Version 1
Effective Date: 8th June 2018
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
VATSIM refers to the organisation at https://www.vatsim.net/. VATSIM UK refers to the organisation at https://www.vatsim.uk/.
This policy has been put in place to achieve the following aims:
VATSIM UK collects a range of personal data on members, both provided by the members directly and from third parties.
While a member is using VATSIM UK services, or when they request to join the VATSIM UK division, data is transmitted from VATSIM centrally to VATSIM UK for the purpose of ensuring the efficient functioning of our services and to provide the requested user experience. This data includes:
Whilst using our services, additional data is collected from and about you. This allows us to provide the efficient functioning of our services and to provide the requested user experience. This data includes:
Communication platforms, including our forum, have the functionality to receive any data in the form of free text. Any personal data willingly submitted here by individuals (e.g. personal data such as telephone numbers or addresses) will be retained and stored, even if removed from public view. This data is then only available to a limited number of authorised individuals.
VATSIM UK has an unequivocal commitment to:
Key risks are detailed in Section 4.5 of this document.
Overall responsibility for ensuring data protection and overall compliance with the relevant standards and legislation rests collectively with the VATSIM UK Division Staff Group (DSG).
The appointed Data Protection Officer is listed on the VATSIM UK staff page here: https://vatsim.uk/staff.
Several members of the DSG have specific responsibilities to oversee others accessing personal data collected by VATSIM:
Other members of the DSG may from time to time be tasked with specific responsibilities pertaining to the control and storage of data.
All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work within VATSIM UK, as detailed in this policy. VATSIM UK expects the highest standard of probity of all staff at all levels. No access to data can take place unless there is a valid network-related reason for such access.
VATSIM UK has a zero-tolerance policy towards inappropriate access to data stored within our systems. Any such access will result in the individual concerned being prohibited from having further access until such a time that the risk to personal data has been suitably mitigated.
This section applies to all servers belonging to or donated to the VATSIM UK division, including, but not limited to, data servers, statistics servers and web servers.
VATSIM UK operates on a segmented security approach, where only the access required to complete a required job is granted (with approval from members holding the status of “Privileged Access”).
VATSIM UK employs access monitoring systems to ensure that access is not being abused and can be traced back to a specific individual.
VATSIM UK employs standard methods of encryption to safeguard data, such as TLS encryption for accessing data via a web browser. VATSIM UK also implements additional change-audit scripts and monitors to provide visibility into server activity.
IP address-based and asymmetric-key-based security settings are used to allow server access only to authorised users or servers.
Passwords (excluding your network password which is never passed to VATSIM UK) are stored as salted hashes, preventing them from being viewed in plain text. This includes your secondary password for Core, if set.
In order to ensure business continuity, VATSIM UK retains data backups of relevant systems to ensure a speedy recovery of impacted systems while maintaining data integrity and security.
These backups are encrypted, and access is granted only to authorised individuals.
The main specific risks to the security of data are:
Mitigation of the first two risks is firstly by screening all individuals before granting access and secondly by encouraging members who have a higher level of access to adhere to good security practices on their personal systems. The last risk is mitigated by access logging and by reverting changes made by those who misuse access.
The majority of membership data is passed to VATSIM UK by VATSIM. As such, we assume that this data is accurate. Where it is not, we facilitate the rectification of this, as set out in section 8 of this policy.
A VATSIM member may request an update of his/her retained information by making a request in writing to [email protected].
Data is stored in standard file systems and databases. Access to these systems is controlled by secure direct access to the controlling machine or application, or via a secure web interface. Access is further controlled and protected against unauthorised access using standard measures, such as role-based access control.
VATSIM UK is bound by the retention periods of VATSIM, set out in their Data Protection and Handling Policy. Requests for erasure can be processed by VATSIM UK but may need escalating to VATSIM in order to fulfil the entirety of the request.
VATSIM UK does not archive any data to other servers at this point in time for long-term storage. Data is either maintained within the production environment and backed up as per section 4.4, or deleted entirely.
VATSIM UK is committed to ensuring all members are aware of what data is collected and why we do so.
As outlined in the statement of legitimate interests within the VATSIM UK Privacy Policy, data is collected for the purpose of ensuring the provision and smooth operation of the VATSIM UK division, so that members can jointly enjoy the simulated aviation environment it provides.
