Data Protection Analysis
The ADC has commissioned a new online web-based system to manage the booking of its rehearsal spaces. This document examines and considers the safeguards for protection of personal information necessitated in such a system.
The European Union's General Data Protection Regulation (GDPR) defines personal data as data relating to an identified or identifiable living individual. This includes, for example, a person's name or phone number. It also makes a distinction between a data controller and a data processor:
- A data controller is the person or organisation which determines the purposes and means of processing personal data.
- A data processor processes data on behalf of the controller.
The GDPR also details the different precedents that can be used as legal bases for the processing of personal data. The two that are relevant in this case are consent and legitimate interests. Processing under the consent basis occurs when an individual makes a positive, explicit opt-in to have their data processed. As part of processing under the consent basis, the data controller must inform individuals of the nature of the processing and their right to withdraw consent. Processing under the legitimate interests basis occurs when:
- It is in the legitimate interest of the data controller or a third party to process the data.
- This interest is balanced against the individual's interests, rights and freedoms.
The official guidance from The Information Commissioner's Office states that processing under the legitimate interests basis is likely to be appropriate when individuals' data are processed "in ways they would reasonably expect and which have a minimal privacy impact".
The ADC Theatre is a community theatre and department of the University of Cambridge located in the city of Cambridge, England. In addition to its main premises on Park Street the theatre also manages The Corpus Playroom on behalf of Corpus Christi College. During daylight hours when public performances are not taking place, rooms within the buildings managed by the ADC are instead used as venues for a wide variety of meetings, rehearsals, auditions and other such events. As such, part of the day-to-day management of the theatre involves the scheduling of room and theatre-space bookings.
To simplify administration, a new online system has been developed to replace an existing and increasingly outdated legacy solution. This will allow users who are responsible for a particular show or society to register and book rooms on behalf of that show or society during certain times of the day. The ADC's Management will also be able to use this new system to restrict a show or society's bookings in order to ensure a fair distribution of booking time amongst other shows and societies. In respect of all such booking data, The ADC Theatre would be acting both as data controller and data processor. We propose to undertake this processing under the legitimate interests basis as without it, keeping track of rehearsal bookings would become impossible.
In order to minimise disruption between different users of the buildings and rooms that the system will manage, each booking and the registered name of the user who made it will be displayed publicly. We propose to display these data under the legitimate interests basis, with an explicit message detailing this shown to users once at each login. We consider that there is minimal privacy impact in such an undertaking - auditions, meetings and rehearsals are routinely shared amongst building users via alternative means such as social media, for example.
For the avoidance of doubt, the ADC Room Booking System does not process and does not intend to process any special categories of personal data as defined by Article 9 of the GDPR.
Camdram is a website which acts as an online portal for theatre, film, drama and comedy taking place within the city of Cambridge. It predominantly serves the needs of the student amateur theatrical community, both at the University of Cambridge and at other further education institutions; however, it also has a not insignificant non-student user base. Camdram is used as an information hub to detail productions that take place, the location & time of any performances of that production, and to record the list of persons involved together with their role or roles.
Camdram offers a service to third-party websites to act as an external login provider using the industry standard OAuth2 protocol. This allows another organisation to authenticate and authorise their users by having a given user complete a login process on the Camdram website before being redirected back to the organisation's own site. After successfully completing this process, a variety of information about the user can be requested by the third-party organisation from Camdram, for example the user's name, email address and a list of productions for which they have a management or supervisory role. This information can be accessed by the third-party only once the user has given their explicit consent for Camdram to disclose the requested data to the party in question (which they are prompted to do and may refuse if they so desire).
The new ADC Room Booking System uses this service firstly to allow users to log in using a single unified account. Upon login, the name and email address with which the user has registered their Camdram account will be copied across to the Room Booking System; the login page will clearly and prominently state this. These data are believed to be processed under a legitimate interests basis because without them the ADC Theatre would not be able to uniquely identify a user.
Additionally, the Camdram OAuth2 service will be used to determine which shows and societies a given user should be able to make bookings on behalf of. These data are believed to be processed under a legitimate interests basis because without them the ADC Theatre would not be able to determine what privileges a user should be given on the Room Booking website. This will also be detailed on the login page.
Other personal data about a user that is not needed might nevertheless be transmitted from Camdram to the ADC Room Booking System due to limits in the granularity of the interface used to request such data. In these circumstances, such data would be discarded upon receipt.
Under the GDPR, website cookies fall under the definition of personal data as they are identifiers. The ADC Room Booking System uses cookies for two primary purposes:
- To ensure users remain logged in.
- To prevent malicious behaviour by preventing Cross-Site Request Forgery attacks.
This usage is believed to be processing under the legitimate interests basis as without them, the ADC Room Booking System would either not function, or be vulnerable to attack by malicious users. The ADC Room Booking System does not use cookies for marketing or tracking purposes.
To protect the personal data of users, a number of safeguards have been built into the ADC Room Booking System. Foremost among them is the provision that contact details (in this case, email addresses) of individual users will only be visible to that user and to the system's administrators, who comprise ADC Theatre management and anyone else whom they may delegate from time to time on a temporary or permanent basis.
The Room Booking System will not transmit any data over an unencrypted connection and will use cryptographically signed & encrypted session cookies to ensure that users cannot be impersonated. The backend database that will be used to store data will be configured to only accept connections to/from the Room Booking System and will not be directly accessible from outside of the ADC's internal network. The ADC Room Booking System and the database will be located on a virtual machine running on a server that is owned and hosted by the ADC Theatre.
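The two cookie uses listed earlier (keeping users logged in, and carrying the token that defeats Cross-Site Request Forgery) and the "signed & encrypted session cookies" safeguard above are easier to reason about with a concrete sketch. The Ruby below is an added example written for this page, not code from the ADC Room Booking System; the document does not show the system's implementation. It assumes AES-256-GCM as the sealing construction (one primitive that both encrypts the session and authenticates it, so any edit to the cookie is rejected), a session layout of user id, name and CSRF token, and the function names `seal_session`, `open_session` and `csrf_valid?`, all of which are choices made here rather than taken from the project.

```ruby
# Added example (not the ADC Room Booking System's own code): a login session
# sealed with AES-256-GCM. The cipher's authentication tag makes the cookie
# tamper-evident, so a client cannot alter its user id or forge a CSRF token.
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

TAG_LEN = 16                                    # full GCM tag; never accept a shorter one
IV_LEN = 12                                     # nonce length GCM expects
SESSION_KEY = OpenSSL::Random.random_bytes(32)  # constructed per-process key; a real
                                                # deployment loads a long-lived secret

# Encode a session hash as an opaque cookie value: iv.ciphertext.tag, base64url.
def seal_session(session, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                         # fresh nonce for every cookie issued
  cipher.auth_data = ''
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |b| Base64.urlsafe_encode64(b, padding: false) }.join('.')
end

# Decode and verify a cookie. Returns the session hash, or nil when the cookie is
# malformed, was sealed under a different key, or has been modified in any way.
def open_session(cookie, key)
  parts = cookie.to_s.split('.')
  return nil unless parts.length == 3
  iv, ciphertext, tag = parts.map { |p| Base64.urlsafe_decode64(p) }
  # OpenSSL accepts truncated tags if asked; insist on the full 16 bytes.
  return nil unless iv.bytesize == IV_LEN && tag.bytesize == TAG_LEN
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = key
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.auth_data = ''
  JSON.parse(decipher.update(ciphertext) + decipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Session issued at login: the identity copied from the login provider plus a
# random CSRF token that later form submissions must echo back.
def new_login_session(user_id, name)
  { 'uid' => user_id, 'name' => name, 'csrf' => SecureRandom.hex(32) }
end

# Constant-time string comparison, so a wrong token is not rejected faster the
# earlier it differs (implemented here to avoid depending on a newer OpenSSL gem).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CSRF check: the token submitted with the form must equal the one sealed inside
# the cookie. A cookie that fails to open fails the check too.
def csrf_valid?(cookie, form_token, key)
  session = open_session(cookie, key)
  return false if session.nil? || form_token.nil?
  secure_equal?(session['csrf'].to_s, form_token.to_s)
end

# Flip one bit of the ciphertext to simulate a client editing its own cookie.
def tampered_copy(cookie)
  iv, ciphertext, tag = cookie.split('.')
  raw = Base64.urlsafe_decode64(ciphertext)
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  [iv, Base64.urlsafe_encode64(raw, padding: false), tag].join('.')
end

if __FILE__ == $PROGRAM_NAME
  cookie = seal_session(new_login_session(42, 'A. Member'), SESSION_KEY)
  puts "cookie:   #{cookie}"
  puts "opened:   #{open_session(cookie, SESSION_KEY).inspect}"
  puts "tampered: #{open_session(tampered_copy(cookie), SESSION_KEY).inspect}"
end
```

Two points the sketch makes that the prose cannot: the user id and name inside the cookie are unreadable to the browser (encryption), and changing even one bit of the cookie, or presenting one sealed under another key, yields `nil` rather than a partially trusted session (authentication). The explicit tag-length check matters because OpenSSL will otherwise verify against whatever tag length it is handed. Session expiry and key rotation are outside this example.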
This analysis was undertaken by Charlie Jonas (charlie@charliejonas.co.uk) on behalf of the ADC Theatre. Copyright (c) 2019 - All Rights Reserved.