stakeholder map DPAP - Githubissues

Feedback from Kit below. This now needs to be incorporated into the DPAP materials and emails/online notices.

1) Internal planning map Legal basis legitimate interests and your LIA covers this. 2) Public facing map It looks like you are intending to operate this on a consent basis. We need to ensure that the consent is fully informed (privacy notice – see below) and an affirmative opt-in rather than an opt-out. You’ll need to obtain recordable evidence of the stakeholder opting in - email reply, button in an email etc. You’ll probably be envisaging making a communication to your network for both 1) and 2) on the following lines, please tweak my wording where required to make sure it’s accurate:

The TRIC-DT network stakeholder map The Turing is constructing a stakeholder map to visualise and plan around the TRIC-DT network. As a contributor to the Turing's programme, you will be included on the internal map to manage and analyse resources in the project. The data will include your name, professional photo image (if provided), affiliation and connections with other stakeholders.
For our programme planning purposes, we will maintain internal records covering assessments of influence, engagement levels and relationship strategy.

We would like to maintain a public facing version of the map to support the public profile of the project which includes only your name, professional image, affiliation and connections with other stakeholders. Your details will only be displayed online if you authorise us to, and we will remove it on your instruction.

Please confirm ‘I am happy for my name and affiliation to be presented on the public facing map’ (by clicking this button / by reply to this email). ‘I am happy for my professional image to be used (please send to us or provide a link)’ You can remove your inclusion on the map whenever you want to.

The Turing will use the Kumu tool to create the map. Kumu will store the data but only for Turing purposes and according to the Turing's instructions. For the Turing's general privacy notice, please see the following link: https://www.turing.ac.uk/privacy-policy

Software Review From a data protection perspective, the tool is acceptable. Kumu is US based but the EU-US data transfers are covered by their adherence to the EU-US Data Privacy framework https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000CbxCAAS&status=Active

We might want to ask them for their data processing agreement We offer a data processing addendum (DPA) for our customers who are working with data from people in the EU that is regulated by GDPR and does not fall under one of the specific processing exemptions. Our DPA offers contractual terms that satisfy GDPR requirements and reflect our data privacy and security commitments to our customers. Please email privacy@kumu.io to request our DPA. https://kumu.io/gdpr

Are you looking at a Pro package? Onsite storage? https://kumu.io/pricing - UPDATE: Yes, kumu have provided a free pro account.

This will be one for IT Security (Zarif Mohammed) to take a look at. https://kumu.io/security

The decision to purchase / install won’t be a data protection one, but a governance one. I do not think there is a high risk with this data, which is professional focussed and in many ways recreates what might already be derived from LinkedIn or institutional / project websites.

Kumu have generously provided us with research student discount! This supports three private projects for 12 months (until 20/12/2024)

[ ] Kumu DPA for review

alan-turing-institute / tric-dt

stakeholder map DPAP #44

Summary Sentence

What needs to be done?

Who can help?

Update after the issue was opened

The Turing will use the Kumu tool to create the map. Kumu will store the data but only for Turing purposes and according to the Turing's instructions. For the Turing's general privacy notice, please see the following link: https://www.turing.ac.uk/privacy-policy