Data protection. Pilotech practices in short
Answering these questions:
- What data are we collecting?
- Where are we storing the data?
- How do we protect and document the data?
- How long do we keep the data?
- Do we have a function for every piece of data?
- What is the process for honoring a request to delete data?
- Other questions you’ll need to focus on, but are of less importance.
Pilotech focuses on the first six questions. Pilotech has Data Protection Agreements (DPA) with all customers and sub-vendors.
What are we collecting? There are two categories of personal data.
- The first is just your standard stuff, anything that can be used to identify an individual:
  - Email Address
  - IP Address (No)
  - Phone Number
  - Social Security Number (No)
  - ID numbers (only internal id numbers)
  - Role in emergency organization
  - Log data of activities
- Then there is something called special categories of personal information, which pertains to:
  - Racial or ethnic origins (No)
  - Health information (No)
  - Political Opinions (No)
  - Religious Beliefs (No)
  - Union Activity (No)
  - Sexual or Gender Identity (No)
This second category requires special legal bases to process. Additionally, if you possess any personal data on children under the age of 16 you will need parental consent. None of these in category 2 are applicable in InCaseIT. We collect none of these data elements.
Where are we storing the data? The GDPR requires you to document where you’re storing the personal data of EU citizens. For the sake of this audit, “where” refers to both a geographic location as well as what kind of mechanism you’re using to store it—whether that’s in emails, documents, databases, backups, email lists, etc.
All customer data is stored in the InCaseIT database system. The exact location is at the cloud servers of AddPro AB in Malmö, Sweden. A replica is stored at City Cloud AB in Karlskrona, Sweden. These information elements are stored in a MySQL database.
What safeguards are in place protecting the data Pilotech stores on behalf of our customers? To access the data you must enter a user ID and a one-time password, which is sent to the user at a stored email address and SMS phone number. The password is not stored in the system. Individual access to parts of your site is based on permissions set by the customer itself (admin users).
Is InCaseIT collecting this data over a secured HTTPS connection? All data transportation is encrypted. Messages are protected with encryption, but in the end the messaging is no more secure than normal email and SMS.
Pilotech has regular audits by cyber security experts to evaluate our handling of data on behalf of our customers. These reports are available at Pilotech HQ upon request.
How long do we keep the data? The maximum amount of time an organization should store data for is ill-defined. The EU simply says to retain data “no longer than necessary.” The GDPR wants you to dispose of personal data once it has served its purpose, but without any timelines it can be difficult to figure out what an appropriate length of time to keep personal data is. Part of the reason for this is that different organizations have different needs, and a blanket approach wouldn’t fit very well. Pilotech practices the policy that each customer should decide what is appropriate for itself. Normally InCaseIT is a slave of the customer's HR/AD system. However, different customers may have different needs for documentation of crisis training. Since InCaseIT only stores basic personal information such as mobile numbers, email etc., and no passport numbers, bank accounts, social security numbers etc., there is no need for Pilotech to remind customers to delete unnecessary personal information. Pilotech itself has no use for these information elements.
Extra evaluation issues:
- The value of the information is of limited interest, both now and in the future.
- The costs and risks of continuing to store the data are low.
- It is easy to keep it maintained and accurate through a synchronisation.
- Only the customer is using the data. The only exception is that Pilotech may use the contact information to inform the users of new releases and product updates.
- InCaseIT does not collect data that is unnecessary for the customers' crisis management operation.
Deletion of personal data
Pilotech has established procedures to permanently delete the requested personal information at the customer's request.
If a customer terminates a contract, Pilotech will remove the customer's personal data and access to the stored information. Upon request, the customer can get a copy of the data in an agreed format.