Privacy

This page explains the issues relating to NomadIT holding your data on behalf of current clients (ASA, CESS, DSA, EAJS, EASA, EASST, ECAS, RAI, SIEF & WCAA) and previous clients (AfricaKnows, APA, CHAM, EASAS, EurASEAA, IUAES, SLAS, SPA, TAG, WOCAL) and other academic organisations/conferences. Information on membership/conferences is held centrally in a secure online database, providing greater data security, cheaper more efficient administration, and the potential for enhanced membership/conference facilities - such as searchable online directories, live editing of personal entries, a fully-feature abstract management and registration system.

GDPR

NomadIT complies with the requirements and principles of GDPR (transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality and accountability) in its approach to your data. NomadIT is registered with the Information Commissioner's Office (ICO) in the UK.

Data held and its sensitivity

The NomadIT system holds individual and organisation contact information, membership subscriptions, conference registrations, academic background/interests, panel/paper abstracts, and a record of payments made.  The only 'private' data held is a contact's mobile phone number which is not made publicly available, and is held in order to facilitate contact by SMS during/en route to conferences - a function which has proved useful in past events. We are currently working on removing physical address data (except where required for journal mailings) from our dataset and forms. The only sensitive data held is the date of birth, and this only in records created before 2020.

Date of birth (DoB)

Prior to changes made in 2020, our system requested a date of birth to facilitate login. The DoB did not have to be the real DoB, nor was it made public, nor considered in any decision-making/admin processes.  We have since updated our login to use a more conventional email and password pair, so DoB is no longer gathered, and as older accounts are upgraded, it is being removed.

Purpose of holding data

The data collected will only be used for the purpose for which it is provided.   This is deemed to be for invoicing/receipting of subscriptions/registration fees; and for mailings/email, relating either directly to the organisation/conference itself, or occasionally to news deemed of potential interest to the membership/conference (such as jobs, upcoming conferences, book releases, academic publishing promotions).  The data is held on behalf of our clients and is not disclosed to third parties. Personal data is not shared between NomadIT clients, unless there is a relevant agreement (for example when running a bilateral conference), and NomadIT are instructed to do so by the agreeing parties.

Data subjects (access and/or removal)

Data subjects may request a copy of the personal information held about them, by emailing the organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Access Request' in the subject line.
Data subjects may request that their personal information be removed from our system, by emailing the organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Date Removal Request' in the subject line.
If Data subjects have any concerns about their data security they may write about these to info(at)nomadit.co.uk.

Server locations

NomadIT currently uses two servers located in California, an Amazon email server located in Eire, a Google Drive server located in the US; and makes use of other software such as Zoom, Shindig, Whova, Pheedloop most of whom use servers in the US. In all cases we look for compliance with GDPR or the principles of GDPR. We are also migrating our main server use to Germany, and reducing our use of Google Drive.

Data relating to Funding applications for conferences

We usually gather Funding application data via forms - previously Google Forms and now either NextCloud or Budibase forms hosted on our own server. This data is stored securely within NomadIT's Google Workspace (Drive). The information is held for up to two years after the conclusion of a conference, in order that we can answer questions regarding due process within funding allocation, from sponsors/funders/executive committees/applicants. After that it is deleted, and all that remains stored in conference accounts is a list of names, affiiliations, and email addresses of those funded and the amounts received.

Other data on Google Drive

We also use Google forms to gather Student volunteer data for conferences - this data is deleted two years after a conference is concluded.
We store conference account spreadsheets on Drive, and these files contain ledgers of payments received, funding allocated, and a full list of delegates. This data is required for accounting purposes and is not removed after a time. However the delegate data held is limited to name, institutional affiliation, country and email. Again we are working on migrating most of our data to our own NextCloud server in Germany.

Backups

NomadIT backs up its main database and all websites and retains backup data for up to three years, after which those backups are destroyed.

The data controller

NomadIT functions as the data controller on behalf of the organisation/conference with whom the membership/conference registration is made. NomadIT is registered with the Information Commissioner (No. ZA811094), and follows both GDPR and the Data Protection Act of 1998. The essence of that Act is detailed below.
If you have any complaints/enquiries, please email the relevant organisation/conference directly (see their specific websites for contact info); alternatively you can contact info(at)nomadit.co.uk if you wish to discuss issues relating to Data protection.

The eight principles

The Data Protection Act 1998 sets out eight rules that data controllers must follow for protecting personal information. Personal data must be:

• processed fairly and lawfully
• processed only for one or more specified and lawful purpose
• adequate, relevant and not excessive for those purposes
• accurate and kept up to date - data subjects have the right to have inaccurate personal data corrected or destroyed if the personal information is inaccurate to any matter of fact
• kept for no longer than is necessary for the purposes it is being processed
• processed in line with the rights of individuals - this includes the right to be informed of all the information held about them, to prevent processing of their personal information for marketing purposes, and to compensation if they can prove they have been damaged by a data controller's non-compliance with the Act
• secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf
• not transferred to countries outside the European Economic Area - the EU plus Norway, Iceland and Liechtenstein - that do not have adequate protection for individual's personal information, unless a condition from Schedule four of the Act can be met

If a data controller's processing of personal information does not comply with the principles, the Information Commissioner can take enforcement action against that data controller.

NomadIT 2022