Data Protection and Handling Policy

Introduction

Purpose of this policy

This policy has been put in place to achieve the following aims:

  • To comply with the law, particularly the EU General Data Protection Regulation.
  • To ensure good data protection practice.
  • To protect members, staff, and other individuals.
  • To protect the organisation.

Types of data

BAVirtual collects a range of personal data on members at the time of joining. This data includes:

  • The date of application.
  • Full name as registered with VATSIM.
  • Date of birth and, therefore, age.
  • E-mail address.
  • VATSIM network ID. Applicants must be a VATSIM member to join BAVirtual as outlined in the BAVirtual Policy.
  • Country and city of residence.
  • IP address from the location where the application is submitted.

A list of members and their registered names is available to all other members when logged in to BAVMS.

In addition, whilst connected to the BAVirtual server via Merlin, information specific to the simulated aviation operation at that time is collected. Personal information is only visible behind password protection and is not publicly visible. Whilst the ACARS system is visible publicly, only membership IDs are stated and no personal details can be seen in relation to the visible ID unless the member is logged in. Once logged in, members' names and IDs are visible on the ACARS system, being linked to details of the flight being conducted by each member.

Policy Statement

BAVirtual has an unequivocal commitment to:

  • Comply with both the law and good practice.
  • Respect individuals' rights, including:
      • The right of access.
      • The right of rectification.
      • The right to object.
      • The right to suspend processing.
      • The right of erasure.
  • Be open and honest with individuals whose data is held.
  • Provide training and support for staff who handle personal data, so that they can act confidently and consistently.
  • Notify the relevant data protection authorities voluntarily, even if this is not required.

Key risks are detailed in the Specific Risks paragraph below.

Responsibilities

The Board of Directors

Overall responsibility for ensuring data protection and overall compliance with the relevant standards and legislation rests collectively with the BAVirtual Board of Directors.

Data Protection Officer

There is no appointed Data Protection Officer within BAVirtual as the organisation does not regularly process data on a large scale, due to the nature of the data that is collected and controlled, and the circumstances in which it is collected.

Specific Directors with access to personal details

Several members of the Board of Directors have specific responsibilities requiring access to membership details. They also oversee other staff members accessing personal data collected by BAVirtual:

CEO – The CEO, as the leader of the VA, has access to members' details, which may be required when carrying out his duties in overseeing the running of the VA.

Director of Membership – in order to process applications to join BAVirtual and manage membership issues for existing members, has full access to all personal details held about existing members and people who apply to join BAVirtual.

Director of Technical Services – oversees all technical aspects of running BAVirtual, including managing members' accounts and the permissions of staff members to those accounts. Other members of the Board of Directors may from time to time be tasked with specific responsibilities pertaining to the control and storage of data.

Staff & Volunteers

All staff members are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work within BAVirtual, as detailed in this policy. BAVirtual expects the highest standard of probity of all staff at all levels. No access to data is to take place unless there is a valid reason for such access.

Enforcement

BAVirtual has a zero-tolerance policy towards inappropriate access to data stored on our secure server. Any such access will result in the individual concerned being prohibited from having further access for a minimum period of 10 years. This may result in the member being excluded from BAVirtual.

Security

Scope

BAVirtual's Security policy applies to all servers belonging to BAVirtual, including, but not limited to, data servers, statistics servers and web servers.

Setting security levels

BAVirtual operates a segmented security approach, where only the access required to complete a given job function is granted, with the approval of the BAVirtual Board of Directors. BAVirtual employs access monitoring systems to ensure that access is not being abused and can be traced back to a specific individual.

Security measures

BAVirtual employs standard SSL and TLS encryption to safeguard data in transit. BAVirtual also implements additional change-audit scripts and monitors to provide visibility into server and network activity. IP-address-based and key-based access controls are used so that only authorised personnel can access the servers. Passwords are stored in hashed form wherever possible. As a general principle, passwords are not to be stored as plain text.

Business continuity

In order to ensure business continuity, BAVirtual retains data backups of relevant systems to ensure recovery of impacted systems while maintaining data integrity and security. Access to these backups is granted only to authorized individuals.

Specific risks

The main specific risks to the security of data are:

  • Phishing attacks to gain account access;
  • Access by means of Trojan or keylogging programmes on members' systems;
  • Inappropriate or unauthorised access to non-entitled data by staff members who have been granted system access.

Mitigation of the first two risks is by encouraging members who have a higher level of access to ensure they adhere to good security practices on their personal systems. The last risk is mitigated by training, access logging and reverting changes made by those who misuse access.

Data recording and storage

Accuracy

BAVirtual data is deemed to be accurate across all systems. However due to the nature of Network Operations, some human-led mistakes may occur.

Updating

A BAVirtual member may request an update of his/her retained information by making a request in writing to the Director of Membership by raising a Ticket. The final authority to update such information shall be at the sole discretion of the Director of Membership. Tickets may be raised at https://support.bavirtual.co.uk/.

Storage

Data is stored in standard relational databases. Access is via a custom-built web based interface.

Retention periods

BAVirtual data is retained indefinitely unless removal is requested by a BAVirtual member, as outlined in this policy.

Archiving

BAVirtual does not archive any data.

Transparency

Commitment

BAVirtual is committed to ensuring all members are aware of what data is collected and why we do so. As outlined in the statement of legitimate interests, data is collected for the purpose of ensuring the provision of and smooth operation of BAVirtual as a VA so that members can jointly enjoy the simulated aviation environment it provides. Data will not be shared with third parties unless we are required to do so in law.

Procedures

Details of how to exercise rights in relation to the data held are set out in the relevant sections of this policy.

