VATSSA Data Protection and Handling Policy


Effective 14 September 2021
Renewed 13 Jun 2022 (with no changes)

VATSSA collects a range of personal data on members, both at the time of joining and while a member is connected to the VATSIM network for the purpose of ensuring the efficient functioning of the network. This data includes:

- The member’s full name
- The simulated Air Traffic Control and/or Pilot Rating they have obtained via training with the VATSIM network
- Positions of responsibility held within the network, including level of access

This information is stored in a secure database. Signin is made through the VATSIM SSO, and so the VATSIM Data Protection Handling Policy also applies.

VATSSA has an complete commitment to:

- Comply with both the law and good practice
- Respect individuals’ rights including:
- - The right of access
- - The right of rectification
- - The right to object
- - The right to suspend protest
- - The right of erasure
- Be open and honest with individuals whose data is held
- Notify the relevant data protection authorities voluntarily, even if this is not required

Overall responsibility for ensuring data protection and overall compliance with the relevant standards and legislation rests with the staff members of the VATSSA, specifically VATSSA Division Director.

All staff are required to read, understand, and accept any policies and procedures that relate to the personal data they may handle in the course of their work within VATSIM as detailed in this policy. VATSSA expect the highest standard of probity of all staff at all levels. No access to data is to take place unless there is a valid network related reason for such access.

VATSSA has a zero-tolerance policy towards inappropriate access to data stored. Any such access will result in the individual concerned being prohibited from having access for a minimum period of 10 years. This may also involve alerting the VATSIM Board of Governors to the access.

VATSSA employs access monitoring systems to ensure that access is not being abused and can be tracked back to a specific individual.

VATSSA employs standard SSL encryption to safeguard data. VATSSA also implements additional change-audit scripts and monitors to provide visibility into server and network activity.

Passwords are not stored by VATSSA. These are held by VATSIM and are not made available to VATSSA through the sign-in process.

In order to ensure continuity, VATSSA retains data backups of relevant systems to ensure a speedy recovery of impacted systems while maintaining data integrity and security.

The main specific risks to the security of data are:
- Phishing attacks to gain network access or CERT access
- Access by means of trojan or keylogging programmes on member’s systems
- Access by upset staff members who have been granted access is also a risk.

Mitigation of the first two risks is by encouraging members who have a higher level of access to ensure they adhere to good security practices on their personal systems. The last risk is mitigated by access logging and reverting changes made by those who misuse access.

A VATSSA member may request an update of his/her retained information by making a request in writing to VATSSA1.

Data is stored in standard databases. Access is via a custom-built web-based interface.

VATSSA data is retained indefinitely unless removal is requested from VATSSA1, as outlined in this policy.

Data may be transferred to other organisations with the VATSIM network to provide services to enhance and extend the simulated aviation environment, or as required by law through a court order.

Requests for personal data under the Right of Access are the responsibility of the Division Director and their team. Such requests are required to be complied with within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSSA1, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.

Right of access requests must be in writing. Members are requested to make their written request via the VATSSA Discord Server to VATSSA1 in the form of a private message.

If staff at a lower level receive anything that might reasonably be construed to be a request for access they have a responsibility to pass this to VATSSA1 without delay.

Where the person managing the access procedure does not know the individual personally there should be provision for checking their identity before handing over any information.

VATSSA will not charge any fee for providing data for requests under the Right of Access.

Because of the sensitive nature of who makes a comment on a record, as well as ensuring there is no retaliation or harassment against VATSSA Staff, and to protect the privacy of staff members, names of those staff who have made entries in VATSSA records, along with any security measures adopted by VATSSA, are redacted before sending records to the member.

Where there is a dispute between a member and VATSSA over the accuracy of data, VATGOV4 shall be empowered to make any final decision on whether to alter data or not. This decision should be communicated to the member making the request within one calendar month of the request having been made.

VATSSA asserts that it has a legitimate interest in collecting and storing the personal data outlined above. The reasons for this claim are:
- VATSSA is a voluntary community promoting flight simulation and virtual air traffic control, and all members seeking to join have an obvious interest in such activities.
- The data collected is the minimum required to allow for the smooth and optimal running of the division, solely for the enjoyment of its members.
- That the data is necessary to allow for the expected interactions between simulated air traffic controllers on the network to take place.
- That the data is necessary to allow for VATSSA staff to properly manage the department, both in day to day operations, and in circumstances where a member(s) may act in a manner contrary to the VATSIM User Agreement, Code of Regulations and/or Code of Conduct.
- That as all members have a shared interest in these aims that the collection of such data should be reasonably expected by all members.

Notwithstanding VATSIM’s claim of legitimate interest, members may at their discretion object to this claim and/or request that VATSSA cease processing of a member’s personal data. These two rights are known as the Right to Object, and the Right to Restrict Processing.

Members must be aware that if they choose to exercise either of these rights VATSSA is obliged to remove the user from the division in order to comply with their wishes and they will be unable to opersate within VATSSA.

Requests for deletion of personal data under the Right of Erasure are the responsibility of VATSSA1 and their team. Such requests are required to be complied with within one calendar month of the request being received.

If circumstances prevent this from occurring, an extension of a further two months may be instituted by VATSSA, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.

Right of erasure requests must be in writing. Members are requested to make their written request via the VATSSA Discord channel to VATSSA1 by private message.

On receipt of a verbal request for erasure staff concerned should immediately ask the member making the request to confirm the request in writing.

If staff at a lower level receive anything that might reasonably be construed to be a request for erasure, they have a responsibility to pass this to VATSSA1 without delay.

Where the person managing the erasure procedure does not know the individual personally there should be provision for checking their identity before deleting any information.

VATSSA will not charge any fee for deleting data under the Right of Erasure.

VATSSA shall evaluate all requests for erasure. VATSSA reserves the right to retain any data that it believes is in it’s legitimate interest to do so, or that is required to establish, exercise, or defend any legal claims.

All staff who have access to any kind of personal data should have their responsibilities outlined during their induction procedures. Formal guidance on data access and use of data is detailed within the website.

If there are opportunities to raise Data Protection issues during staff training, team meetings, supervisions, etc. these shall be undertaken.

Copyright © 2022 VATSSA. All rights reserved.