Virtual Region Data Protection Policy
Virtual Region of Overeaters Anonymous is committed to protecting the rights and freedoms of all individuals in relation to the processing of their personal data and provides the Data Protection policy for everyone to follow.
• Governing Law and Jurisdiction
• Scope of this policy
• Definitions
• Processing
• Personal data
• Sensitive personal data
• GDPR data protection principles
• Data Protection Responsibilities
• Prohibited activities
• Implications of breaching this policy
• Version
Scope of this policy
The Virtual Region (VR) needs to collect and keep certain types of information about the people with whom it deals. This includes designated VR Board members, the Committee Chairs and member, Event Chairs and members, Subcommittee Chairs and members and other service fellows and OA members. The VR needs to process this information for a variety of reasons, such as to record who has attended meetings or Events, distribute notifications, eblasts, newsletter and share contact details for members who provide translations and service.
The Virtual Region uses reasonable efforts to comply with the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area, when processing this kind of information. To this end, a VR policy has been developed which sets out the obligations of designated VR Board members and its designees, the VR, Committee Chairs and members, Subcommittee Chairs and members and other OA members.
This policy and the principles of the GDPR apply to all personal information handled by the VR, both that are held in paper files and electronically. So long as the processing of the data is carried out for VR purposes, this policy also applies regardless of where data is held, (for example, it covers data held on shared cloud storage service providers such as Dropbox folders, Google workspace and on mobile devices such as mobile phones or laptops) and regardless of who owns the PC/device on which it is stored.
To comply with the law, personal information is to be collected and used fairly, stored safely and not disclosed unlawfully.
Governing and Law and Jurisdiction
The Virtual Region is organized and incorporated as a not for profit entity under the laws of the State of New Mexico, the United States of America. This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, United States of America.
The Virtual Region, all Board members (who act as directors of the Virtual Region) and any other persons designated by the Board in terms of the Bylaws of the Virtual Region to undertake various service for the Virtual Region, agree that the courts of New Mexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other VR policies, or their subject matter.
Definitions
Processing
‘Processing’ data is widely defined and includes every plausible form of action that could be taken in relation to the data such as obtaining, recording, keeping, or using it in anyway; sharing or disclosing it; erasing and destroying it.
Personal data
Data which relates to a living individual who can be identified from that data or from that data and other information which may be in the possession of the person who has access to the data.
Sensitive Personal data
Sensitive personal data is personal data consisting of information relating to any of the following 9 categories:
• race or ethnic origin of the data subject
• their political opinions
• their religious beliefs or other beliefs of a similar nature
• whether they are a member of a trade union
• their genetic or biometric data
• their physical or mental health or condition
• their sexual life
• any commission or alleged commission by them of any offence
• any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
VR will rarely have access to sensitive personal date, save for the fact that any member of OA has, by reason of declaring their membership, shared information about their physical or mental health or condition or spiritual beliefs, or that any member of OA who is a speaker at VR Event shares or submits creative materials or written materials documents, articles, blog shares information, of their own volition, which amounts to sensitive personal data.
Particular care should be taken in collection and in processing sensitive personal data.
GDPR data protection principles
Anyone using personal data is to take reasonable efforts to comply with the six Data Protection Principles set out in Article 5 of the GDPR. These Principles define how personal data can be legally processed. In summary these state that personal data is to be:
• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
• collected for specified explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).
• accurate and kept up to date (‘accuracy’). • kept for no longer than is necessary (‘storage limitation’).
• processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Consent to share information outside EU
The Virtual Region covers all geographical areas, extending beyond the EU to include all countries and territories. This means that VR Officers, trustees, OA members, and Committee and Subcommittee Chairs and Co-Chairs, service volunteers and members who are based outside the EU may receive personal data via VR. Some of these countries where members are based may have data protection policies akin to the GDPR and others may not. In these latter circumstances the GDPR requires specific consent to be obtained from data subjects in order to permit their personal data to be processed. Such consent will be sought.
