UK, has an authority such as the Information Commissioner’s Office (ICO). Such authorities can fine organisations for breaching data protection rules. Organisations need to provide points of contact internally to support data protection. In our case the AMCS board provides this support and training to AMCS members.
The main GDPR principles for good data handling are:
- Data must be processed lawfully, fairly, securely and in a transparent way. There must be a lawful reason for processing someone’s data and we must be open and honest about what we are using data for.
- We should not collect more data than is needed for the purpose for which it is being collected.
- The data should be accurate and, if needed, kept up to date.
- Data should not be kept longer than is needed and should be deleted when no longer needed.
- Providers of data should be asked before any data is used for an alternative purpose to what it was collected for and also if the data is to be kept longer than was originally stated.
- Processing must only be undertaken in a secure and accountable way.
Note that avoiding the collection of sensitive data in the first place is the best way to avoid significant GDPR violations.
Individuals also have rights over their data. See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/. All requests to AMCS under these rights should be forwarded to the AMCS board (email@example.com).
Accessing and sharing information
AMCS members need to ensure they use strong passwords for accessing any of the AMCS systems including email. The best way to create a strong password is for it to be long and rather obscure and yet something you remember. Never share your passwords with anyone and be careful not to fall for scammers.
In undertaking the lawful processing of data there can be the need to share information with a colleague also working on processing the data. When sharing information always take care. In particular:
- Use the right tools for the work.
- Make sure you are only sharing the information with the person you are intending to share it with.
- Avoid sharing more information than is needed.
- Encrypt files before sending when there is any risk of a third party seeing the data, e.g. email attachments are not usually secure.
- Check security and privacy policies before sharing data.
The most common type of data breach is accidentally sharing something by email. For example:
- Accidentally disclosing people’s email addresses when sending an announcement. Remember to always use bcc rather than exposing everyone’s email addresses on a circular.
- Accidentally pressing “reply all” rather than just “reply” when sending some data.
- Accidentally sending an email with a long email trail which, some way down, includes personal information that the recipient does not need to see.
- Accidentally attaching a data file without encryption.
Always check your emails for personal data issues before pressing send. If you think you may have shared personal data with someone you should not have then you must let the AMCS board know (firstname.lastname@example.org). The AMCS board will notify the authority if needed.
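The “check before pressing send” step above can be partly automated. The following is an added example (it is not an AMCS tool or part of this page) of a pre-send check over an outgoing message: it flags many addresses visible in To/Cc instead of Bcc, contact details left in a quoted email trail, and attachments that are not in an encrypted container. The recipient threshold, the regular expressions, the list of suffixes treated as encrypted and the two sample messages are all assumptions constructed for the example; the “encrypted” zip is a stand-in whose headers carry the zip encryption flag, not a genuinely encrypted archive.

```python
"""Pre-send check for an outgoing announcement email (example code, not an AMCS tool).

Flags the breach patterns described above: addresses visible in To/Cc, contact
details buried in a quoted trail, and unencrypted attachments.
"""
import io
import re
import zipfile
from email.message import EmailMessage

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d ]{8,}\d")        # crude: a run of 10+ digits/spaces (assumption)
VISIBLE_RECIPIENT_LIMIT = 5                        # assumed threshold for "this is a circular"
ENCRYPTED_SUFFIXES = (".gpg", ".pgp", ".age")      # assumed to be encrypted containers


def is_encrypted_zip(data: bytes) -> bool:
    """True when every entry in the zip carries the 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return bool(infos) and all(info.flag_bits & 0x1 for info in infos)


def check_outgoing(msg: EmailMessage) -> list[str]:
    """Return a list of findings; an empty list means nothing was spotted."""
    findings = []

    # 1. Circulars: everyone listed in To/Cc sees everyone else's address.
    visible = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            visible.extend(EMAIL_RE.findall(str(value)))
    if len(visible) > VISIBLE_RECIPIENT_LIMIT:
        findings.append(f"{len(visible)} addresses visible in To/Cc; use Bcc for circulars")

    # 2. Quoted trail ('>' lines) that still carries someone's contact details.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    quoted = "\n".join(line[1:] for line in text.splitlines() if line.startswith(">"))
    if EMAIL_RE.search(quoted) or PHONE_RE.search(quoted):
        findings.append("quoted email trail contains contact details; trim it before sending")

    # 3. Attachments: only encrypted containers should leave by email.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(ENCRYPTED_SUFFIXES) or (name.endswith(".zip") and is_encrypted_zip(payload)):
            continue
        findings.append(f"attachment {name!r} is not encrypted")
    return findings


# --- constructed sample data (not real messages or members) -----------------

def make_zip(entry_name: str, content: bytes, encrypted_flag: bool = False) -> bytes:
    """Build a small zip. With encrypted_flag=True the headers are marked as a
    password-protected archive would be; the content itself is NOT encrypted.
    This is a stand-in so the example runs without a zip-encryption library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, content)
    raw = bytearray(buf.getvalue())
    if encrypted_flag:
        raw[raw.find(b"PK\x03\x04") + 6] |= 0x1   # local file header: flags field
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x1   # central directory: flags field
    return bytes(raw)


def build_message(recipients, recipient_header="To", trail="", attachment=None) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "secretary@example.org"
    msg[recipient_header] = ", ".join(recipients)
    msg["Subject"] = "Annual meeting"
    msg.set_content("Dear all,\n\nPlease see the attached agenda.\n\n" + trail)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg


def careless_message() -> EmailMessage:
    """Eight members in To, a quoted trail with contact details, plain zip."""
    members = [f"member{i}@example.net" for i in range(8)]
    trail = "> From: Jane Doe <jane.doe@example.net>\n> Phone: +44 1234 567890\n> Can you add me to the list?"
    return build_message(members, "To", trail, ("members.zip", make_zip("members.csv", b"name,email\n")))


def careful_message() -> EmailMessage:
    """Same members in Bcc, no trail, attachment marked as encrypted."""
    members = [f"member{i}@example.net" for i in range(8)]
    return build_message(members, "Bcc", "", ("members.zip", make_zip("members.csv", b"name,email\n", True)))


if __name__ == "__main__":
    for label, message in (("careless", careless_message()), ("careful", careful_message())):
        print(label, check_outgoing(message) or "no issues")
```

Running the block prints three findings for the careless message and “no issues” for the careful one. The checks are deliberately conservative heuristics: they cannot tell whether an attachment’s content is genuinely encrypted, so a finding is a prompt to look again before sending, not a guarantee either way.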
By becoming any kind of AMCS member you agree to use AMCS systems in a responsible way. Please:
- Respect copyright.
- Do not transmit offensive material or deliberately misleading information.
- Do not try to access (“hack”) systems that you have not been given permission to access.
- Do not post or send emails that harass or deliberately harm others.
- Do not deliberately misrepresent the AMCS internally or externally.
The AMCS communication platform/workspace and social media in general
Be careful when using social media since you may be seen as an AMCS representative even in your leisure time.
Particular care must be taken when using the AMCS communication platform. Channels can have a long history and can be accessible to a large number of users of the platform. Take care not to disclose personal information on the platform particularly special category information. This can be easy to do such as mentioning that someone is recovering from a significant health problem. Unless the person has consented to this information being disclosed, this is a data breach.
AMCS is an international association with members in many countries working in different situations, for example at home, in the office or on the train. Leaving your device unlocked can lead to data breaches and scam emails even if your device isn’t stolen.
- If at the office, always lock your device when not at your workstation.
- Make sure that portable devices such as laptops and smart phones have a lock set up.
- Never leave portable devices unattended in public.
- Be careful not to use unsecured public Wi-Fi when sending data, and encrypt files before sending them.
- Do NOT use an internet cafe computer to access AMCS systems since it might have key logging set up on it.
- If you use your smart phone for AMCS work then look into setting up remote wipe so that you can wipe the device remotely if it ever gets stolen.
- Remember, anything important or involving systematic personal data and particularly any special category information should only be on the AMCS GDPR compliant systems and NOT on personal devices.
Phishing and malware
Be aware of phishing emails. If you are ever asked by email or over the phone to log in to an AMCS system then always go to that system in the normal way instead of clicking on an email link or giving login details over the phone. If ever in doubt about whether an AMCS communication is genuine simply contact the AMCS board (email@example.com).
Also be careful when installing freeware on your computer. Always check it is trusted before downloading, since it could contain malware such as a key logger. Always make sure your devices have good quality antivirus and anti-malware software installed.
Always let the AMCS board know of anything suspicious so that they can warn other AMCS members and, if needed, suspend accounts whilst security is reasserted (firstname.lastname@example.org).
Never trust a sender’s name or email address in the “from” field in an email. You can always look up the sender’s email address and ask them whether they sent an email you are not sure about. Never click a link or open an attachment on an email you don’t completely trust.
Bring your own device (BYOD)
AMCS is an international association and is largely decentralised. This means its members will be using devices not provided by AMCS to access AMCS systems. Using your own devices is very useful but also brings risks. Here are measures to take to minimise these risks:
- Use a supported operating system and web browser.
- Install all security updates to your operating system, web browser and other software.
- Install anti-virus software and use a device firewall; keep both updated and schedule regular scans.
- Never install pirated software or open attachments from sources you don’t know or trust.
- Schedule regular backups of all your files.
- Use different device accounts for different users of the same device.
- Use a strong password for locking your device and lock it when unattended.
- Don’t share USB devices.
- Consider encrypting your laptop or other portable device.
- Set up a remote wipe facility on your device if it is used in public places.
- Always minimise storage of sensitive information on your device, since if the data isn’t there to start with, it can’t end up in the wrong hands.
Consumer services such as Dropbox, Google Drive, Doodle Poll, SurveyMonkey and EventBrite are very useful but there are GDPR compliance issues with these services. In particular, such services should NOT be used for:
- Confidential data.
- Large volumes of personal data.
- Any amount of sensitive (special category) personal data.
Always report issues to the AMCS board as soon as possible so that any action needed can be taken quickly (email@example.com). This may prevent a data breach and AMCS being fined.
Thank you for looking over this training page. The AMCS board.