Responsibility

All staff within BAVirtual are responsible for members' data at all times. The departments most closely associated with members' data are those of the BAVirtual Directors highlighted above, and their associated staff. Where staff need to use data for statistical and management purposes, aggregated pseudonymised data should be used where possible.

Right of Access

Responsibility

Requests for personal data under the Right of Access are the responsibility of the Membership Team. Such requests are required to be complied with within one month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by BAVirtual, providing that the member making the request is informed of this fact before the expiration of the original one month deadline.

Procedure for making request

Right of access requests must be in writing, preferably via Ticket (https://support.bavirtual.co.uk/). If a staff member at a lower level receives anything that might reasonably be construed to be a request for access they have a responsibility to pass this to the Director of Membership without delay.

Provision for verifying identity

Where the person managing the access procedure does not know the individual personally there should be provision for checking their identity before handing over any information.

Charging

BAVirtual does not charge any fee for providing data for requests under the Right of Access.

Procedure for granting access

The Director of Membership is responsible for handling requests under the Right of Access provisions. Requests will be made via email to the Membership Department (https://support.bavirtual.co.uk/). The data will then be proofread and sent to the member making the request. Because of the potentially sensitive nature of comments on a member's record, and to protect the privacy of staff members and ensure there is no retaliation or harassment against BAVirtual staff, the names of staff who have made entries on a member's record, along with any security measures adopted by BAVirtual, are redacted before the data is sent to the member.

Right of Rectification

Responsibility

Accurate data is important for both BAVirtual and its members.

Procedure for making requests

Right of rectification requests should in the first instance be made by ticket at (https://support.bavirtual.co.uk/) by the member making the request. If staff at a lower level receive anything that might reasonably be construed to be a request for rectification they have a responsibility to direct the member to contact the Membership Department.

Disputes

Where there is a dispute between a member and BAVirtual over the accuracy of data, the member shall be empowered to make any final decision on whether to alter data or not. This decision should be communicated to the member making the request within one calendar month of the request having been made.

Charging

BAVirtual does not charge any fee for requests under the Right of Rectification.

Lawful Basis

Underlying principles

BAVirtual asserts that it has a legitimate interest in collecting and storing the personal data outlined above.

The reasons for this claim are:

  • BAVirtual is a voluntary community promoting flight, and all members seeking to join have an obvious interest in such activities.
  • The data collected is the minimum required to allow for the smooth and optimal running of the VA, solely for the enjoyment of its members.
  • That the data is necessary to allow BAVirtual staff to properly manage the VA, both in day-to-day operations and in circumstances where a member (or members) may act in a manner contrary to the BAVirtual Policy.
  • That it is because all members have a shared interest in these aims that the collection of such data should be reasonably expected by all members.

Members under 16 years

BAVirtual does not accept membership from any individual under 16 years of age. Members found to have falsified their age will have their account closed immediately.

Opting out

Notwithstanding BAVirtual's claim of legitimate interest, members may at their discretion object to this claim and/or request that BAVirtual cease processing of a member's personal data. These two rights are known as the Right to Object, and the Right to Restrict Processing. Members must be aware that if they choose to exercise either of these rights BAVirtual is obliged to close their accounts in order to comply with their wishes and they will no longer be a member of BAVirtual.

Timing of opting out

While a notification of an objection to BAVirtual's claim of legitimate interest, or a request to suspend processing may be made at any time, such claims may not be made retrospectively.

Right of Erasure

Responsibility

Requests for deletion of personal data under the Right of Erasure are the responsibility of the member concerned. Such requests are required to be complied with within one calendar month of the request being received. If circumstances prevent this from occurring, an extension of a further two months may be instituted by BAVirtual, providing that the member making the request is informed of this fact before the expiration of the original one-month deadline.

Procedure for making requests

Right of erasure requests should be in writing, preferably by ticket at (https://support.bavirtual.co.uk/). On receipt of a verbal request for erasure (in Discord, for example), staff concerned should immediately ask the member making the request to confirm the request in writing as above. If staff at a lower level receive anything that might reasonably be construed to be a request for erasure they have a responsibility to pass this to the Director of Membership without delay.

Provision for verifying identity

Where the person managing the erasure procedure does not know the individual personally there should be provision for checking their identity before deleting any information.

Charging

BAVirtual does not charge any fee for deleting data under the Right of Erasure.

Procedure for granting erasure

BAVirtual shall evaluate all requests for erasure. BAVirtual reserves the right to retain any data that it believes is in its legitimate interest to do so, or that is required to establish, exercise, or defend any legal claims.

Staff training & Acceptance of Responsibilities

Induction

All staff who have access to any kind of personal data should have their responsibilities outlined during their induction procedures.

Continuing training

If there are opportunities to raise Data Protection issues during staff training, team meetings, supervisions, etc. these shall be undertaken.

Procedure for staff signifying acceptance of policy

All staff given access to members' details shall receive training on data access procedures via the documents outlined above. All such staff are required to acknowledge that they have received this training, that they understand the requirements placed on them, and that they agree to be bound by them. Electronic mail is an acceptable (and the preferred) method for this acknowledgement. This acknowledgement will be recorded on the member's record.

Policy review

Responsibility

The responsibility for review of this policy rests with the Board of Directors, and the review will normally take place annually.

Procedure

At a minimum this review shall require:

  • Consultation with the full Board of Directors.
  • Specific consultation with all Directors with responsibilities under this policy.
  • Analysis of all audits of data access during the period of validity of the current policy.
  • Analysis of any data breaches during the period of validity of the current policy.

Timing

In order for the required review to be completed by 28 February 2025 such consultation shall commence no later than 28 August 2024.

Revision History

Rev. No | Date Entered  | Revision History
1.0     | N/A           | Original publication.
1.1     | February 2024 | Full review.