What we collect, and why we collect it
We work to collect the minimum amount of data that we need from you to do our jobs within the resources we have, and to protect and use that data in an ethical manner. We are expanding the ways we engage with our supporters, by rebuilding our tech services to ensure that we continue to live up to that commitment.
What data about you do we hold?
There are six categories of data that we may have on people who engage with us.
We are not directly able to minimise this data. We do run a Tor service [https://privacyintyqcroe.onion] that would minimise the invasiveness of the collection of this data.
- Data you disclose because you want to receive our news items on our Action Platform. This includes the email address that you provide to us.
- Biographic data about yourself that you have volunteered when signing up to receive news from us and/or participate in a campaign. This voluntary information could include your name and country of residence.
- Data about your individual interests that you have volunteered when signing up to receive news from us. This is also voluntary. This can be sensitive as it could indicate your beliefs or opinions.
- A record of your engagement with our campaigns. If you engage with our campaigns, e.g. sign a joint letter asking internet companies not to help governments to hack you, we will keep a record of this interaction. This can be sensitive as it could indicate your political beliefs or opinions.
- Data relating to financial donations on our Support Platform. If you donate to us, this is data required to process your donation with our payment processor(s). This may include payment data, biographic data (i.e. name, email address, physical address), and data about your tax residency.
Why do we want data on you?
There is some data that we collect just by you engaging with us (category 1 above for instance). The 'purpose' of processing is to provide you with our website service. We protect this data by, as far as possible, by deleting it with regularity. We don't systematically process the raw data to understand individual people or their behaviour -- though we may (or may be required to) for some exceptional reasons, e.g. investigation into a service error (or a security incident).
We do benefit from this data through some processing, by using analytics. The purpose for which we derive analytics is to help us identify how people are using our website and what content they are engaging most with. This helps us report to our board and funders about the usefulness of our content, and ultimately guide our organisational strategy. We do not seek to identify individuals nor specific devices -- instead we obfuscate the last two octects of the IP address for this processing. More information about the analytics service we use can be found here.
The essential data we collect from you on our Action Platform for our Campaigns (category 2 above) is for the purpose of helping us communicate with our community of supporters. You can share data with us to be notified of specific areas of our work, receive newsletters, and you can also sign petitions, join actions launched by us, amongst other campaigning activities. The purpose is to help you engage with our content and on occasion to help you engage in our campaigns. We ask explicitly whether we can specifically contact you with direct appeals for fundraising purposes.
We give you the option to disclose more data to us on our Action Platform (category 3 above). Having your name helps us address you, and it is entirely optional. This is the difference between Dear Sarah and Dear [blank]. Knowing your country helps us know if we have a substantial number of supporters in a particular country. This would, for example, help us to better understand if we should be creating content in other languages. We do not use this data for additional purposes, nor would we without asking. (Some charities have been profiling supporters, without their consent, for wealth screening for instance.)
Knowing what you're interested in helps us channel content to you, again on our Action Platform (category 4 above). It is entirely optional for you to share this data with us. This data helps identify if you are interested in [human rights protection] in [Latin America and the Caribbean] and want to receive [educational resources]; or notifications about our [collaborative work with International Network] on [technology and security] in [Asia]; or are interested in our [investigations and research] into [government surveillance] in [Kenya]. One purpose of collecting and using this data is to contact you directly if we develop content that we think you may be interested in. A second purpose is to helps us understand what aspects of our work resonate with our supporters.
We will track your participation with our campaigns on our Action Platform (category 5 above). While participation is optional, the nature of the campaigning action may require us to retain data on your participation for specific purposes. So if you signed a petition, we may need to keep a record of the fact that you signed so that we can share this with the petition target. So long as the petition is an active campaign or a reporting artefact your data will be kept by us and made available to others. How your data will be treated in a specific campaign will be explained to you when you sign up. Like the analysis of our log data of website visits (under category 1) it is helpful for PI to know how many people from what kinds of countries with what kinds of interests participated in our campaigns, but the detailed data is not shared with other parties without your consent. We may use this data to contact you about the progress of a campaign. We will seek your consent to contact you about other related campaigns.
Finally, the fact that you donate to us is a huge event at PI. We are incredibly grateful for your support. When you donate on our Support Platform you provide our payment processors with data (see below), who then report back to us with that data. Our server may hold on to some of your data for a short period -- though we restrict to a period less than 14 days. We compile reports received from our payment processors, which may include your name, address, and other data you provided the payment processor with. We limit who has access to this data internally at PI, and who we share this data with, but may have to report your details to our auditors and tax agencies for financial reporting purposes.
How we protect your data
The most significant safeguard is that we minimise the data we hold on you. We work hard to minimise situations where we collect excessive data, and we work hard to only collect data in a fair manner, by directly asking you and reducing what data is mandatory. We also avoid using third party services who procure and process excessive amounts of data. We provide you opportunities to change or delete your data. If you ask for your preferences to change or for data to be deleted, we keep a record that we deleted your data, e.g. (in an analogue way) "firstname.lastname@example.org has unsubscribed from our fundraising notifications and removed his country of residence."
With the exception of the financial data of our donors, all the above-mentioned data resides on our servers, that are all hosted by internet providers in the UK and the European Economic Area, and thus have to abide with EU data protection law. We do the utmost we can to protect this data. We maintain control over the data and do not share it with third parties.
We apply security patches to our services as promptly as reasonably possible -- so if a known vulnerability is corrected by the software developers, or an underlying service, we work hard to ensure our system is updated.
Breaches may occur, despite all these measures. We will notify you as soon as possible of breaches that affect your data.
Finally, we believe that your consent to receive news from us has an expiration period: every two years we will ask you again to sign up to receive news about our work, otherwise we will delete your data.
Financial data, and financial services, are very different
If you donate to us, the ways we are able to protect your data are very different. We again work hard to host our own Support service, and reduce the level of persistent data available on our server. But we necessarily have to rely on other parties.
When you donate on our server, we are providing a portal to third party payment processors. They collect your data and process the payment, and interact with your bank or credit card issuer. If you want your donation to be tax friendly, again more data is required. All this data is under the control of payment processors. Your financial data may be shared with others in the process of payment, as well as our auditors, and possibly tax authorities.
Financial processes grab more data on people than we would like. The purposes for their data collection are broad. Because of changes in laws and the desires of the financial sector, the purposes for which they are collecting your data are broadening, quickly. Though we try to choose payment processors who minimise data processing, we are frustrated by the lack of choices and verifiable protections. They may claim they require more data for more purposes for lengthier periods of time than we can control. This is one reason we advocate for changes in financial surveillance laws and practices.