Data Management Policy
You are reading this document because you are considering participating in the weDialogue global citizens’ science experiment – or because you are already participating and want to check our data management policy again.
Participation in weDialogue entails personal data collection and processing. weDialogue is delivered using this site – that contains the enrollment process and the site www.weDialogue.eu that contains the experiment platform. In this document we refer to these two websites as the “Site”. We need to collect personal data through this Site from participants like you; data will be used to verify your identity and for research purposes explained further in this policy.
There are rules to process personal data and who is asked to share personal data. According to law, you are a “data subject” and have rights that must be enforced. In this document, you will find all the information you need about data processing through this Site and your rights regarding the protection of personal data.
If you do not understand your rights or have questions about how your data will be used, you can contact the research team at firstname.lastname@example.org. Feel free to ask any questions about your data.
If you have concerns or wish to make a complaint about the conduct of the research, please contact Professor Dibyesh Anand, Head of School of Social Sciences, University of Westminster, 309 Regents Street, London, W1T 3UW. d.anand <at> westminster.ac.uk. +44 20 7911 5000 ext 65159
This Data Policy should be read alongside another legal document, called the Terms of Service. The two documents provide the ethical and legal framework for weDialogue.
2. Legal Basis and Informed Consent
The regulatory framework for weDialogue is defined by the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council), more commonly known as GDPR.
In addition to this general regulatory framework, weDialogue requires your consent to the present data management policy as a legal basis: we can process your data only with your explicit authorization.
In order to complete the registration process to the Site you will be asked to provide a clear consent to the conditions described in this policy. At any moment, you can withdraw your consent according to the procedure defined in the Section 13 of this policy.
In the following sections of this policy we will provide details regarding the purposes and the means through which your data will be collected and managed.
3. Purposes of Data Collection
Personal data are collected and managed under this policy for the following purposes:
- To ensure the unique authentication of users, necessary to take part to the weDialogue process managed through this Service;
- To communicate with users regarding eventual updates to the Service and to its policies;
- To provide periodic information regarding the content of the Site, in accordance with the notification preferences configured by each user;
- For research purposes
Your personal data will not be sold, rented, transferred or used for any commercial purpose.
4. Data Collected
The following kind of personal data are collected in this site:
4.1. User Data
These data are requested to create your profile in this platform, and to authenticate your identity.
- Email address
- Entry survey, which contains questions on demographics, political attitudes and media usage.
All personal data will be publicly released only after undergoing a process of anonymization (as described in Section 10 of this policy). Your email address will never be released.
4.2. Votes and Preferences
During the weDialogue experiment, you will be asked to comment on content created by other users. Data regarding your preferences are considered in this policy as personal data and will be publicly released only after undergoing a process of anonymization (as described in Section 10 of this policy).
4.3. User Generated Contents
WeDialogue collects User Generated Contents (UGC). UGC consists mainly in the discussion threads, comments, proposals and other content generated from participants like you during the weDialogue process. Generally speaking, the UCG is not a data category that falls under the responsibility of the data controller. Participants like you are free to generate or not generate such content and you remain fully responsible for what you generate on this Site. We strongly advise you not to share personal data while generating content on this Site. We cannot be held responsible for UGC that you post. For further information about UGC, please refer to the Terms of Service.
4.4. Usage data
Apart from the data we collect for research purposes through the survey and UGC as a part of weDialogue process, we may process what we call “usage data”. These data are embedded in your internet connection and consist mainly of your IP address, geographical location, browser version and type, operating system, time of visit. This is information about the timing, frequency and pattern of your use of the platform. We process usage data for the purposes of analyzing the use of this Site and its services. This is a legitimate interest for the research team which is the legal basis for this processing.
4.5. Surveys and Questionnaires
Apart from the data we need to collect directly as part of the weDialogue experiment, you will be asked to answer surveys and questionnaires that ask you about your user experience of the platform. By accepting this Data Management Policy you only give permission to be contacted to take part in surveys that are delivered directly by the project team.
4.6. Further Data Processing
In the case of a legal action we may process any kind of data referring to you, if and where necessary for exercising our rights of action or defense in legal claims, whether in judicial, administrative proceedings. Being a plaintiff or a defendant in a legal action, protecting or asserting our, yours or third parties’ rights is a legitimate interest, acts as a legal basis for this processing.
In addition to the specific purposes for which we may process your personal data set out above we may also process any kind of data referring to you, where such processing becomes compulsory in compliance with a legal obligation or if it is necessary to protect the vital interest of another human being.
5. Roles of the organizations and individuals involved
The data management for this Site is shared between the following people:
- Data Controller and responsible for the enforcement of the Data Management Policy: Professor Graham Smith, Department of Politics and International Relations, University of Westminster, London, W1T 3UW, g.smith <at> westminster.ac.uk. The Data Controller makes the final decision and has the final responsibility on every issue regarding the collection and management of personal data in this research project
6. Third Parties
Some of the services delivered through this site could entail the involvement of third parties that could have access to part of your data.
