Data Protection & Handling Policy – v1.1
Created by Maher Abaza [24.01.2019]
Updated to v1.1 by Maher Abaza [27.01.2019]
Since the European General Data Protection Regulation has come to effect in May of 2018, VATSIM has to comply with it seeing that a large portion of the users is Europe-based. VATSIM Middle East Division represented on the web with its service VATAME HQ System also has to comply, hence this policy.
Refer to the VATSIM Data Protection & Handling Policy for details.
The purpose of this policy can be outlined in the following points:
- To comply with the European General Data Protection Regulations.
- To protect the organization of VATSIM as a whole.
- To protect the users of the network (whether staff, pilots or controllers), specifically in VATME.
- To present with transparency the data gathered and handled by the HQ System and VATME Staff.
The European GDPR makes VATSIM as a whole and VATME specifically committed to the users to give the following rights:
- The right to be informed – you get to know what information we are processing about you and why.
- The right of access – you can know and access the personal data we are processing about you.
- The right to rectification – if we store data that is inaccurate, you have the right to correct it.
- The right to erasure – in certain circumstances, you have the right to "be forgotten".
- The right to portability – you can obtain and reuse your personal data for your own purposes on other services.
- The right to object – you can tell us that you do not want your data to be processed.
Since VATAME HQ System uses the VATSIM SSO service, it automatically has access to the following user data:
- The member’s full name
- Their country of residence
- Their age (but not their birthdate)
- Their history of connections to the network, including their IP address and additional security information to protect the integrity of the network
- The simulated Air Traffic Control and/or Pilot Rating they have obtained via training with the VATSIM network
- Positions of responsibility held within the network, including the level of access
- Their history of any breaches of the VATSIM User Agreement, Code of Regulations and Code of Conduct, to which all members agree to be bound by upon joining
Overall responsibility for ensuring data protection and overall compliance with the relevant standards and legislation rests collectively with the VATSIM Board of Governors.
There is no appointed Data Protection Officer within VATSIM as the organisation does not regularly process data on a large scale, due to the nature of the data that is collected and controlled, and the circumstances in which it is collected.
Several members of the Board of Governors have specific responsibilities to oversee others accessing personal data collected by VATSIM:
- VP Regions – Regional and Divisional Staff
- VP Membership – Membership Staff
- VP Conflict Resolution – Conflict Resolution Staff
- VP Supervisors – The VATSIM Supervisory teams
- VP Network Systems – Control of stored data
- VP Web Services – Remote access to, and control of stored data
Other members of the Board of Governors may from time to time be tasked with specific responsibilities pertaining to the control and storage of data.
All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work within VATSIM as detailed in this policy. VATSIM expect the highest standard of the probity of all staff at all levels. No access to data is to take place unless there is a valid network-related reason for such access.
VATSIM has a zero-tolerance policy towards inappropriate access to data stored within the CERT system. Any such access will result in the individual concerned being prohibited from having further CERT access for a minimum period of 10 years. This may also preclude the member concerned from holding positions of responsibility within the network.
VATSIM's Security policy applies to all servers belonging to or donated to the VATSIM network, including, but not limited to Network FSD Servers, Data Servers, Statistic Servers, or Web Servers.
VATSIM operates on a segmented security approach, where only the access required with approval by the VATSIM Board of Governors to complete a required job function is granted.
VATSIM employs access monitoring systems to ensure that access is not being abused and can be traced back to a specific individual.
VATSIM employs standard SSL encryption to safeguard data. VATSIM also implements additional change-audit scripts and monitors to provide visibility into server and network activity.
IP Address and Key based security settings are used to only allow server access to authorized servers.
Passwords are stored as hashed encrypted data wherever possible. As a general principle passwords are not to be stored as plain text.
VATAME HQ System does not have access to VATSIM CERT data, hence not storing any data.
VATAME HQ System does not store any password data from the VATSIM servers. It only grants access to those who sign in using the VATSIM SSO.
In order to ensure business continuity, VATSIM retains data backups of relevant systems to ensure a speedy recovery of impacted systems while maintaining data integrity and security.
Access to these backups is granted only to authorized individuals.
The main specific risks to the security of data are:
- Phishing attacks to gain network access or CERT access,
- Access by means of trojan or keylogging programmes on member’s systems, and
- Access by upset staff members who have been granted access is also a risk
Mitigation of the first two risks is by encouraging members who have a higher level of access to ensure they adhere to good security practices on their personal systems. The last risk is mitigated by access logging and reverting changes made by those who misuse access.
VATSIM data is deemed to be accurate across all systems. However, due to the nature of Network Operations, some human-led mistakes may occur.
A VATSIM Member may request an update of his/her retained information by making a request in writing to the Vice President of Membership.
The final authority to update such information shall be at the sole discretion of the VATSIM Board of Governors.
VATAME HQ system users may open a new support ticket directed to the VATSIM Africa & Middle East Region staff to request an update of their information.
Data is stored in standard relational databases. Access is via a custom-built web-based interface.
VATSIM data is retained indefinitely unless removal is requested from a VATSIM member, as outlined in this policy.
VATSIM does not archive any data at this point in time, as data is currently retained indefinitely.
VATSIM is committed to ensuring all members are aware of what data is collected and why we do so.
- As outlined in the statement of legitimate interests, data is collected for the purpose of ensuring the provision of, and smooth operation of the VATSIM network so that members can jointly enjoy the simulated aviation environment it provides.
- Data may be transferred to other organisations affiliated with or associated with, the network to provide services to enhance and extend the simulated aviation environment.
