...
What personal information will be involved?
...
Registered and signed in people
· Register and sign in using username, password, social media or enterprise credentials.
· Maintain a personal profile page
· Browse opportunity listings
· Express interest in, be invited to, and commit to opportunity listings.
· Access contact details (email, phone) of the person organizing the opportunity to which they are invited.
· Complete activities and training and receive microcredentials (badges) for same.
· View the personal profiles of other volunteers including their listed skills and badges.
· Follow or join organisations.
Activity Providers
· Create and edit activity listings.
· Link and attach resources required for activity listings
· Define assessment requirements and issue badges to people meeting specified criteria.
Opportunity Providers
· Create and edit opportunity listings
· Link and attach resources required for opportunity listings
· Review profile, skills and badges of people expressing interest in an opportunity
· Accept and invite people to commit to the opportunity
· Access contact details – email and phone number of interested parties.
Organisation Administrators
· Edit organisation profile
· Access listings and contact details of followers and members (email only)
· Create and issue badges
Personal Information Collected
Anonymous users
...
IP address and other platform information collected in the course of providing the web service. Retained by Google Analytics and system logs.
Logged in users
...
Personal Profile information entered by user (* required)
Field | Description | Use | Required |
---|---|---|---|
name | full name - longform | in formal communications | required |
| | validated email address | for validation as a human and communications | required |
nickname | short form name: how the person would like to be addressed | general use on the site, e.g. 'nickname' is interested in this opportunity | optional |
about | Anything the person wants to tell others about themselves. formatted text | Informing others, used to select recommended volunteering opportunities | optional |
location | region or city | used to recommend opportunities by location | optional |
phone | Contact phone number | made available to organisers when person is committed to an event | optional |
pronoun | how to address someone appropriately - subject, object and possessive forms: them/they/their | to ensure communications are rendered using appropriate terms | optional |
language | preferred language code (en, mi, fr etc) | to provide appropriate translations | optional |
imgUrl | URL of image representing the person | Represents the person in various listings pages | optional |
website | personal website URL | social network | optional |
| | Facebook link | Allows share to facebook function when participating in an activity | optional |
| | twitter handle | Allows share to twitter function when participating in an activity | optional |
status | active, inactive or on hold | inactive and hold people are not available on the site for opportunities | optional |
dateAdded | when person first joined the site | administrative tracking | optional |
tags | list of words describing skills, interests etc. | matching people to appropriate opportunities | optional |
...
Badges fall into the following categories:
· System administration.
· Requirements and Skills
· Achievements and accomplishments
...
Badges are used instead of status flags to indicate that a person has a certain status on the platform. These include:
· Email validation – confirmation that the person has reply access to the email address they have provided.
· Completion of personal profile – this indicates that a person has provided information on skills and interests etc. so that an organizer can assess their suitability for an activity. Note: website and social media links are not required for profile completion.
· Identity validation – this indicates that the person has been validated as a ‘real person’ through various mechanisms that may include ‘RealMe’ or viewing of a passport or driver's licence. Note: identity validation is a pre-requisite for being able to request a Police vetting process.
· School Ready – this indicates that a person has completed preparatory training for volunteering in a school and has passed police vetting. Opportunity and Activity providers may require volunteers to have the School Ready badge prior to attending an event or working with children.
...
These badges are used to indicate that a person meets specific requirements for an activity or has been assessed to have specific skills. Providers may require at least one person attending to meet these requirements.
These may include:
· First Aider – person has a current first aid certificate
· Organisation specific training – such as TEC or OMGTech onboarding
· Language skills – competency in Te Reo Maori, NZSL, Chinese etc.
· Specific Technical or educational competency
...
These badges are used to encourage participation and reputation in volunteering by recognizing attendance, special effort, key capabilities etc.
These may include:
· First time school volunteer
· Regular volunteer
· Going the extra mile – for volunteering further from home
· Volunteering where it's most needed.
...
List the source(s) and outline why it is being collected from the source and what consent / authorisation we have to do so.
· A teacher on the system may enter their teacher ID and we may autofill some information that can be obtained from this ID
· When an organisation, acting as a volunteer provider, has integrated into our authentication system so that their staff can sign in directly using their enterprise credentials, we will obtain initial values for Full Name, Nickname, Image and potentially role and skills from the enterprise source. People are then prompted to correct this information on their profile.
· When a person signs into the platform using a social media account such as Facebook, Twitter, GitHub etc. we will obtain initial values for Full Name, Nickname, Image and potentially role and skills from the social media source. People are then prompted to correct this information on their profile.
· If permitted by the person we may obtain initial values for skills and interests from sources such as LinkedIn.
· If permitted by the person we may import badges and credentials from alternative sources such as a learning management system.
· Some organisations may choose to bulk register their members by uploading a table of information. This will contain only basic account information (name, email, role, image)
...
The platform is based on the following key technologies:
· Node – JavaScript runtime
· Express – Web service library
· React – Web UI framework
· MongoDB – document management database
...
Voluntarily platforms are currently hosted on Amazon Web Services (AWS) using the following services:
· Elastic Container Service (ECS) – Fargate
· Elastic Container Registry (ECR)
· Load balancer
· CloudWatch – status monitoring and logging
· Certificate management
· CloudFormation – scripts to build the deployed instances and services.
· Simple Email Service (SES)
· Simple Storage Service (S3) – used to hold uploaded images and attachments.
...
Secrets are maintained for the following:
· AWS account credentials used for site construction and deployment.
· AWS account credentials used to access run time services such as email (SES).
· AWS account credentials used for account management and billing
· Atlas Cloud account credentials used to access the MongoDB database.
...
· Alpha.voluntarily.nz – used as a staging and test site for changes
· Beta.voluntarily.nz – used for field trials and beta testing
· Gamma.voluntarily.nz – used for performance and load testing
· Voluntarily.nz – NZ production site.
...
The source code is readable by anyone. Changes to the source code are subject to the following controls:
· To commit code, people must have a GitHub account and be added to a voluntarily members team to get the ability to create a branch, commit to a branch and issue pull requests. To get this access, contributors must demonstrate basic capability in using the system and must communicate directly with the team to request access.
· Deployments are made only from the master branch. To commit to the master branch contributors must issue a Pull Request (PR). A restricted group of staff members have permission to accept a PR into the master branch, and the request must pass a suite of unit, function, end to end and coverage checks plus personal code review.
· Code base and libraries used are monitored by GitHub for known vulnerabilities.
...
This provides fine-grained controls on:
· Who can have access
· What requests they are able to make
· What data fields can be accessed or sent in requests.
For example, this allows us to provide general access to a personal profile while restricting access to edit the profile to the owner and not giving out phone numbers unless the requestor has the required status.
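The profile rule described above can be expressed as per-relationship allow-lists for reading and for updating. The following is an added example, not the platform's own code: the field names come from the profile table, while the relation names (`member`, `orgAdmin`, `organiser`, `owner`), the rule tables and the `committedTo`, `orgs`, `organises` and `adminOf` properties are assumptions made for illustration.

```javascript
// Added example, not the platform's code. Field names come from the profile
// table; the relation names and rule tables are assumptions.
const PUBLIC = ['nickname', 'about', 'location', 'pronoun', 'language', 'imgUrl', 'website', 'tags'];
const READ = {
  anonymous: [],
  member: PUBLIC,
  orgAdmin: [...PUBLIC, 'name', 'email'],            // followers and members: email only
  organiser: [...PUBLIC, 'name', 'email', 'phone'],  // phone only once the person is committed
  owner: [...PUBLIC, 'name', 'email', 'phone', 'status', 'dateAdded'],
};
// Fields the owner may send in an update; email, status and dateAdded are server-managed.
const WRITE = { owner: [...PUBLIC, 'name', 'phone'] };

// Work out how the requester relates to the profile being requested.
function relationTo(requester, person) {
  if (!requester) return 'anonymous';
  if (requester.id === person.id) return 'owner';
  const organises = requester.organises || [];
  if ((person.committedTo || []).some((op) => organises.includes(op))) return 'organiser';
  const admins = requester.adminOf || [];
  if ((person.orgs || []).some((org) => admins.includes(org))) return 'orgAdmin';
  return 'member';
}

// Copy only allow-listed fields, so a new field stays hidden until a rule names it.
function pick(source, fields) {
  const out = {};
  for (const f of fields) if (Object.prototype.hasOwnProperty.call(source, f)) out[f] = source[f];
  return out;
}

function viewProfile(requester, person) {
  return pick(person, READ[relationTo(requester, person)]);
}

function updateProfile(requester, person, patch) {
  const allowed = WRITE[relationTo(requester, person)];
  if (!allowed) throw new Error('forbidden: only the owner may edit a profile');
  const rejected = Object.keys(patch).filter((f) => !allowed.includes(f));
  if (rejected.length) throw new Error(`forbidden fields: ${rejected.join(', ')}`);
  return { ...person, ...pick(patch, allowed) };
}

// Constructed sample record.
const alice = { id: 'p1', name: 'Alice Example', nickname: 'Al', email: 'alice@example.com',
  phone: '021 000 0000', status: 'active', tags: ['robotics'], committedTo: ['op1'], orgs: ['org1'] };
```

Rejecting unknown fields on update, rather than silently dropping them, also surfaces attempts to set server-managed values such as `status` through the profile form.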
Security Risk Assessment
· To be carried out
Penetration Test
...
With the following exceptions:
· If badges are issued in error they will need to be rescinded by the badge issuer
· If people are marked as either attending or not attending an event in error, then the organizer of the event will need to correct the error.
...
Organisations registered on the platform will have access to the following information:
All
· Name and email address of followers
· Name and email address of members
· List of all people expressing interest, invited, committed, attended or not attended an opportunity they have organized.
· List of all opportunities, activities, events created on the system by the organisation or their members.
Volunteer providers
· List of their staff members who have attended/not attended volunteering events, which events and how frequently.
· Reporting dashboard showing overall statistics.
Activity providers
· List of opportunities created based on their activities including school, requestor and attendance list.
· Reporting dashboard showing overall statistics on the use and popularity of their activities.
...