Virtual Region Convention
Data Protection Policy
Virtual Region Convention of OvereatersAnonymous is committed to protecting the rights and freedoms of all individuals in relation to the processing of their personal data and provides the DataProtection policy for everyone to follow.
- Governing Law and Jurisdiction
- Scope of this policy
- Definitions
- Processing
- Personal data
- Sensitive personal data
- GDPR data protection principles
- Data Protection Responsibilities
- Prohibited activities
- Implications of breaching this policy
- Version
Scope of this policy
The Virtual Region Convention (VRC) needs to collect and keep certain types of information about the people with whom it deals. This includes designated VR Board members, the VRC Chair or Co-Chairs, CommitteeChair and members, Subcommittee Chairs and members and other OA members. TheVRC needs to process this information for a variety of reasons, such as to record who has attended meetings, distribute notifications and share contact details for members who provide translations and service.
The Virtual Region uses reasonable efforts to comply with the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area, when processing this kind of information. To this end, a VR policy has been developed which sets out the obligations of designatedVR Board members, the VRC Chair [or where there are VRC Co-Chairs, the Co-Chair designated as the person responsible for the protection of privacy and of personal data], Committee Chair and members, Subcommittee Chairs and members and other OA members.
This policy and the principles of the GDPR apply to all personal information handled by the VRC, both that are held in paper files and electronically. So long as the processing of the data is carried out for VRC purposes, this policy also applies regardless of where data is held,(for example, it covers data held on shared cloud storage service providers such as Dropbox folders and on mobile devices such as mobile phones or laptops)and regardless of who owns the PC/device on which it is stored.
To comply with the law, personal information is to be collected and used fairly, stored safely and not disclosed unlawfully.
Governing and Law and Jurisdiction
The Virtual Region is organized and incorporated as a not for profit entity under the laws of the State of New Mexico, the United States of America.
This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, United States of America.
The Virtual Region, all Board members (who act as directors of the Virtual Region) and any other persons designated by the Board in terms of the Bylaws of the Virtual Region to undertake various service for the Virtual Region, agree that the courts of NewMexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other VR policies, or their subject matter.
Definitions
Processing
'Processing' data is widely defined and includes every plausible form of action that could be taken in relation to the data such as obtaining, recording, keeping, or using it in anyway; sharing or disclosing it; erasing and destroying it.
Personal data
Data which relates to a living individual who can be identified from that data or from that data and other information which may be in the possession of the person who has access to the data.
Sensitive Personal data
Sensitive personal data is personal data consisting of information relating to any of the following 9 categories:
- race or ethnic origin of the data subject
- their political opinions
- their religious beliefs or other beliefs of a similar nature
- whether they are a member of a trade union
- their genetic or biometric data
- their physical or mental health or condition
- their sexual life
- any commission or alleged commission by them of any offence
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
VRC will rarely have access to sensitive personal date, save for the fact that any member of OA has, by reason of declaring their membership, shared information about their physical or mental health or condition or spiritual beliefs, or that any member of OA who is a speaker at the VRC shares information, of their own volition, which amounts to sensitive personal data.
Particular care should be taken in collection and in processing sensitive personal data.
GDPR data protection principles
Anyone using personal data is to take reasonable efforts to comply with the six Data Protection Principles set out in
Article 5 of the GDPR. These Principles define how personal data can be legally processed. In summary these stat that personal data is to be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- collected for specified explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
- accurate and kept up to date (‘accuracy’).
- kept for no longer than is necessary (‘storage limitation’).
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Consent to share information outside EU
The Virtual Region covers all geographical areas, extending beyond the EU to include all countries and territories. This means that VRC Officers, trustees, OA members, and Committee and SubcommitteeChairs and Co-Chairs, and members who are based outside the EU may receive personal data via VRC. Some of these countries where members are based may have data protection policies akin to the GDPR and others may not. In these latter circumstances the GDPR requires specific consent to be obtained from data subjects in order to permit their personal data to be processed. Such consent will be sought.
Data Protection Responsibilities
Designated Board members of the VR have the responsibility of carrying out and/or overseeing the work of VRC, as directed by the Chair, or where applicable the Co-Chairs of the Convention, and in accordance with the VirtualRegion Bylaws and the Policy and Procedure Manual. This will involve the processing of personal data. Other OA members may carry out service which will require them to process personal data, and may also have access to and may process personal data when attending the VRC, or participating in the work of VRC.
