The European Union's General Data Protection Regulation (GDPR) is a legal framework around data protection which came into force on 25 May 2018 and applies to any organisation that offers products or services to EU data subjects.
We have an article which explains how Delib products comply with the GDPR.
This article brings together FAQs which go into more detail about how our products can help you to manage the personal information you are collecting and storing within them.
We will add to this article as new questions and answers come in. If you have a question that isn't covered below, or a suggestion that you would like to share, please contact us on firstname.lastname@example.org.
FAQs - All products
Q: Do Delib’s products collect IP addresses? Why?
A: All of our products automatically collect the internet protocol (IP) addresses of each visitor to your site. This is specifically for the purpose of detecting and responding to security incidents (such as denial-of-service attacks). This data is stored securely in Delib’s logs.
The collection of IP addresses for this operational purpose is covered by Recital 49 of the General Data Protection Regulation (GDPR):
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
This data belongs to you, the customer organisation. Though it’s not available to access via your site, we can of course share it with you on request.
Separately, Citizen Space also collects the IP address of each person who starts a response. This data is collected to help protect the integrity of your response data by providing potentially useful evidence should you suspect a deliberate attempt to skew the results via multiple submissions. Please note that multiple submissions from an individual IP address or particular address range are not necessarily indicative of suspicious activity, since IP addresses can be shared across families, organisations and users of publicly accessible devices (for example a library computer). However it can often serve as useful supporting evidence when investigating suspicious behaviour.
This data is stored securely within Citizen Space and automatically shared with you, the customer organisation and data owner, as part of your response data — you will see it in one of the later columns when you export all of your responses in a spreadsheet, or towards the bottom of the data when you view or download an individual response.
Collection of IP addresses for this purpose can be switched off, so you have the option to disable it if you definitely don't want them collected and included in your data exports. If you would like this disabled on your Citizen Space site, please contact us via our support email address.
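As an added illustration (not Delib's code or part of this article), the following script shows how an analyst might use the per-response IP address from a response export to find the clusters of submissions described above. It assumes the export has been saved as CSV with an `ip_address` column (a constructed column name; the real export is a spreadsheet with many more columns), and it groups both by exact address and by /24 range because, as the article notes, a shared address or a small range is only supporting evidence, never proof of abuse.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape of a "Download all responses" export,
# reduced to the columns this example needs. Values are made up.
SAMPLE_EXPORT = """response_id,submitted_at,ip_address
1,2018-06-01T09:12:00,203.0.113.10
2,2018-06-01T09:13:30,203.0.113.10
3,2018-06-01T09:14:05,203.0.113.10
4,2018-06-01T10:02:00,198.51.100.7
5,2018-06-01T10:40:00,203.0.113.22
6,2018-06-01T11:15:00,not-an-ip
"""


def load_responses(csv_text):
    """Parse export rows, keeping only those whose IP column is a valid address."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["ip"] = ipaddress.ip_address(row["ip_address"].strip())
        except ValueError:
            continue  # blank or garbled IP: nothing to group on
        rows.append(row)
    return rows


def cluster_by_address(rows, threshold=3):
    """Map each IP with at least `threshold` responses to its response ids."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[str(row["ip"])].append(row["response_id"])
    return {ip: ids for ip, ids in by_ip.items() if len(ids) >= threshold}


def cluster_by_range(rows, prefixlen=24, threshold=3):
    """Same grouping per IPv4 /prefixlen, to catch submissions from a small range."""
    by_net = defaultdict(list)
    for row in rows:
        if row["ip"].version != 4:
            continue
        net = ipaddress.ip_network(f"{row['ip']}/{prefixlen}", strict=False)
        by_net[str(net)].append(row["response_id"])
    return {net: ids for net, ids in by_net.items() if len(ids) >= threshold}


if __name__ == "__main__":
    responses = load_responses(SAMPLE_EXPORT)
    # Clusters are a prompt for a human review, not a verdict: libraries,
    # offices and households legitimately share addresses and ranges.
    print(cluster_by_address(responses))
    print(cluster_by_range(responses))
```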
FAQs — Citizen Space
Q: I understand that we need to reference privacy information at the start of each activity before respondents submit any response and also at the end of the activity (under right to be informed). Is there a way in which we can automatically include our privacy information at the beginning and end of every activity we create on Citizen Space, so that no activity can be published without this?
A: There isn't a way to automatically include the privacy information at the beginning of each activity (on the overview page, for example). That said, your Citizen Space-wide privacy notice is editable by you, and a link to it appears at the bottom of every page as respondents move through a survey. Here is an article about how to edit your Citizen Space Privacy notice.
You can also edit the Online survey 'confirm submit' page; any privacy information you add there is shown automatically for every activity created on your site. Information about how to edit that page can be found here.
You may choose to have a standard privacy notice that you ask all admins to include in their Overview pages. The benefit of having a short sentence to copy into the Overview page is that it can be added in 'Edit Activity Details' at any time without having to retract a survey, so if you do wish to add privacy information in the overview, it can be done at any point.
A number of customers already use a template survey that all users clone, as a way to ensure that standard questions are always included (for example demographics questions). We think this is an excellent idea, and suggest that if you will be adding a GDPR information/consent question, this could be added to the template, which will ensure it is included when users start their activity build process by cloning the template.
Q: Do I need a consent question at the start of every activity? If so, what should my consent question include?
A: You should get support and legal advice from your own organisation. This excellent article about consent from the ICO is well worth a read and should help you to decide if a consent question is required or not.
It is likely that a proportion of work carried out on Citizen Space would be classed as a 'public task', which would be a more appropriate basis for processing than requesting consent.
This excellent article about 'public task' from the ICO contains the following information:
Article 6(1)(e) gives you a lawful basis for processing where:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
This can apply if you are either:
- carrying out a specific task in the public interest which is laid down by law; or
- exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.
The same ICO article also states:
"Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of public task."
If you do decide that a consent question is necessary, Site Administrators can add this as a saved question, or a template activity could be created for cloning as detailed in the question above.
The 'public task' basis for processing data would not also cover the use of that data for other purposes, for example if you wished to use personal data submitted to an activity to contact respondents about issues unrelated to that activity. In that instance, consent would need to be requested for the additional processing purposes.
GDPR (Section 7) states that withdrawing consent should be as easy as giving it, at any time. With this in mind, we recommend making it clear to respondents what the process is for contacting you should they wish to have their data removed (the right to erasure/to be forgotten).
Q: I understand that if a respondent asks to be 'forgotten' we need to remove their details from our databases, but we are unsure how to remove them from the records held on Citizen Space in order to be compliant?
A: Citizen Space allows users to remove responses from analysis but does not enable users to fully delete individual responses. This is by design to protect against mistakes resulting in data loss, and to defend against any real or perceived concern that individual responses can be tampered with.
Erasure is achievable in Citizen Space, but there are certain elements to consider. For some types of activity, public sector organisations may be acting in the public interest, exercising official authority, and may also be exercising or defending legal claims (judicial review for example), which limit the right to erasure; whereas other activities may not meet these criteria. You should seek your own legal advice or consult with those handling GDPR compliance at your organisation for more on this in your particular circumstance.
It is possible for customers to delete an entire activity and all of its associated response data.
However, if a respondent requests that their data be 'forgotten', Delib is able to permanently erase part or all of an individual response on the customer's behalf, given a clear written instruction.
In this situation we recommend that you contact us with details of the request at email@example.com (for compliance purposes we require erasure requests in writing) and an Account Manager will be in contact to discuss the best solution depending on the specific circumstances.
Q: Can you let me know how long the response data for any activity is stored on the site?
A: The response data for any activity is stored on your Citizen Space indefinitely, or until you delete the activity, or end your Citizen Space subscription.
Many organisations have a data management policy that requires the deletion of response data after a set time (for some customers this is 2 years, for others it is 5 years).
In March 2018 we released a new optional feature called 'Activity completion', which allows an activity owner to indicate that they have finished working with the data and all work on that activity is complete. When switched on, this tool appears on the dashboard. This feature was requested by the Scottish Government and is designed to help administrators from all organisations manage data retention periods. Because the date on which all work was completed is logged, your organisation has a record of how long it has been holding the data, which makes it easier to keep in line with data protection guidelines and to delete data once it has reached its retention limit.
If you would like the 'activity completion' feature switched on for your site, please contact your Account Manager who will do it for you.
Q: If an individual completes an activity, but doesn't leave an email address or any other information which would make them identifiable, could their response be exempt from GDPR?
A: No responses are exempt from GDPR. Citizen Space collects an IP address with every response, and IP addresses count as personal data, so they should be treated in the same way as all other personal information for the purposes of GDPR. The IP address for each response is available in the 'Download all responses' xlsx export. This means any response to an online survey includes personal data under the terms of GDPR, even if no question specifically asks for identifiable information.
Importantly, it is also worth bearing in mind that if there are any free text questions, a respondent may have also included personal data within any answer, regardless of whether the question asks for it or not.
Q: Does Citizen Space have the functionality to bulk delete response data from activities?
A: Yes, the quickest and simplest way to remove response data from an activity while keeping a record on your site that the activity took place is to clone the activity, delete the original activity and change the new version so that it has the same URL as the original activity did.
If there is any response data you wish to keep (such as questions that don't contain any personal data) you can export this from Citizen Space before cloning and deleting the activity.
Q: What do we do if a free text answer contains Personal Information, even if we haven't asked for it?
A: Respondents can (and do) provide personal information in free text answers. The new GDPR should act as a good catalyst for your organisation to review your data management policy, and it is also a good time for you and your colleagues to review your practices and procedures for managing activities and their associated data.
Citizen Space is GDPR compliant, and much of the onus will be on you to find the best solution based on the specific scenario.
For example, if you are concerned that you may need to flag any personal information (PI) that has been entered into free text responses for a specific activity, you may choose to add a tag called 'Contains PI' or similar, which analysts can tick if and when they come across some personal information in a free text response. This will enable you to find and manage that data more easily, should you need to access it and erase it following a request from a respondent.
Or, if a respondent contacts you asking for any personal information in their response to be deleted, you could choose to email them a PDF of their full response, asking them to get back to you specifying exactly what they would like to be removed.