Details on how to exercise rights in relation to the data held are detailed in the relevant sections of this policy.
All staff within VATSIM are responsible for members data at all times. The various departments most closely associated with members data are the VATSIM Supervisors and Administrators, the Conflict Resolution staff, the Membership staff, and the staff of Regions and Divisions.
Where staff require to use data for statistical and management purposes aggregated pseudonymised data should be used where possible.
Requests for personal data under the Right of Access are the responsibility of VP Membership and their team. Such requests are required to be complied with within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSIM, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
The right of access requests must be in writing (this includes via electronic mail to the address specified on the VATSIM.net website).
If the staff at a lower level receive anything that might reasonably be construed to be a request for access they have a responsibility to pass this to the Membership Manager responsible for their Region, Division, or lower subunit without delay, or refer this to the VATSIM Membership Department.
Furthermore, if right of access requests are made to vACC/Division staff within VATAME Region with a specific target of , users are able to access their own data by going to list item Members > Membership > My Data or by clicking the link here.
As mentioned in Section 4.3 VATAME HQ System does NOT hold nor have access to VATSIM CERT data. The data users can access are mostly public (i.e CID, Name, ATC Rating...) and some private data from VATSIM SSO (i.e email...).
Where the person managing the access procedure does not know the individual personally there should be provision for checking their identity before handing over any information.
VATSIM will not charge any fee for providing data for requests under the Right of Access.
The VP Membership is responsible for handling requests under the Right of Access provisions.
Requests will be made via the Membership Department Ticket system, who will then proof read the data and send it to the member making the request.
Because of the sensitive nature of who makes a comment on a CERT record, as well as ensuring there is no retaliation or harassment against VATSIM Staff, and to protect the privacy of staff members, names of those staff who have made entries in CERT records, along with any security measures adopted by VATSIM, are redacted before sending it to the member.
Accurate data is in the best interests of both the network and the membership. The VP Membership is responsible for the management of such requests.
The right of rectification requests should in the first instance be made via the self-help system on the membership dashboard section of the VATSIM.net website by the member. If a member is unable to rectify their data via this system, they should raise a ticket using the same system.
If the staff at a lower level receive anything that might reasonably be construed to be a request for rectification they have a responsibility to direct the member to the membership dashboard.
Where there is a dispute between a member and VATSIM over the accuracy of data, the VP Membership shall be empowered to make any final decision on whether to alter data or not. This decision should be communicated to the member making the request within one calendar month of the request having been made.
VATSIM will not charge any fee for requests under the Right of Rectification.
VATSIM asserts that it has a legitimate interest in collecting and storing the personal data outlined above. The reasons for this claim are:
- VATSIM is a voluntary community promoting flight simulations and virtual air traffic control, and all members seeking to join have an obvious interest in such activities.
- The data collected is the minimum required to allow for the smooth and optimal running of the network, solely for the enjoyment of its members.
- That the data is necessary to allow for the expected interactions between simulated pilots and air traffic controllers on the network to take place.
- That the data is necessary to allow for VATSIM staff to properly manage the network, both in a day to day operations, and in circumstances where a member(s) may act in a manner contrary to the VATSIM User Agreement, Code of Regulations and/or Code of Conduct.
- That as all members have a shared interest in these aims that the collection of such data should be reasonably expected by all members.
VATSIM accepts membership from any individual over the age of 13 years. Members under the age of 16 years require the consent of a parent or guardian in order for their personal data to be stored. Members under the age of 16 will be asked to provide such written permission. Members found to have falsified such permission will have their account suspended until they can prove to the membership department they have attained the age of 16 years.
No person under the age of 13 years shall be permitted to join the network. Any member found to have joined under the age of 13 years shall have their membership suspended until they have attained the age of 13 years and provided parental or guardian consent or have attained the age of 16 years.
Notwithstanding VATSIM’s claim of legitimate interest, members may at their discretion object to this claim and/or request that VATSIM cease processing of a member’s personal data. These two rights are known as the Right to Object, and the Right to Restrict Processing.
Members must be aware that if they choose to exercise either of these rights VATSIM is obliged to lock their accounts in order to comply with their wishes and they will be unable to connect to the network or to any service that relies on the VATSIM Single Sign On (SSO) system.
While a notification of an objection to VATSIM’s claim of legitimate interest, or a request to suspend processing may be made at any time, such claims may not be made retrospectively.
Requests for deletion of personal data under the Right of Erasure are the responsibility of VP Membership and their team. Such requests are required to be complied with within one calendar month of the request being received.
If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSIM, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.
The right of erasure requests should be in writing (this includes via electronic mail to the address specified on the VATSIM.net website).
On receipt of a verbal request for erasure staff concerned should immediately ask the member making the request to confirm the request in writing.
If the staff at a lower level receive anything that might reasonably be construed to be a request for erasure they have a responsibility to pass this to the Membership Manager responsible for their Region, Division, or lower subunit without delay.
If VATAME HQ System users wish to erase their data from it, a request is made as specified above to the concerned parties. Then a support ticket should be opened on VATAME HQ System by a Board of Governors member or a VATSIM Membership Team member, directed to the Division staff concerned for the erasure request to be verified. This shall be processed within a week of receiving the support ticket on VATAME HQ System.
Where the person managing the erasure procedure does not know the individual personally there should be provision for checking their identity before deleting any information.
VATSIM will not charge any fee for deleting data under the Right of Erasure.
VATSIM shall evaluate all requests for erasure. VATSIM reserves the right to retain any data that it believes is in its legitimate interest to do so, or that is required to establish, exercise, or defend any legal claims.
End of Document