Data may be transferred to other organisations affiliated with, or associated with, the division to provide services to enhance and extend the simulated aviation environment. Who we transfer data to is covered within the VATSIM UK Privacy Policy. Where it is not covered, we will seek your permission to pass on personally identifiable data before doing so.
Details on how to exercise rights in relation to the data held are set out in the relevant sections of this policy.
All staff within VATSIM UK are responsible for the data they access at all times. The various departments most closely associated with members' data are the Web Services Department and Division Staff Group.
Where staff are required to use data for statistical and management purposes, anonymous aggregated or pseudonymised data will be used where possible.
Requests for personal data under the Right of Access are the responsibility of the appointed Data Protection Officer and their team. Such requests are required to be complied with within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSIM UK, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
Right of access requests must be sent via email to [email protected].
If staff at a lower level receive anything that might reasonably be construed to be a request for access, they have a responsibility to pass this to the appointed Data Protection Officer, as defined in section 3.2.
Where the person managing the access procedure does not know the individual personally, the individual's identity will be verified before handing over any information.
VATSIM UK will not charge any fee for processing or providing data for requests under the Right of Access.
The appointed Data Protection Officer is responsible for handling requests under the Right of Access provisions.
Requests will be made via [email protected].
Only the member's own personal data will be shared with the member. Other individuals’ personal data will be redacted.
Accurate data is in the best interests of both the network and the membership. The appointed Data Protection Officer is responsible for the management of such requests.
Right of rectification requests should be made to [email protected].
If staff at a lower level receive anything that might reasonably be construed to be a request for rectification, they have a responsibility to direct the member to the above email address.
VATSIM UK will not charge any fee for requests under the Right of Rectification.
VATSIM UK asserts that it has a legitimate interest in collecting and storing the personal data outlined above. The reasons for this claim are:
VATSIM UK is a voluntary community promoting flight simulations and virtual air traffic control, and all members seeking to join have an obvious interest in such activities.
The data collected is the minimum required to allow for the smooth and optimal running of the division, solely for the enjoyment of its members.
The data is necessary to allow VATSIM UK staff to properly manage the division, both in day-to-day operations and in circumstances where one or more members act in a manner contrary to the rules and regulations that govern the division.
VATSIM UK relies on VATSIM to ensure that parental consent is collected from users unable to provide their own consent (because they fall below the minimum age to do so, as defined under the GDPR or other local regulations).
VATSIM UK acknowledges its responsibility to inform VATSIM of any members that may be below this age and that are actively participating on the network without suitable consent.
Notwithstanding VATSIM UK’s claim of legitimate interest, members may object to this claim and/or request that VATSIM UK cease processing of a member’s personal data. These two rights are known as the Right to Object, and the Right to Restrict Processing.
Members must be aware that if they choose to exercise either of these rights, VATSIM UK is obliged to lock their accounts in order to comply with their wishes, and their request may be referred to VATSIM to take the appropriate action for their network account too.
While a notification of an objection to VATSIM UK’s claim of legitimate interest, or a request to suspend processing, may be made at any time, such claims may not be made retrospectively.
Requests for deletion of personal data under the Right of Erasure are the responsibility of the appointed Data Protection Officer and their team. Such requests are required to be complied with within one calendar month of the request being received.
If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSIM UK, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
The appointed Data Protection Officer is responsible for handling requests under the Right of Erasure provisions.
Requests will be made via [email protected].
If staff at a lower level receive anything that might reasonably be construed to be a request for erasure, they have a responsibility to pass this to the appointed Data Protection Officer without delay.
Where the person managing the erasure procedure does not know the individual personally, the individual's identity will be verified before handing over any information.
VATSIM UK will not charge any fee for deleting data under the Right of Erasure.
VATSIM UK shall evaluate all requests for erasure. VATSIM UK reserves the right to retain any data where it believes it is in its legitimate interest to do so, or where the data is required to establish, exercise or defend any legal claims.
All staff who have access to any kind of personal data should have their responsibilities outlined during their induction procedures. Formal guidance on data access and use of this data is explained within their induction.
Opportunities to raise Data Protection issues shall be provided, including, but not limited to, during staff training, team meetings and supervisions.
All staff within the division are required to agree to the relevant policies, as outlined within the VATSIM UK Privacy Policy.
The responsibility for review of this policy rests with the nominated Data Protection Officer, as defined in section 3.2 of this policy.
At a minimum this review shall require:
In order for the required review to be completed by the required date (24 May 2021) such consultation shall commence no later than 24 Nov 2020.