All Virtual Region Convention Service fellows are to:
- Be mindful of thefact that individuals have the right to see their ‘personal data’ if they askto see it. They should not therefore record comments or other data aboutindividuals which they would not be comfortable in the individual seeing,either in emails or elsewhere.
- Immediately reportthe matter to the VRC Chair [ or where there are VRC Co-Chairs, to the Co-Chairdesignated as the person responsible for the protection of privacy and ofpersonal data], if they find any lost or discarded data which they believecontains personal data, (for example, may include a memory stick).
- Immediatelyreport the matter to the VRC Chair [ or where there are VRC Co-Chairs, to theCo-Chair designated as the person responsible for the protection of privacy andof personal data], if they become aware that personal data has beenaccidentally lost or stolen, inadvertently disclosed (for example, if theirlaptop is stolen or their phone is lost and it has personal data stored on it)or if they are notified by their email provider of any data breach related tothe personal data in their emails.
- Hold the contentsof any personal data which comes into their possession securely.
- Use reasonableefforts to ensure that any personal data they record or provide to VRC (forexample, their contact details as a meeting or group or service board representative)is accurate.
- Notify the VRC Chair[ or where there are VRC Co-Chairs, to the Co-Chair designated as the person responsiblefor the protection of privacy and of personal data], promptly of any changes totheir personal data (for example, change of address or email address, or end ofservice position).
- Only ever obtainor use personal data relating to third parties for approved OA purposes.
The VRC Chair [ or where there are VRC Co-Chairs, the VRCCo-Chair designated as the person responsible for the protection of privacy and of personal data] is to use reasonable efforts to:
Ensure that they only ever process personal data in accordance with the GDPRand in particular follow the six Principles it contains. The key requirements are:
- Fair processing –for example, use reasonable efforts to ensure that the individual consents to theirdata being used and knows what it will be used for, and to ensure that it is notsubsequently used for something else,
- Data Security – usereasonable efforts to ensure any personal data which is held is always kept anddisposed of securely, (taking into account any cyber security considerations). Theinformation security policy should be followed.
- Non-disclosure – usereasonable efforts to ensure personal data is not disclosed to any unauthorisedthird party.
Familiarize themselves with this guidance and other data protection policies int he policy document and take reasonable efforts to follow them at all times.
Be mindful of the scope of Data Protection. This includes that fact that ‘personal data’ is widely defined, (and so will cover for example comments made about an individual in an email to someone else), and the fact that it covers data held on remote devices(such as tablets and on mobile phones) regardless of who owns the actual device and where the device is stored.
Seek advice whenever a new or novel form of processing personal data is contemplated or if any data protection related concerns ever arise.
Prohibited activities
The following activities are strictly prohibited:
- using data obtainedfor one purpose for another supplemental purpose (for example, using contact detailsprovided for meeting attendance purposes for marketing purposes); and
- disclosing personaldata to a third person outside of VR and its service work, without the consent ofthe data subject, save where this is specified or is required by law, in which lattercase the data subject will be informed prior to disclosure, unless this is prohibited,or proves impossible (e.g. where contact details are not available or are not working).
Implications of breaching this policy
The designated VR Board members, the VRC Chairor Co-Chairs where applicable, Committee Chair and members, Subcommittee Chairs and members and other OA members giving service for the VRC will take reasonable efforts to comply with this data protection policy.
Any breach of this policy will be considered to be a serious matter, and may result in an officer or fellow being removed from their service position.
Also, OA is a 12-step fellowship, and so any unauthorized disclosure of personal data would also stand outside our 12th tradition of anonymity. This may be very damaging to fellows, and also undermines the fellowship and so limits our ability to carry the message of recovery.
Version
This 2nd version of the “Data ProtectionPolicy” was updated on behalf of the VRC Chair on 10 January 2021.
Any questions about this policy or any queries concerning data protection matters should be raised with the Chair of the VRC or, where there are Co-Chairs of the VRC, to the Co-Chair designated as the person responsible for the protection of privacy and of personal data, at
privacy@oavirtualconvention.org.