Data Protection Responsibilities
Designated Board members of the VR and where applicable the Convention Chair or Co-Chair having responsibility for data protection, have the responsibility of carrying out and/or overseeing the work of VR, as directed by the Chair, Designated Board Member or where applicable the Committee Chairs, and in accordance with the Virtual Region Bylaws and the Policy and
Procedure Manual. This will involve the processing of personal data. Other OA members may carry out service which will require them to process personal data, and may also have access to and may process personal data when attending Events, E-mailing subscribers or participating in the work of VR.
All Virtual Region Service fellows are to:
• Be mindful of the fact that individuals have the right to see their
‘personal data’ if they ask to see it. They should not therefore record comments or other data about individuals which they would not be comfortable were these to be seen, either in emails or elsewhere.
• Immediately report the matter to the VR Chair, Designated VR Board Member [ or where there are committee chairs, to the Chair or Co-Chair designated as the person responsible for the protection of privacy and of personal data], if they find any lost or discarded data which they believe contains personal data, (for example, may include a memory stick).
• Immediately report the matter to the VR Chair or the board designee or where there are committee Chairs designated as the person responsible for the protection of privacy and of personal data], if they become aware that personal data has been accidentally lost or stolen, inadvertently disclosed (for example, if their laptop is stolen or their phone is lost and it has personal data stored on it)or if they are notified by their email provider of any data breach related to the personal data in their emails.
• Hold the contents of any personal data which comes into their possession securely.
• Use reasonable efforts to ensure that any personal data they record or provide to VR (for example, their contact details as a meeting or group or service board representative) is accurate.
• Notify the VR Chair or designated VR Board member or where there are Committee Chairs, to the Co-Chair designated as the person responsible for the protection of privacy and of personal data], promptly of any changes to their personal data (for
example, change of address or email address, or end of service position).
• Only ever obtain or use personal data relating to third parties for approved OA purposes.
The VR Chair [or where there is a designated board member, the designated as the person responsible for the protection of privacy and of personal data] and each person processing personal data, is to use reasonable efforts to:
Ensure that they only ever process personal data in accordance with the GDPR and in particular follow the six Principles it contains. The key requirements are:
• Fair processing – for example, use reasonable efforts to ensure that the individual consents to their data being used and knows what it will be used for, and to ensure that it is not subsequently used for something else,
• Data Security – use reasonable efforts to ensure any personal data which is held is always kept and disposed of securely, (taking into account any cyber security considerations). The information security policy should be followed.
• Non-disclosure – use reasonable efforts to ensure personal data is not disclosed to any unauthorized third party.
Familiarize themselves with this guidance and other data protection policies and take reasonable efforts to follow them at all times.
Be mindful of the scope of Data Protection. This includes that fact that ‘personal data’ is widely defined, (and so will cover for example comments made about an individual in an email to someone else), and the fact that it covers data held on remote devices (such as tablets and on mobile phones) regardless of who owns the actual device and where the device is stored. Seek advice whenever a new or novel form of processing personal data is contemplated or if any data protection related concerns ever arise.
Prohibited activities
The following activities are strictly prohibited:
• using data obtained for one purpose for another supplemental purpose (for example, using contact details provided for meeting attendance purposes to send convention announcements); and
• disclosing personal data to a third person outside of VR and its service work, without the consent of the data subject, save where this is specified or is required by law, in which latter case the data subject will be informed prior to disclosure, unless this is prohibited, or proves impossible (e.g. where contact details are not available or are not working).
Implications of breaching this policy
The designated VR Board members, the VR Committee chairs where applicable, Committee Chair and members, Subcommittee Chairs and members and other OA members giving service for the VR will take reasonable efforts to comply with this data protection policy.
Any breach of this policy will be considered to be a serious matter, and may result in an officer or fellow being removed from their service position. Also, OA is a 12-step fellowship, and so any unauthorized disclosure of personal data would also stand outside our 12th tradition of anonymity. This may be very damaging to fellows, and also undermines the fellowship and so limits our ability to carry the message of recovery.
Version
This first version of the “Data Protection Policy” was updated on behalf of the VR Board.
Any questions about this policy or any queries concerning data protection matters should be raised with the Chair or to the designated responsible board member for the protection of privacy and of personal data, at privacy@oavirtualregion.org.