data_retention.yaml 16.9 KB (committed by Luke Plant)
# Data retention policy
# ----------------------

# About this document
# ~~~~~~~~~~~~~~~~~~~

# This is CCiW's official policy on how long we keep personal data in our
# database, and which data can be deleted at the request of the "data subject"
# (the person the data is about).

# The format of this document is unusual because this document is both a human-
# readable document and a machine-readable file that is automatically read and
# applied by our software that handles data retention. Lines beginning with a
# '#' like this one are 'comments' that are skipped by the software that reads
# it. The remainder is definitions and instructions that are interpreted and
# applied by the software.

# This format has some disadvantages - it is slightly unusual and harder to
# understand at first - but it also has a lot of advantages:

# - This actually is the data retention policy. Many organisations' "data
#   retention policy" is in fact what their policy is supposed to be, and what
#   actually happens could be completely different.

# - There is no possibility of the CCiW committee updating a policy document but
#   failing to communicate that to the web developers, because there is only a
#   single policy document.

# - This document is automatically checked for validity and completeness. If we
#   add a new table or column in the database, but don't add a retention policy
#   for it here, our automated checks will spot this and force us to define a
#   policy.

# Changes to this document:

#   Where there are implications for the privacy/retention of personal data,
#   changes must only be done with the permission of the CCiW committee, and in
#   conformance with GDPR and other data protection laws.

# --- Deletion mechanisms ---
#
# There are different ways we could delete data from a database.
#
# - blanking out details, e.g. replace text with `[deleted]`. This enables us to
#   keep some details in a row, while removing others, and is usually the
#   preferred method.
#
# - removing entire rows of data. This generally makes it harder to keep
#   statistics (e.g. totals, averages) about what happened, and we usually
#   prefer not to do this, but where we have no need of the stats it's fine.
#
# - other more complicated methods, discussed as needed.
#

# --- Structure and contents ---
#
# We have the following groups of data:
#
# - Camper and officer data to keep forever
# - Deletable camper and parent booking data
# - Deletable officer data
# - Temporary data
# - Non-personal data

# For each group, we start by defining the rules that will be applied, then by
# listing the tables and columns it applies to.
#
# All groups have an implicit rule: data which is still in use should not be
# deleted. (For example, the address of a person who still owes us money). Rules
# for determining which data is in use are not defined in this document.

# -------------------------------

- group: Camper and officer data to keep forever

  # The CCiW committee have decided that there is some data that we will keep
  # forever. The main purposes for this are:

  # - future legal defence needs for criminal or civil cases
  #
  # - being able to cooperate fully and helpfully with any criminal investigations
  #   into allegations of abuse or neglect that happened on camp
  #
  # - being able to defend the good reputation of CCiW

  # For these reasons, we need our records to have:

  # - complete lists of campers on each camp (with enough names to be able to
  #   identify campers)
  #
  # - complete lists of officers on each camp
  #
  # - information about what medical information parents supplied (needed e.g. for
  #   accusations of medical negligence)
  #
  # - most officer application form data and all reference data
  #
  # - records showing our due diligence regarding DBS checks etc.

  # As per exceptions allowed in GDPR for these purposes, this policy overrides
  # "right to erasure" of data subjects.
  #
  # However, CCiW will consider prioritising "right to erasure" even for this data
  # if there are special considerations.

  rules:
    keep: forever
    deletable on request from data subject: no

  tables:
    - name: bookings.BookingAccount  # This table stores info about the person making the booking
      columns:
      - name  # full name of the person

    - name: bookings.Booking  # This table stores the rest of the booking information
      columns:
      - first_name  # of the camper
      - last_name
      - sex

      - camp

      # Medical/dietary/health information:
      - dietary_requirements
      - medical_card_number
      - last_tetanus_injection_date
      - allergies
      - regular_medication_required
      - illnesses
      - can_swim_25m
      - learning_difficulties
      - serious_illness

      # Agreements
      - agreement
      - publicity_photos_agreement
      - custom_agreements_checked

    - name: accounts.User  # These users are officers/leaders/other CCiW volunteers
      columns:
      - username
      - first_name
      - last_name

    - name: officers.Invitation  # This stores the link between officers and camps i.e. the officer list
      columns: all

    - name: officers.Application  # Data entered by officer on application form
      columns:
      - full_name
      - christian_experience
      - youth_experience
      - youth_work_declined
      - youth_work_declined_details
      - relevant_illness
      - illness_details
      - dietary_requirements
      - crime_declaration
      - crime_details
      - court_declaration
      - court_details
      - concern_declaration
      - concern_details
      - allegation_declaration
      - dbs_number
      - dbs_check_consent
      - finished

    - name: officers.Qualification  # Qualification list that is part of application form
      columns: all

    - name: officers.Referee  # Referee data entered on the application form
      columns:
      - referee_number
      - name
      - capacity_known
      - address
      - tel
      - mobile
      - email

    - name: officers.Reference  # Actual reference entered by referee
      columns: all

    - name: officers.DBSCheck
      columns:
      - dbs_number
      - check_type
      - completed
      - requested_by
      - other_organisation
      - applicant_accepted
      - registered_with_dbs_update


# -------------------------------

- group: Deletable camper and parent booking data

  # It is useful for campers/parents if we keep booking data for several years,
  # since this will massively speed up the process of them filling in booking
  # forms in subsequent years. But we will delete earlier if requested. We also
  # check that information is not needed for business reasons (e.g. chasing
  # payment) before deleting.

  rules:
    keep: 5 years
    deletable on request from data subject: yes

  tables:
    - name: bookings.BookingAccount
      columns:
      - email
      - address_line1
      - address_line2
      - address_city
      - address_county
      - address_country
      - address_post_code
      - phone_number
      - share_phone_number
      - email_communication
      - subscribe_to_mailings
      - subscribe_to_newsletter

    - name: bookings.Booking
      columns:
      - date_of_birth
      - address_line1
      - address_line2
      - address_city
      - address_county
      - address_country
      - address_post_code
      - phone_number
      - email
      - church
      - contact_name
      - contact_line1
      - contact_line2
      - contact_city
      - contact_county
      - contact_country
      - contact_post_code
      - contact_phone_number
      - gp_name
      - gp_line1
      - gp_line2
      - gp_city
      - gp_county
      - gp_country
      - gp_post_code
      - gp_phone_number

      deletion methods:
        # It is useful for our statistics and records to know the approx age of
        # campers on camp. So here we configure a custom deletion method that
        # chooses a date of birth that preserves the calculated "age on
        # camp" while anonymising the real date.
        date_of_birth: preserve age on camp

    - name: ipn.PayPalIPN
      # This contains all the data PayPal sends to us about a payment,
      # some of which are address details that we can remove
      columns:
      # Many of these names are badly chosen (by PayPal)
      - payer_business_name
      - payer_email
      - address_country
      - address_city
      - address_country_code
      - address_name
      - address_state
      - address_status
      - address_street
      - address_zip
      - contact_phone


- group: Deletable camper and parent booking data - supporting information

  # A second set of camper-related information is "Supporting information". This
  # is almost always documents that relate to a camper's application for custom
  # discounts. We keep this for 3 years, because it relates to finances and as a
  # charity we should keep these records for 3 years.

  rules:
    keep: 3 years
    deletable on request from data subject: no

  tables:
    - name: bookings.SupportingInformation
      columns:
      - from_name
      - from_email
      - from_telephone
      - notes

    - name: bookings.SupportingInformationDocument
      columns:
      - filename
      - mimetype
      - size
      - content


# -------------------------------

- group: Deletable officer data

  # It is usually most useful for us to keep officer data indefinitely, because
  # this avoids officers needing to re-enter data. However, with exceptions noted
  # above, we can observe "right to erasure" for some officer data:

  rules:
    keep: forever  # by default, i.e. indefinitely
    deletable on request from data subject: yes

  tables:
    - name: accounts.User
      columns:
      - password
      - contact_phone_number

    - name: officers.Application
      columns:
      - birth_date
      - birth_place
      - address_firstline
      - address_town
      - address_county
      - address_postcode
      - address_country
      - address_tel
      - address_mobile
      - address_email


# -------------------------------

- group: Temporary data

  # Various pieces of data that we don't need forever, and could contain personal
  # data.

  rules:
    keep: 1 year
    deletable on request from data subject: no  # It is not directly linked to any data subject

  tables:
    # Outgoing emails:
    - name: mailer.Message
      delete row: yes  # Delete entire rows, rather than just blanking out details.
    - name: mailer.MessageLog
      delete row: yes
    # Incoming mails from "contact us" page:
    - name: contact_us.Message
      delete row: yes

# -------------------------------

- group: Non-personal data

  # This includes:

  # - data related to bookings and officers that is not entered by the user themselves,
  #   nor is personal in nature, but is internal book-keeping data (first section)
  #
  # - many other tables of data for various business purposes

  # The purpose of listing this is so that we have an exhaustive list of all
  # tables/columns. If any new tables or columns are added to the system, but a
  # policy is not defined in this file, an automatic check will stop deployment
  # until the policy is defined.

  rules:
    keep: forever
    deletable on request from data subject: no

  tables:
    # -- Related to personal data, but data that is managed internally --
    - name: bookings.BookingAccount
      columns:
      - total_received
      - created_at
      - first_login
      - last_login
      - last_payment_reminder

    - name: bookings.Booking
      columns:
      - south_wales_transport
      - price_type
      - early_bird_discount
      - booked_at
      - amount_due
      - shelved
      - state
      - created_at
      - booking_expires
      - created_online

    - name: accounts.User
      columns:
      - last_login
      - email
      - is_staff
      - is_active
      - date_joined
      - is_superuser
      - bad_password
      - password_validators_used

    # This table contains information displayed publicly on the website relating
    # to leaders/chaplains on camps.
    - name: cciwmain.Person
      columns:
      - name
      - info
      - users

    - name: officers.Application
      columns:
      - date_saved

    - name: bookings.SupportingInformation
      columns:
      - created_at
      - date_received

    - name: bookings.SupportingInformationDocument
      columns:
      - created_at


    # -- Entirely non-personal data --

    # Our tables
    - name: accounts.Role
      columns: all
    - name: bookings.Price
      columns: all
    - name: bookings.Payment
      columns: all
    - name: bookings.ManualPayment
      columns: all
    - name: bookings.RefundPayment
      columns: all
    - name: bookings.WriteOffDebt
      columns: all
    - name: bookings.AccountTransferPayment
      columns: all
    - name: bookings.CustomAgreement
      columns: all
    - name: bookings.SupportingInformationType
      columns: all
    - name: cciwmain.Site
      columns: all
    - name: cciwmain.CampName
      columns: all
    - name: cciwmain.Camp
      columns: all
    - name: sitecontent.MenuLink
      columns: all
    - name: sitecontent.HtmlChunk
      columns: all
    - name: officers.QualificationType
      columns: all
    - name: officers.ReferenceAction
      columns: all
    - name: officers.DBSActionLog
      columns: all
    - name: ipn.PayPalIPN
      columns:
      # Column names here are often confusing; this is due
      # to choices by PayPal, not us :-(
      - business  # email address of the person being paid i.e. us
      - charset
      - custom  # contains custom data that links to BookingAccount
      - notify_version
      - parent_txn_id
      - receiver_email
      - receiver_id
      - residence_country
      - test_ipn
      - txn_id
      - txn_type
      - verify_sign
      - first_name
      - last_name
      - payer_id
      - auth_amount
      - auth_exp
      - auth_id
      - auth_status
      - exchange_rate
      - invoice
      - item_name
      - item_number
      - mc_currency
      - mc_fee
      - mc_gross
      - mc_handling
      - mc_shipping
      - memo
      - num_cart_items
      - option_name1
      - option_name2
      - option_selection1
      - option_selection2
      - payer_status
      - payment_date
      - payment_gross
      - payment_status
      - payment_type
      - pending_reason
      - protection_eligibility
      - quantity
      - reason_code
      - remaining_settle
      - settle_amount
      - settle_currency
      - shipping
      - shipping_method
      - tax
      - transaction_entity
      - auction_buyer_id
      - auction_closing_date
      - auction_multi_item
      - for_auction
      - amount
      - amount_per_cycle
      - initial_payment_amount
      - next_payment_date
      - outstanding_balance
      - payment_cycle
      - period_type
      - product_name
      - product_type
      - profile_status
      - recurring_payment_id
      - rp_invoice_id
      - time_created
      - amount1
      - amount2
      - amount3
      - mc_amount1
      - mc_amount2
      - mc_amount3
      - password
      - period1
      - period2
      - period3
      - reattempt
      - recur_times
      - recurring
      - retry_at
      - subscr_date
      - subscr_effective
      - subscr_id
      - username
      - mp_id
      - case_creation_date
      - case_id
      - case_type
      - receipt_id
      - currency_code
      - handling_amount
      - transaction_subject
      - ipaddress
      - flag
      - flag_code
      - flag_info
      - query
      - response
      - created_at
      - updated_at
      - from_view
    # Core django tables
    - name: admin.LogEntry
      columns: all
    - name: auth.Permission
      columns: all
    - name: auth.Group
      columns: all
    - name: contenttypes.ContentType
      columns: all
    - name: sessions.Session
      columns: all
    - name: sites.Site
      columns: all
    # Wiki related tables
    - name: thumbnail.KVStore
      columns: all
    - name: wiki.Article
      columns: all
    - name: wiki.ArticleForObject
      columns: all
    - name: wiki.ArticleRevision
      columns: all
    - name: wiki.ArticlePlugin
      columns: all
    - name: wiki.ReusablePlugin
      columns: all
    - name: wiki.SimplePlugin
      columns: all
    - name: wiki.RevisionPlugin
      columns: all
    - name: wiki.RevisionPluginRevision
      columns: all
    - name: wiki.URLPath
      columns: all
    - name: wiki_attachments.Attachment
      columns: all
    - name: wiki_attachments.AttachmentRevision
      columns: all
    - name: wiki_notifications.ArticleSubscription
      columns: all
    - name: wiki_images.Image
      columns: all
    - name: wiki_images.ImageRevision
      columns: all
    - name: django_nyt.NotificationType
      columns: all
    - name: django_nyt.Settings
      columns: all
    - name: django_nyt.Subscription
      columns: all
    - name: django_nyt.Notification
      columns: all
    # Outgoing emails
    - name: mailer.DontSendEntry
      columns: all
    # Other
    - name: captcha.CaptchaStore
      columns: all
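The comments at the top of the file and in the "Non-personal data" group say that this policy is machine-read and automatically checked for validity and completeness: every table and column in the database must be covered here, or deployment is stopped. The following is an added example, not CCiW's own tooling, of what such a reader and check can look like: a small parser for the subset of the layout used in this file (groups, rules, tables with `columns`, `columns: all`, `delete row` and `deletion methods`), and a check that every (table, column) pair in a schema is covered by exactly one group. The sample policy text, the schema dictionary and all function names are constructed for the example; the real tool's names and implementation are not known from this page.

```python
# Added example (not CCiW's code): a reader for the subset of the
# data_retention.yaml layout used above, plus the completeness check the
# policy describes (every column in the schema covered by exactly one group).

def parse_policy(text):
    """Parse '- group:' / 'rules:' / 'tables:' blocks into plain dicts."""
    groups, group, table = [], None, None
    section, table_indent = None, 0
    in_columns = in_methods = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # '#' starts a comment
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if item.startswith("- group:"):
            group = {"group": item.split(":", 1)[1].strip(), "rules": {}, "tables": []}
            groups.append(group)
            section = table = None
            in_columns = in_methods = False
        elif item == "rules:":
            section = "rules"
        elif item == "tables:":
            section = "tables"
        elif item.startswith("- name:"):
            table = {"name": item.split(":", 1)[1].strip(), "columns": [],
                     "delete row": False, "deletion methods": {}}
            group["tables"].append(table)
            table_indent, in_columns, in_methods = indent, False, False
        elif item == "columns: all":
            table["columns"] = "all"
        elif item == "columns:":
            in_columns, in_methods = True, False
        elif item == "deletion methods:":
            in_methods, in_columns = True, False
        elif item.startswith("- ") and in_columns:
            table["columns"].append(item[2:].strip())
        else:
            key, _, value = item.partition(":")
            key, value = key.strip(), value.strip()
            if section == "rules":
                group["rules"][key] = value
            elif in_methods and indent > table_indent + 2:   # nested under 'deletion methods:'
                table["deletion methods"][key] = value
            elif key == "delete row":
                table["delete row"] = value == "yes"
                in_columns = in_methods = False
            else:
                raise ValueError(f"unrecognised line: {raw!r}")
    return groups


def check_policy(groups, schema):
    """schema: {table: set(columns)} as found in the database. Returns a list
    of problems; an empty list means the policy is complete and consistent."""
    problems, covered = [], {}
    for g in groups:
        for t in g["tables"]:
            name = t["name"]
            if name not in schema:
                problems.append(f"{name}: policy names a table that does not exist")
                continue
            whole = t["columns"] == "all" or t["delete row"]   # whole-table entries cover every column
            for c in (sorted(schema[name]) if whole else t["columns"]):
                if c not in schema[name]:
                    problems.append(f"{name}.{c}: policy names a column that does not exist")
                elif (name, c) in covered:
                    problems.append(f"{name}.{c}: covered by both {covered[name, c]!r} and {g['group']!r}")
                else:
                    covered[name, c] = g["group"]
    for name, cols in schema.items():
        problems += [f"{name}.{c}: no retention policy defined"
                     for c in sorted(cols) if (name, c) not in covered]
    return problems


# Constructed sample policy in the same layout as the file above.
SAMPLE_POLICY = """\
- group: Camper data to keep forever
  rules:
    keep: forever
    deletable on request from data subject: no
  tables:
    - name: bookings.Booking  # a comment, ignored by the reader
      columns:
      - first_name
      - last_name
- group: Deletable camper data
  rules:
    keep: 5 years
    deletable on request from data subject: yes
  tables:
    - name: bookings.Booking
      columns:
      - date_of_birth
      - email
      - first_name
      deletion methods:
        date_of_birth: preserve age on camp
- group: Temporary data
  rules:
    keep: 1 year
    deletable on request from data subject: no
  tables:
    - name: mailer.Message
      delete row: yes
"""
# Constructed schema: 'church' has no policy and 'first_name' is listed twice.
SAMPLE_SCHEMA = {"bookings.Booking": {"first_name", "last_name", "date_of_birth", "email", "church"},
                 "mailer.Message": {"to_address", "body"}}

if __name__ == "__main__":
    for problem in check_policy(parse_policy(SAMPLE_POLICY), SAMPLE_SCHEMA):
        print(problem)
```

Run against the sample, the check reports both the column with no policy and the column claimed by two groups; a deployment gate would refuse to proceed while that list is non-empty. The parser deliberately rejects any line it does not recognise rather than skipping it, so a typo in a rule key cannot silently drop a policy.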
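The comments above describe how the rules are meant to be applied: `keep` periods such as `5 years` or `forever`, the implicit rule that data still in use is never deleted, blanking details with `[deleted]` versus deleting whole rows, the custom `preserve age on camp` method for `date_of_birth`, and `deletable on request from data subject`. The block below is an added example, not CCiW's code, that applies those rules to a constructed booking row. The choice of 1 January as the replacement date of birth is an assumption made for the example: the page only says that the calculated age on camp must be preserved, not which replacement date is used.

```python
# Added example (not CCiW's code): applying retention rules and deletion
# mechanisms from a data_retention.yaml-style group to a database row.
from datetime import date

DELETED = "[deleted]"   # the blanking marker the policy comments mention


def parse_keep(value):
    """'forever' -> None (keep indefinitely); '5 years' / '1 year' -> 5 / 1."""
    if value == "forever":
        return None
    count, unit = value.split()
    if unit not in ("year", "years"):
        raise ValueError(f"unsupported keep period: {value!r}")
    return int(count)


def add_years(d, years):
    """d plus a number of years, with 29 February falling back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def is_expired(rules, last_used, today, in_use=False):
    """True when the keep period has passed. Implicit rule from the policy:
    data still in use (e.g. money is owed) never expires."""
    if in_use:
        return False
    years = parse_keep(rules["keep"])
    return years is not None and today >= add_years(last_used, years)


def age_on_camp(dob, camp_start):
    """Whole years of age on the first day of camp."""
    had_birthday = (camp_start.month, camp_start.day) >= (dob.month, dob.day)
    return camp_start.year - dob.year - (0 if had_birthday else 1)


def preserve_age_on_camp(dob, camp_start):
    """Anonymised date of birth with the same age on camp. Assumption for this
    example: 1 January of the matching year."""
    return date(camp_start.year - age_on_camp(dob, camp_start), 1, 1)


def apply_deletion(table_policy, row, camp_start=None):
    """Blank the listed columns (or use the column's custom deletion method);
    return None when the policy says to delete the whole row."""
    if table_policy.get("delete row"):
        return None
    methods = table_policy.get("deletion methods", {})
    new_row = dict(row)
    for column in table_policy["columns"]:
        if methods.get(column) == "preserve age on camp":
            new_row[column] = preserve_age_on_camp(row[column], camp_start)
        elif isinstance(row[column], str):
            new_row[column] = DELETED
        else:
            new_row[column] = None
    return new_row


def erasure_allowed(group, in_use=False):
    """Right to erasure is honoured only where the group's rules say 'yes'
    and the data is no longer in use."""
    return group["rules"]["deletable on request from data subject"] == "yes" and not in_use


def erase_on_request(group, table_policy, row, camp_start=None, in_use=False):
    if not erasure_allowed(group, in_use):
        raise PermissionError(f"{group['group']!r}: erasure not permitted at this time")
    return apply_deletion(table_policy, row, camp_start)


# Constructed samples mirroring two of the groups above, with shorter column lists.
DELETABLE_BOOKING = {
    "group": "Deletable camper and parent booking data",
    "rules": {"keep": "5 years", "deletable on request from data subject": "yes"},
    "tables": [{"name": "bookings.Booking",
                "columns": ["date_of_birth", "email", "church"],
                "deletion methods": {"date_of_birth": "preserve age on camp"}}],
}
KEEP_FOREVER = {
    "group": "Camper and officer data to keep forever",
    "rules": {"keep": "forever", "deletable on request from data subject": "no"},
    "tables": [{"name": "bookings.Booking", "columns": ["first_name"]}],
}
SAMPLE_ROW = {"first_name": "Sam", "date_of_birth": date(2008, 9, 15),
              "email": "parent@example.com", "church": "Example Church", "amount_due": 0}
CAMP_START = date(2020, 8, 3)
BOOKED_AT = date(2019, 8, 1)
LEAP_DAY = date(2020, 2, 29)

if __name__ == "__main__":
    print(apply_deletion(DELETABLE_BOOKING["tables"][0], SAMPLE_ROW, CAMP_START))
```

Only the columns the group lists are touched, so `first_name` (kept forever by another group) survives while `email` and `church` are blanked and `date_of_birth` becomes a date that still gives the same age on camp. The `in_use` flag stands in for the "still in use" rule, which the file says is defined elsewhere.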