Versions Compared

Version Old Version 26 New Version 27
Changes made by

Roxy Sanchez

Benjy Meyer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
titleWhich countries do you store personal data in, or transfer personal data to? Are any transfers of the personal information outside of the UK?

Which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI outside of the UK?

Our application and data is hosted in AWS in London, UK.

Sub-processors operate data in the following:

  • United Kingdom of Great Britain and Northern Ireland

  • United States of America

  • India

More information on sub-processors: https://www.commonplace.is/subprocessorsMore information: https://commonplace.atlassian.net/l/cp/11d1YW76

Expand
titleDo you use appropriate legal mechanisms for all international transfers of personal data?

Do you use appropriate legal mechanisms for all international transfers of personal data?

We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which includes Standard Contractual Clauses (SCCs) that are sully GDPR compliant and have been approved by the UK Information Commissioner’s Office (ICO).

More information: https://commonplace.atlassian.net/l/cp/hTQ1VG7K

Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

No. Our local government customers are data controllers and so have access to their own data. We have not had personal data access requests from governments in any other context.
Expand
title Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

More information: https://commonplace.atlassian.net/l/cp/cWvQfw1h

We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.
Expand
Does your organisation have a nominated Data Protection Officer (DPO)?
titleDoes your organisation have a nominated Data Protection Officer (DPO)?

More information: https://commonplace.atlassian.net/l/cp/DnNqrb94

Does your organisation have an up-to-date Data Protection Policy?

Yes. Our GDPR Compliance Statement details how we comply with GDPR and is available on request from customers@commonplace.is. This includes information on data controllers and processors, sub-processors and data retention.
Expand
titleDoes your organisation have an up-to-date Data Protection Policy?

More information: https://commonplace.atlassian.net/l/cp/kLj7m2Q0

Expand
titleDoes your organisation maintain a record of all personal data collection & processing activities?

Does your organisation maintain a record of all personal data collection & processing activities?

Yes, we maintain an audit of key events around personal data collection and processing.

More information: https://commonplace.atlassian.net/l/cp/3N6QRRc2

Expand
Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
titleHas your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

Yes, see our privacy policy: https://www.commonplace.is/privacy-policyMore information: https://commonplace.atlassian.net/l/cp/aZNL5wpE

As part of ISO27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection elements including DPIAs, including the appointment of new suppliers. A standardised template record is used for operational changes. The development of the Commonplace platform is managed through the development lifecycle.
Expand
Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
title Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

XXXXX

More information: https://commonplace.atlassian.net/l/cp/GEF1vUvs

Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.

Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is
Expand
Can your organisation facilitate an individual's data privacy rights?
title Can your organisation facilitate an individual's data privacy rights?

Two years after the license ends at the latest, each project is archived and anonymised.

More information: https://commonplace.atlassian.net/l/cp/R0PB2KEf

Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.

Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is
Expand
Does your organisation have a Records Retention Policy?
titleDoes your organisation have a Records Retention Policy?

Two years after the license ends at the latest, each project dataset is archived and anonymised. It will not be deleted. The archiving process anonymises all data and removes relationships between data and people, but maintains the website as published (with visible status completed / closed) in the interest of public / open data.

More information: https://commonplace.atlassian.net/l/cp/aSNRQm92

Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

We log every data breach or suspected data breach. We track the date, severity and resolution.
Expand
titleDoes your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and if so to what extent. The assessment is broken up into 2 stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred with a proportional amount of resource. The objectives of this procedure are:

  • To identify if a data breach has occurred

  • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

  • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

  • To identify the categories of data subject affected by the breach (clients, employees, etc)

  • To identify the number of data subjects likely to be affected by the breach

  • To identify the categories of data affected by the breach

  • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

  • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

  • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

We also have a guidance document as part of our Information Security Management System.

More information: https://commonplace.atlassian.net/l/cp/qQevr3Wm

Expand
titleDoes your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

Yes. XXXXX

More information: https://commonplace.atlassian.net/l/cp/DFkVe71a

Expand
Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
titleHas your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

No.

More information: https://commonplace.atlassian.net/l/cp/s3UCWyCu

Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commonplace from our system. In all cases, customers will be asked for confirmation that they have the right to share this data with Commonplace.
Expand
Does your organisation process personal data on behalf of another organisation?
titleDoes your organisation process personal data on behalf of another organisation?

We do not process personal data on behalf of any other organisation.

More information: https://commonplace.atlassian.net/l/cp/BJAo0kxx

The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers.

Further detail is available in our GDPR Compliance Statement.
Expand
Who owns the data collected via Commonplace?
titleWho owns the data collected via Commonplace?

More information: https://commonplace.atlassian.net/l/cp/JFbR22ok

Expand
titleIs your organisation registered with the Information Commissioner’s Office for Data Protection purposes?

Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes?

Yes. Further information is available in our GDPR Compliance Statement.

More information: https://commonplace.atlassian.net/l/cp/6npzwGTU