Third-party services active on this site
JISC Online Surveys are used to collect personal information during the enrollment phase
Polis is used as the commenting platform for some users
We also use Matomo to gather website traffic analytics.
7. Cookies policy
A cookie is a small text file that a website saves on your computer or mobile device when you visit the Site. It enables the website to remember your actions and preferences (such as language, font size and other display preferences) over a period of time, so you do not have to keep re-entering them whenever you come back to the site or browse from one page to another.
A cookie can be classified by its lifespan and the domain to which it belongs. By lifespan, a cookie is either:
- a session cookie which is erased when the user closes the browser, or
- a persistent cookie which remains on the user’s computer or device for a pre-defined period of time.
As for the domain to which it belongs, there are either:
- first-party cookies which are set directly in this Site
In WeDialogue we use a first-party session cookie to record the encrypted ID of the currently logged-in user.
You can control and/or delete cookies as you wish – for details, see https://www.aboutcookies.org/. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
8. Data Archiving and Storage
The data collected by the research study will be stored, for the duration of the experiment, on a dedicated MacStadium.com cloud server located in Dublin Ireland. Once the experiment is completed the data will be processed, anonymized and released as open data. The Data Processors will take all necessary measures to ensure that data and content are preserved from data loss, misuse, data breach, data leak, data altering and deletion.
9. Physical Data Security
MacStadium facilities are equipped with a wide range of security systems including biometric access control, security cameras, and on-premise security staff.
9.1 Logical Data Security
The MacStadium server is password-protected and can only be accessed by the maintenance personnel at MacStadium and Mark Klein, one of the Data Processors.
10. Data Preservation
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose and in any case no longer than one year after the last access to this Site by each user. The data already at the disposal of the Data Controller or the Data Processor are not affected by this legal notice even if processed during the weDialogue experience.
10.1 Open Access and reprocessing of Data for scientific purposes
weDialogue supports an Open Access policy. This means that the data and the knowledge gathered and generated in this process will be made publicly accessible in an open format feasible for any re-processing, particularly further research activity and independent monitoring and assessment.
11. Your rights
Here you will find the rights that are defined in the GDPR. You can contact the research team at email@example.com to ask any question you may have regarding your rights and their activation.
11.1. Right to be informed
You have the right to obtain from the controller confirmation as to whether or not any of your personal data are being processed, and, where that is the case, have access to the personal data and any other information regarding their processing.
11.2. Right to correction / rectification
You have the right to obtain from the controller the rectification of inaccurate personal data. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
11.3. Right to get your data deleted
You have the right to request that the data controller erases or destroys your personal data, ceases further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for deletion are outlined in Article 17 of the GDPR, and include the data no longer being relevant to original purposes for processing, or the withdrawal of your consent. This right requires controllers to compare your rights to “the public interest in the availability of the data” when considering such requests.
11.4. Right of restriction
Pending the verification of the balance of interests discussed in section 4.6, you have the right to ask for restriction in the processing of your data. If you ask for this restriction we will continue to store your data on our servers, but we will process them only if you give us consent to do so; if it is necessary for acting or defending ourselves in a legal claim; if we are compelled to protect rights and interests of another human being or legal person; for demonstrated reasons of unavoidable public interest.
11.5 Your right to data portability
The personal data collected on in this Site are your data; you have the right to receive a copy of the data that you provided any time in a structured and machine readable format of common use, for purposes of data transfer.
11.6. Notification obligation regarding rectification or deletion of personal data or restriction of processing
The controller will communicate any rectification or deletion of your personal data or restriction of processing carried out in accordance with your rights.
11.7. Right to object
Since this data collection relies on lawful obligation as its legal basis, you have the full right to oppose the data processing carried out by the research team on the basis of a particular situation of your own that you want to be considered. If you raise such an objection, the processing of your personal data will be stopped and it will be for us to demonstrate that we have legitimate grounds, overriding your right and interest, to continue the data processing. A specific legitimate ground for continuing the data processing is acting or defending ourselves in a legal claim.
11.8. Breach Notification
In case a data breach is likely to result in a risk to the rights covered by this Policy you will be notified within 72 hours of the research team first having becoming aware of the breach.
To enforce any of the aforementioned rights, please contact the DPO. If you think that we are operating on your data in violation of the data protection regulation, you have the right to start a legal action relying on your state’s data protection legal framework, the one of the state in which you live, the one of the state in which you work, the one of the state in which you think the infringement has taken place.
12. Changes to this document
It is always possible to halt your participation to the weDialogue process and to the activity carried out through this Site. Exiting the weDialogue process does not mean that the data we store about you are automatically erased or destroyed.
You can make an Opt-Out request by contacting the research team at firstname.lastname@example.org.
It is our responsibility to communicate to third parties involved in the delivery of the services accessible to this site that you have activated the right to Opt-out.
The right to deletion does not generally apply to the content (UCG) you have created, generated and shared during your participation; your UCG will not containing personal data and will be released as open data following anonymization.
14. Contact information
For further information about the project, contact email@example.com.
The current version of this document is version 1. It has been approved on October 24th 2018 and is valid since October 24th 2018.