Note: comments in [square brackets] are not part of the policy and are only to clarify it and the intentions of its writers.
Article 1. The eslcc recognises that some of its projects, in particular those related to the school, may involve access to or use of personal information.
Article 2. The eslcc recognises the sensitivity of this information and the damage that could be done if it were to be made public or otherwise used in an irresponsible manner.
Article 3. Therefore, to have a consistent framework for use of this information, the eslcc has drawn up this policy.
Article 4. "Personal information" is information that can uniquely be linked to a given person, either alone or in combination with other information. [This definition is intentionally very broad, as the scope of information is also broad.]
Article 5. "Information class" is the type of data contained in the personal information (e.g. full names, dates of birth, phone numbers, addresses, etc.). The information may contain multiple classes.
Article 6. "Stakeholders" are entities that give the eslcc access to personal information.
Article 7. "External resources" are resources, computer or otherwise, where personal information is stored.
Article 8. Personal information shall not be used at all except when absolutely necessary.
Article 9. For each application involving the use of personal information, the eslcc shall appoint a data controller. They shall have the responsibility of controlling access to the information according to this policy. They shall be the point of contact with all questions regarding access and use of the information. As this is a high-trust position, its appointment shall not be taken lightly.
Article 10. The data controller shall be the first to take possession of the information, and they shall be the last to destroy it when it is no longer necessary.
Article 11. When personal information has to be used, the people with access to it shall be limited to only those with an absolute need to have access. These people must have read, understood, and agreed to this policy. The list of people with authorisation to access information shall be controlled by the data controller. Only when they have agreed to the policy will the data controller issue them with a copy of the information and/or access to any external resources.
Article 12. The data controller shall control access to external resources in the same manner as they control access to copies of the information.
Article 13. The data controller shall ensure that these people use the data only within the scope of the project it is associated with, and only in a responsible manner. Should this point be violated, the data controller shall have the right to revoke their access to the information in accordance with Article 16.
Article 14. The information must be stored securely while in use. The security measures surrounding it must be of sufficient strength, depending on the class of the information stored. Whether or not a security measure is sufficient shall be determined by the data controller.
Article 15. At the conclusion of a project, when the information is no longer necessary, the data controller shall revoke the access of everyone with access to it, in accordance with Article 16. When this process is complete, the data controller shall destroy their copy and notify all stakeholders that all copies have been destroyed.
Article 16. The data controller shall have the right to revoke anyone's access to the information if they violate this policy or if they no longer have a need to have access to the information. If someone's access to the information is revoked by the data controller, they must immediately destroy all copies of the information in their possession, and the data controller must revoke their access to external resources where the information is stored. Failure to follow this point may result in expulsion from the eslcc, as well as other measures by both the eslcc and any stakeholders.
Article 17. Should the security or privacy of the personal information be breached, the data controller must notify all stakeholders immediately, and discuss with them the steps to be taken. This can include, but is not limited to, temporarily disabling all applications that facilitated or were otherwise involved in the breach, re-auditing the need to know of everyone with access to the information, and notifying all persons whose information was breached. No matter what steps are taken, the data controller must be able, in good faith, to reassure both the stakeholders and the persons whose data was involved that it will be secure in the future. The privacy of the people must be ensured by any means necessary.