What we collect, and why we collect it
14th August 2017
We found the image here.
We work to collect the minimum amount of data that we need from you to do our jobs within the resources we have, and to protect and use that data in an ethical manner. We are expanding the ways we engage with our supporters, by rebuilding our technical services to ensure that we continue to live up to that commitment.
Here we explain what data we have access to, what we collect, and how we work to protect your data. This piece is more explanatory than our policy statement.
What data about you do we hold
There are six categories of data that we may have on people who engage with us.
- Data you disclose without any control. This is the log data from your visits to our websites. We are not directly able to minimise this data. We do run a Tor service that would minimise the invasiveness of the collection of this data.
- Data you disclose because you want to receive our newsletters. This includes the email address that you provide to us.
- Biographic data about yourself that you have volunteered when signing up to receive news from us and/or participate in a campaign. This voluntary information could include your name and country of residence.
- Data about your individual interests that you have volunteered when signing up to receive news from us. This is also voluntary. This can be sensitive as it could indicate your beliefs or opinions.
- A record of your engagement with our campaigns. If you engage with our campaigns, e.g. sign a joint letter asking internet companies not to help governments to hack you, we will keep a record of this interaction. This can be sensitive as it could indicate your political beliefs or opinions.
- Data relating to financial donations. If you donate to us, this is data required to process your donation. This may include payment data, biographic data (i.e. name, email address, physical address), and data about your tax residency.
Why do we want data on you?
There is some data that we collect just by you engaging with us (category 1 above for instance). We protect this data by deleting it with regularity. We don't systematically process the raw data to understand individual people or their behaviour -- though we may or may be required to for some exceptional reasons, e.g. investigation into a service error, or a security incident. Before deleting log data, we reduce the uniqueness of the data by reducing the granularity of the identifiers, and we aggregate this data for analytics. In particular, we obfuscate the last two octets of the IP address. The reason we run analytics is to help us identify how people are using our website and what content they are engaging most with. This helps us report to our board and funders about the usefulness of our content, and ultimately guide our organisational strategy.
The essential data we collect on our platform (category 2) is for the purpose of helping us communicate with our community of supporters. You can share data with us to be notified of specific areas of our work, receive newsletters, and you can also sign petitions, join actions launched by us, amongst other campaigning activities. The purpose is to help you engage with our content and on occasion to help you engage in our campaigns. We ask explicitly whether we can specifically contact you with direct appeals for fundraising purposes.
We give you the option to disclose more data to us (category 3). Having your name helps us address you, and it is entirely optional. This is the difference between Dear Sarah and Dear [blank]. Knowing your country allows us identify if we should contact you regarding a specific news development in your country. It also helps us know if we have a substantial supporters in a particular country. This would, for example, help us to better understand if we should be creating content in other languages. We do not use this data for additional purposes -- although some charities have been profiling supporters for wealth screening for instance.
Knowing what you're interested in helps us channel content to you (category 4). It also helps us understand what aspects of our work resonate with you and other supporters. It is entirely optional. It helps us to know if you are interested in consumer protection in Latin America; or data protection law in South Asia; or are interested in our investigations into surveillance in Eastern Africa. It would make it possible for us to contact you directly if we develop content that we think you may be interested in.
We will track your participation with our campaigns. While participation is optional, the nature of the campaigning action may require us to retain data on your participation. So if you signed a petition, we may need to keep a record the fact that you signed so that we can share this with the petition target. So long as the petition is an active campaigning or reporting artefact your data will be kept. Like the analysis of our log data of website visits (under category 1) it is helpful for PI to know how many people from what kinds of countries with what kinds of interests participated in our campaigns, but the detailed data is not shared with other parties.
How we protect your data
The most significant safeguard is that we minimise the data we hold on you. We work hard to minimise situations where we collect excessive data, and we work hard to only collect data in a fair manner, by directly asking you and reducing what data is mandatory. We also avoid using third party services who procure and process excessive amounts of data. We provide you opportunities to change or delete your data. If you ask for your preferences to change or for data to be deleted, we keep a record that we deleted your data, e.g. (in an analogue way) "email@example.com has unsubscribed from our fundraising newsletter and removed his country of residence".
Except for the financial data of donors, all the above-mentioned data resides on our server. We do the utmost we can to protect this data. We maintain control over the data and do not share it with third parties.
We apply security patches to our services as promptly as reasonably possible -- so if a known vulnerability is corrected by the software developers, or an underlying service, we work hard to ensure our system is updated.
Breaches may occur, despite all these measures. We will notify you as soon as possible of breaches that affect your data.
Finally, we believe that your consent to receive news from us has an expiration period: every two years we will ask you again to sign up to receive news about our work, otherwise we will delete your data.
Financial data, and financial services, are very different
If you donate to us, the ways we are able to protect your data are very different. We again work hard to host our own service, available here, and reduce the level of persistent data available on our server. But we necessarily have to rely on other parties.
When you donate on our server, we are providing a portal to third party payment processors. They collect your data and process the payment, and interact with your bank or credit card issuer. If you want your donation to be tax friendly, again more data is required. All this data is under the control of payment processors. Your financial data may be shared with others in the process of payment, as well as our auditors, and possibly tax authorities.
Financial processes grab more data on people than we would like. The purposes for their data collection are broad. Because of changes in laws and the desires of the financial sector, the purposes for which they are collecting your data are broadening, quickly.
Though we try to choose payment processors who minimise data processing, we are frustrated by the lack of choices and verifiable protections. They may claim they require more data for more purposes for lengthier periods of time than we can control. This is one reason we advocate for changes in financial surveillance laws and practices.