GDPR
Organisation consents
To comply with GDPR, organisations must have explicit consent from potential volunteers to process and store their details. Therefore new applicants must complete all consent questions when applying for a new opportunity. They can change these at any time from the applicant's portal.
Existing users can update their consents from My details page under the Password & privacy tab.
Parental consent
If an applicant is under the organisation's minor age setting, the parents can set their child's consent preferences when filling out parental consent.
Parents can always update the child's consent preferences using the same link emailed to them.
Expired, invalid and new consents
If an organisation adds a new consent that is compulsory, all users must update their consent preferences before using the Assemble web application.
If the user's consents expire, e.g. permission has an expiry period of six months, and the user gave their consent six months ago, then the consent must be updated.
The system will send a notification to the user 30 days before consent preferences are due to expire.
If a user is underthe minor age, the email will also be sent to their parent/guardian.
If a user was under the minor age and then becomes an adult, the system will also send an email notification to remind that the consents are expiring and must be updated.
Subject access request
If you have permission you can request a SAR for another user you have access to from the details page. The system will send an email with a passworded zip folder that contains all the user tabular data as an excel file and any files/attachments in the appropriate folders.
What happens with volunteers' data
Volunteers:
Volunteers can access the "My data" page by clicking on their profile picture on the top right.
"My data" is a page that summarises how users' data is used and stored. It also has links to their organisation's terms and other useful links.
In addition there's a link on the leaving form which gives the user information about what happens with their data when they leave the organisation.
Applicants:
- Click on the help section on the applicants portal
- Select the "withdrawn application" option
- Then hover over "What happens to my data if I leave...?"
Anonymisation
Anonymisation is the process of removing any information that may be allow them to be identified either directly or indirectly. This process will happen automatically within Assemble at different times and for different reasons. Anonymised records cannot be recovered.
Request anonymisation
An inactive user's record can be anonymised if they ask for their data to be removed from the system. The required permission is linked to the Superuser one and is normally reserved for the organisation's Assemble administrator(s). The option to 'Request anonymisation' will be available on an inactive record under the Other... dropdown. This will happen by the next day.
Automatic anonymisation
Each organisation sets the automatic anonymisation timescales according to their own data retention policy. Below are the default timescales that apply if the organisation does not set their own.
- Application form data, where the applicant has been cleared, will be anonymised six months after they are cleared to start eg application questions, reference details etc. Data that is automatically transferred to the user record will remain with the application eg custom fields, contact details etc.
- Applications that are closed (applicant not selected or application withdrawn) will be anonymised one month after the date they are marked as closed
- Inactive users will be anonymised 84 months (7 years) after their record became inactive ie 7 years after they leave their last volunteering role with your organisation
- Export contents are deleted after three hours
- Records of imports are anonymised after seven days if the data was successfully added to the relevant fields in Assemble, 30 days if not.