This page explains the issues relating to NomadIT holding your data on behalf of current clients (ASA, CESS, CHAM, EAJS, EASA, EASST, ECAS, RAI, SIEF & WCAA) and previous clients (APA, EASAS, EurASEAA, IUAES, SLAS, TAG) and other academic organisations/conferences. Information on membership/conferences is held centrally in a secure online database, providing greater data security, cheaper more efficient administration, and the potential for enhanced membership facilities - such as searchable online directories, live editing of personal entries, & editing of panel/paper abstracts.
NomadIT is working to ensure privacy compliance by embedding the principles of GDPR (transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality and accountability) in its approach to your data. We are implementing obligatory opt-in explanation/tickboxes across all our data gathering forms. You can read more below.
The NomadIT system holds individual and organisation contact information, membership subscriptions, conference registrations, academic background/interests, panel/paper abstracts, and a record of payments made. The only 'private' data held is a contact's mobile phone number. This number will not be made publicly available, and is only held in order to facilitate contact by SMS during/en route to conferences - a function which has proved useful in past events. We are currently working on removing data on gender, physical addresses (except where required for journal mailings), and phone numbers from our dataset and forms. The only sensitive data held is the date of birth.
The system requests your date of birth, to facilitate recognition. If the combination of name and DoB is recognised by the system when completing an online form, it will bring up your existing contact information. This recognition system saves time on repeat visits (memberships/conferences); allows correlation between membership and registration; prevents double subscription/registration; while facilitating online editing of membership records, papers, etc. The DoB is not made public, nor considered in any decision-making/admin processes. A recognition system relying on name only would be prone to error and would allow others to access your contact details easily. Our aim is to avoid your having to use a more 'normal' set of credentials (username and password) which all recent experience suggests increase the security risk to other more important data held in other systems, due to the common practice of reusing such credentials on multiple systems. The hacking of large corporations on a regular basis over the past decades has shown how this is a major problem with conventional approaches to security. The DoB alone is insufficient to onward hack other more important online/financial accounts.
We however recognise that some consider date of birth to be 'security-sensitive'. You are not obliged to supply your real DoB - as long as you use the same DoB each time, it doesn't matter. Using your real DoB has the advantage of being easy to remember.
The data collected will only be used for the purpose for which it is provided. This is deemed to be for invoicing/receipting of subscriptions/registration fees; and for mailings/email, relating either directly to the organisation/conference itself, or occasionally to news deemed of potential interest to the membership/conference (such as jobs, upcoming conferences, book releases, academic publishing promotions). The data will not be disclosed to any third parties. Data will not be shared between different NomadIT clients, unless there is a relevant agreement (for example when running a bilateral conference), and NomadIT are instructed to do so by the agreeing parties.
Data subjects may request a copy of the personal information held about them,
by emailing the organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Access
Request' in the subject line.
Data subjects may request that their personal information be removed from our system, by emailing the organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Date Removal Request' in the subject line.
If Data subjects have any concerns about their data security they may write about these to info(at)nomadit.co.uk.
In the last few years we moved to gathering Funding application data via Google Forms. This data is stored securely within the NomadIT Google suite (Drive). The information is held for up to two years after the conclusion of a conference, in order that we can answer questions regarding due process within funding allocation, from sponsors/funders/executive committees/applicants. After that it is deleted, and all that remains stored in conference accounts is a list of names, affiiliations, and email addresses of those funded and the amounts received.
We also use Google forms to gather Student volunteer data for conferences - this data is deleted two years after a conference is concluded.
We store conference account spreadsheets on Drive, and these files contain ledgers of payments received, funding allocated, and a full list of delegates. This data is required for accounting purposes and is not removed after a time. However the delegate data held is limited to name, institutional affiliation, country and email.
NomadIT backs up its main database and all websites and retains backup data for up to three years, after which those backups are destroyed.
The data controller is the organisation/conference with whom the
membership/conference registration is made: NomadIT works on the
organisation's/conference's behalf. As non-profit organisations the
organisations/conferences are not obliged to notify the Information Commissioner
of their holding data, although they are obliged to follow the GDPR and the Data Protection
Act of 1998. The essence of that Act is detailed below.
If you have any complaints/enquiries, please email the relevant organisation/conference directly (see their specific websites for contact info); alternatively you can contact info(at)nomadit.co.uk if you wish to discuss issues relating to Data protection.
The Data Protection Act 1998 sets out eight rules that data controllers must follow for protecting personal information. Personal data must be:
If a data controller's processing of personal information does not comply with the principles, the Information Commissioner can take enforcement action against that data controller.