Voluntarily Platform

What personal information will be involved?

Outline of functionality of the platform

Voluntarily provides the following functions for people

Anonymous visitors

Registered and signed in people

Activity Providers

Opportunity Providers

Organisation Administrators

Personal Information Collected

Anonymous users

· IP address and other platform information collected in the course of providing the web service. Retained by Google Analytics and in system logs.

Logged in users

· Personal profile information entered by the user. For each field: whether it is required or optional, its description, and its use.

name (required): full name, long form. Used in formal communications.

email (required): validated email address. Used to validate that the account belongs to a real person, and for communications.

nickname (optional): short-form name by which the person would like to be addressed. General use on the site, e.g. "<nickname> is interested in this opportunity".

about (optional): anything the person wants to tell others about themselves, as formatted text. Informs others and is used to select recommended volunteering opportunities.

location (optional): region or city. Used to recommend opportunities by location.

phone (optional): contact phone number. Made available to organisers when the person is committed to an event.

pronoun (optional): how to address someone appropriately; subject, object and possessive forms, e.g. they/them/their. Ensures communications are rendered using appropriate terms.

language (optional): preferred language code (en, mi, fr, etc.). Used to provide appropriate translations.

imgUrl (optional): URL of an image representing the person. Represents the person on the various listing pages.

website (optional): personal website URL. Shown as a social network link.

facebook (optional): Facebook link. Enables the share-to-Facebook function when participating in an activity.

twitter (optional): Twitter handle. Enables the share-to-Twitter function when participating in an activity.

status (optional): active, inactive or on hold. People who are inactive or on hold are not available on the site for opportunities.

dateAdded (optional): when the person first joined the site; set by the system, for administrative tracking.

tags (optional): list of words describing skills, interests, etc. Used to match people to appropriate opportunities.

Interest and Attendance

We record the relationship of a person with an opportunity through a lifecycle: interested, invited, committed, and finally attended or did not attend the event.

Before the event only the organiser (and admins) can see the list of interested people. At any time the person can withdraw their interest in, or commitment to, an event.

After an event, actual attendance is recorded for downstream reporting and to improve the effectiveness of the platform. This information is available to people on their personal history page.

Badges Issued to Person

Each badge represents an award recognizing that the person has met specific criteria. Badges are illustrated with a small icon and a link to the badge description which may include the purpose of the badge, when issued, and a citation regarding the achievement or evidence provided to receive the badge.

Badges are portable and may be imported and exported from the platform to other systems including learning management systems, and social media sites.

Badges are intended to be made public and shared. However, badge receivers will be able to suppress the fact that they have a badge if they wish.

Badges fall into the following categories:

System Administration Badges

Badges are used instead of status flags to indicate that a person has a certain status on the platform. These include:

Note that absence of the badge does not reveal whether a person has failed a police vet as other steps such as email & identity validation, training etc. are also required.

Requirements and Skills Badges

These badges are used to indicate that a person meets specific requirements for an activity or has been assessed to have specific skills. Providers may require at least one person attending to meet these requirements.

These may include:

Achievements and accomplishments

These badges are used to encourage participation and reputation in volunteering by recognizing attendance, special effort, key capabilities etc.

These may include:

Is any of the information likely to be sensitive?

Provide details of any information involved in the change that is likely to be viewed as sensitive by the individuals that it relates to.

Most of the information stored in the system is non-sensitive, and the person concerned controls how much they share about themselves.

In the personal profile the telephone number and social media links are probably the most sensitive. The telephone number is not made publicly available and is only shared with people attending an event, as a necessary communication tool. Social media links are shown on a person's profile but are optional.

For badges the most sensitive information would be whether the person has completed and failed police vetting. This specific information is not stored; a passed vet is one requirement, alongside other steps, for the school-ready badge.

Obtaining police vetting requires a more specific set of personal identity information, e.g. full address and date of birth. This is collected through a form on the platform, but the data is not stored in the platform: it is transmitted to an API which raises a formal police vetting request, and is not retained once submitted. Because the data passes through the platform on its way to that API, the endpoint handling the form must be kept out of request logging and error reporting so that the identity details are not retained incidentally. Once the process has completed the badge is issued.

Where did we get the information from?

Individual

What information are we collecting directly from the individual involved? For this information, how have we made sure that the individual understands what we are collecting and the purpose that we are collecting it for?

Most information is collected from the individual concerned and is available to them to be updated, removed or corrected.

Profile page forms give details on the purpose of each piece of information requested with further details in associated help.

Third party

What information is Voluntarily collecting from other third party sources?

List the source(s) and outline why it is being collected from the source and what consent / authorisation we have to do so.

Where are we storing the information?

Provide details of the system / location where information will be stored, including whether it will be hosted in the cloud. If the information will be stored outside the TEC environment, provide details of where and what contractual arrangements are in place.

This is where we need to talk about voluntarily, their security processes and what contractual arrangements are in place around this.

The voluntarily platform is realized through the following components

  1. Source code

  2. Integration and deployment tools

  3. Cloud service accounts and configuration

  4. Secrets

  5. Run time instances

  6. Databases associated with the run time instances.

Source code

Voluntarily is an open source platform under the Mozilla Public Licence 2.0 (https://opensource.org/licenses/MPL-2.0).

This means that all source code, including management and deployment scripts, is available for public inspection.

Voluntarily source code is currently stored on Github.com at: https://github.com/voluntarily/vly2

The platform is based on the following key technologies:

Integration and deployment tools

Voluntarily platform makes use of the following integration and deployment tools (CI/CD)

Cloud service accounts and configuration

Voluntarily platforms are currently hosted on Amazon Web Services (AWS) using the following services

It is a possibility that the production deployment may move to Microsoft Azure. There it will use a similar set of container and repository services.

Auth0

For identity management, user registration, sign in, social sign in, and enterprise sign in we use the identity services provided by Auth0.com.

Auth0 Data Privacy statement https://auth0.com/docs/compliance

The personal data stored in Auth0 is used only for the purpose of providing its service, namely authenticating users.

Secrets

Secrets are maintained for the following:

Primary values for these secrets are held in a LastPass password manager.

Run time values for these secrets are stored as encrypted strings in the build scripts and then injected into the Docker containers during construction by the CI system. Because the decrypted values are written into the container image at build time, anyone who can pull the image can recover them, so access to the image repository must be restricted as tightly as access to the password manager.

Run time instances

Voluntarily will maintain and operate the following run time instances of the platform

The above instances are hosted in Sydney with the exception of alpha which is hosted in Singapore (will move to Sydney eventually)

Databases associated with the run time instances.

All information used on the platform that is not in the source code or the secrets is held in the database. This is a MongoDB database hosted on MongoDB Atlas (https://cloud.mongodb.com/).

The databases are currently hosted in Singapore.

Privacy policy: the applicable policy is that of MongoDB, Inc., which operates the Atlas service. Note that https://www.atlascloud.co.uk/privacy-policy/ is the policy of Atlas Cloud, an unrelated UK hosting company, and does not cover this database.

How are we keeping the information safe?

Provide details of security controls that are in place to protect the information. If a security risk assessment or penetration testing has been completed, provide a summary of the outcomes here.

Security controls exist at the following levels

1. Access to Open source code.

2. Access to platforms

3. Access to Database contents

4. API Services

Access to Open source code

The source code is readable by anyone. Changes to the source code are subject to the following controls:

Access to platforms

Access to the platform for deployment is granted to staff via AWS IAM accounts, and that access is tracked. Deployed systems run as web services within Docker containers and do not have shell access.

The website is HTTPS only, so all information in transit is encrypted. Information at rest is stored only in the MongoDB Atlas database or, for uploaded images, in S3 buckets; both storage locations are encrypted.

Access to Database contents

Direct access to the database through the MongoDB Atlas service is limited to key administrative staff of Voluntarily (currently only Andrew and Walter). Code-level access requires a connection secret, which is not stored in the open source code base except in encrypted form.

API Services

All information in and out of the database passes through server-side APIs. These allow clients with appropriate credentials to make create, read, update and delete requests on entities in the database, which include people, activities, opportunities, organisations, etc.

The API is secured via the CASL library https://github.com/stalniy/casl

This provides fine grained controls on

For example, this allows us to give general read access to a personal profile while restricting editing of the profile to its owner, and withholding the phone number unless the requester has the required status.
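The profile rule described above, written out as an added example rather than code from the Voluntarily repository: the rule objects follow the action/subject/fields/conditions shape that CASL uses, but the matcher is hand-written here so the block runs without the library. The roles, the committedTo attribute on a person and the opportunities list on an organiser are assumptions made for the illustration.

```javascript
'use strict';
// Added example, not code from the Voluntarily (vly2) repository. Rule shape
// mirrors CASL (action, subject, fields, conditions); the matcher below is a
// small stand-in for the library so that this file has no dependencies.
// Roles ('volunteer', 'orgAdmin', 'admin'), `committedTo` and `opportunities`
// are assumptions for this illustration.

// Constructed sample record
const people = {
  p1: { _id: 'p1', name: 'Alice Example', nickname: 'ali', about: 'Maths tutor',
        email: 'alice@example.org', phone: '021 000 0000', committedTo: ['op1'] },
};

// Fields anyone may read from a profile
const PUBLIC_FIELDS = ['_id', 'name', 'nickname', 'about', 'location', 'imgUrl',
                       'website', 'facebook', 'twitter', 'tags', 'status'];

// A rule grants `action` on `subject`; `fields` limits it to the listed fields
// (absent = all fields); `conditions` is a MongoDB-style query the record must match.
function defineRulesFor(user) {
  const rules = [{ action: 'read', subject: 'Person', fields: PUBLIC_FIELDS }];
  if (!user) return rules;                                    // anonymous visitor
  if (user.role === 'admin') {
    rules.push({ action: 'manage', subject: 'Person' });      // every action, every field
    return rules;
  }
  // a signed-in person may read and update only their own profile in full
  rules.push({ action: 'read',   subject: 'Person', conditions: { _id: user._id } });
  rules.push({ action: 'update', subject: 'Person', conditions: { _id: user._id } });
  if (user.role === 'orgAdmin') {
    // an organiser gets the phone number only of people committed to one of their opportunities
    rules.push({ action: 'read', subject: 'Person', fields: ['phone'],
                 conditions: { committedTo: { $in: user.opportunities } } });
  }
  return rules;
}

// Supports equality and {$in: [...]} (array-valued record fields match on any element).
function matchesConditions(conditions, record) {
  if (!conditions) return true;
  return Object.entries(conditions).every(([key, expected]) => {
    const actual = record[key];
    if (expected && typeof expected === 'object' && Array.isArray(expected.$in)) {
      const values = Array.isArray(actual) ? actual : [actual];
      return values.some(v => expected.$in.includes(v));
    }
    return actual === expected;
  });
}

function can(rules, action, subjectType, record, field) {
  return rules.some(r =>
    (r.action === action || r.action === 'manage') &&
    r.subject === subjectType &&
    matchesConditions(r.conditions, record) &&
    (!field || !r.fields || r.fields.includes(field)));
}

// Copy of `person` containing only the fields `user` is permitted to read.
function readableProfile(user, person) {
  const rules = defineRulesFor(user);
  const out = {};
  for (const field of Object.keys(person)) {
    if (can(rules, 'read', 'Person', person, field)) out[field] = person[field];
  }
  return out;
}

function canUpdate(user, person) {
  return can(defineRulesFor(user), 'update', 'Person', person);
}

// Usage: the same record, seen by an anonymous visitor and by its owner
console.log(readableProfile(null, people.p1));
console.log(readableProfile({ _id: 'p1', role: 'volunteer' }, people.p1));
```

The important design point is that the phone field is never filtered in the client: the API applies the rules to the record before serialising it, so a requester without a matching rule never receives the value at all.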

Security Risk Assessment

Penetration Test

How will people be able to access and correct their information?

Provide details of how individuals will be able to access and correct their information. Will it be through standard TEC processes or will additional steps need to be put in place?

All personal information held on the platform will be able to be edited and maintained by the person themselves through their personal profile.

With the following exceptions:

In both of the above cases the error can also be corrected by making a help desk request (through the site); an admin will then be able to correct the data.

How do we know personal information is accurate before we use it?

Provide a summary of any validation / accuracy controls that are being put in place to check personal information is accurate before it is used or disclosed.

Where information is collected directly from the person concerned it is taken as accurate at source.

Other than the person maintaining their profile information directly we perform the following

1. Email validation.

2. Real person validation as part of police vetting

How will the information be used?

Provide a summary of how personal information will be used in the change. For example, if we are using information to assess an individual’s eligibility for a service and then delivering it, outline what information is being used for assessing the eligibility and what is required to deliver the service.

Information is used to match volunteers with opportunities to carry out educational activities in schools.

Activity and Opportunity providers are able to define the requirements for volunteers participating in an event. This is done by listing the badges required. Badge requirements may be either mandatory or optional. When assessing volunteers organisers have visibility of whether the volunteer has the necessary mandatory badges and how well they match the overall optional requirements.

Policy on whether a particular badge is required is therefore set by the organisation creating the request. In the case where an opportunity is generated from an activity both sets of requirements will be used.

Hence either a school, activity provider (such as ITF) or the voluntarily platform itself may set a policy.

Will there be any areas where we use algorithms or automated decision making?

Voluntarily will use algorithms to make recommendations to volunteers as to which opportunities they should consider e.g. by locality, skills matching, interests etc. Similar algorithms may be used to identify potential candidates for helping with an opportunity (shoulder tap).

Presence or absence of specific badges will be involved in automated decision making, e.g. excluding people who have not been police vetted from attending events that require it.

If the information is being used for research / analysis, will individuals be identifiable during the analysis or in the outputs?

In general, no. However, should we make available a complete set of volunteer activity data for analysis, it may be possible even without personal identity information to identify people through correlation with other data, such as social media posts about attending events.

Do we have the right permission / basis to use it for this

Do we have consent / authority or a legal basis to use the information in this way? If so, provide the details here.

Yes it is a condition of using the site and becoming a volunteer that the information provided can be used to

a) provide the service

b) report on and improve the service

There will be a privacy section in the terms and conditions.

A consent check box is required at the point of first expressing interest in an activity and thus wishing to be considered for invitation.

Volunteers will be required to tick the terms box each time they click the "I'm interested" button unless they visit the Terms page and click the accept button at the bottom.

How have we communicated to individuals how we will be using their information?

We will need to write a statement to sit on voluntarily that talks about why we collect what we collect and what we will do with it, storage etc etc.

Are we going to be sharing the information with anyone else?

If so, list all parties who will have access to information, what information they will have access to and why they need to have it?

Reports, and Dashboards showing Information on volunteering and usage of the platform will be available to the following parties:

The information available will be restricted to that relevant to the organisation. Access to organisation reporting and data features is restricted to a member of the organisation designated OrgAdmin. Organisations may assign one or more Org Admins.

Organisations registered on the platform will have access to the following information:

All

Volunteer providers

Activity providers

Do we have consent / authority or a legal basis to share the information in this way?

Consent is a condition of using the platform and is indicated by accepting the terms when volunteering.

How have we communicated to individuals how we will be sharing their information and who we will be sharing it with?

A plain English and te reo Māori version of this document will be provided as part of the terms and conditions.

Assurance that the information will be protected by the people / organisations we are sharing it with.

All organisations have to be created in the system by Voluntarily admins and onboarded by providing an OrgAdmin and configuring their profile. This orgAdmin must accept the terms on behalf of their organisation.

Information regarding privacy and the use of voluntarily data and reports will be communicated to organisations when being onboarded.

What will we do when we don’t need the information any longer

Do we know how long we will need to retain the information for? Why is it for this period?

We plan to retain information about opportunities and the interested attendees indefinitely in order that effectiveness over time can be assessed.

When an event is completed then a subset of information about the event is moved to an archive collection along with feedback comments and attendance information. Transitory information such as questions asked, emails or chat discussions, invites sent or withdrawn etc will be discarded.

If a person decides to leave the site their personal information is discarded. To maintain database integrity their account id is retained and their profile details are replaced with anonymised default values, e.g. name: volunteer ABCED.

How will the information be disposed of when it is no longer required?

Any non required records in the database will be deleted. In order to maintain database integrity some keys and non identifying information may be retained.

Termination

Should the Voluntarily platform close down, the information retained in the database will be made available to (The National Library of New Zealand) (TBD?) for long term data retention.

Are we using unique identifiers?

Are we using any specific unique identifiers for individuals as a part of this change (i.e. NSN, Driver Licence)? If so, provide details of what and why we are using them.

Probably not relevant but we should check that no unique identifiers will be created.

Personal email address is used as the unique identifier for a person in the system. However this may be changed along with name and nickname.

A database key is also used internally to identify the person, e.g. 5d957d1094bcb300124d3d4f. This is a MongoDB ObjectId. It is not a sequential integer, but it is not a random string either: its first four bytes are the creation time in seconds, followed by a per-process value and a three-byte counter, so the key reveals roughly when the account was created, and ids generated close together by the same process are adjacent.

This key cannot be used to identify the person in any other system.
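The structure of that key, decoded as an added example (not code from the Voluntarily repository) so the claim can be checked against the id quoted above; the two further ids used to show same-process ordering are constructed for the illustration.

```javascript
'use strict';
// Added example, not code from the Voluntarily repository. Decodes the three
// parts of a MongoDB ObjectId to show what the internal key does and does
// not reveal. The sample id below is the one quoted on this page.
function decodeObjectId(hex) {
  if (!/^[0-9a-f]{24}$/i.test(hex)) throw new Error('ObjectId must be 24 hex characters');
  return {
    // bytes 0-3: seconds since the Unix epoch, big-endian, when the id was generated
    createdAt: new Date(parseInt(hex.slice(0, 8), 16) * 1000),
    // bytes 4-8: value chosen once per process (older drivers: machine id + process id)
    processValue: hex.slice(8, 18),
    // bytes 9-11: counter incremented for each id the process generates
    counter: parseInt(hex.slice(18, 24), 16),
  };
}

// Ids generated by the same process share the middle five bytes and differ
// in the counter (and the timestamp once a second boundary is crossed).
function sameProcess(a, b) {
  return decodeObjectId(a).processValue === decodeObjectId(b).processValue;
}

// Order ids by creation time without consulting the database.
function byCreation(ids) {
  return [...ids].sort((a, b) => decodeObjectId(a).createdAt - decodeObjectId(b).createdAt);
}

// Usage
const id = '5d957d1094bcb300124d3d4f';
console.log(decodeObjectId(id).createdAt.toISOString());   // 2019-10-03T04:46:08.000Z
```

The practical consequence for this document is the one already stated: the key is safe to keep after account closure and says nothing about who the person is, but it should not be described as randomised, and it should not be relied on as an unguessable token.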

Passport and Driver license information may be collected as part of the Police Vetting process. This is not stored in the personal data and not retained once the process has been completed.