Data Protection

This site only provides personal web hosting for the owner and email forwarding and file hosting services for non-profit organisations of which the owner is a member. As such the only personal data held are e-mail addresses, usernames, amateur radio callsigns and passwords of members of these organisations as end users or as delegated administrators for file hosting or e-mail lists.

It is believed that this falls within the letter and spirit of the Data Protection Act exemption documented at:

http://www.ico.gov.uk/for_organisations/data_protection/notification/~/media/documents/library/Data_Protection/Practical_application/GPN_NOT_FOR_PROFIT_V1.ashx

As of 20th September 2011 a data protection act registration is being sought (reference zug284) on a voluntary basis at the owner's expense to ensure that I and the organisations that use this service are protected.

Access by data subjects to their data

Data subjects may request access to their data on the system from the owner by sending a stamped, self addressed envelope or an e-mail to

.
There will be no charge for the first request in each calendar year. Subsequent requests will be charged at the maximum rate permitted by English law.

Cookies

The public parts of this web site do not use cookies.

Password protected areas of this website may use cookies to store authentication and session state and authorised users will be informed of this as part of the password entry prompt.

This site does not track user's activity on other sites or analyse user behaviour in any way (although the right to review access logs for security audit or application support is reserved by the site owner).

Other persons with access to the data

The site owner
The web hosting provider (Aceshells Ltd. in the UK) and the backup provider (rsync.net) in Switzerland have access to any data stored in this server as a consequence of the virtual server and the daily backups respectively being hosted on their hardware.
The administrators of the various websites and mailing lists have access to the data within their own websites and the e-mail addresses and message history of their own lists.
The site owner will make available to the police or other UK public authorities as is required by UK law in case of a criminal investigation.

Statement of Principles

The data protection act registration requires the data controller to confirm compliance with a number of requirements which are:

Adopting an information security policy? (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data): Please see security.html
Taking steps to control physical security? (for example, locking doors of the office or building where computer equipment is held): The moffatig.com servers are hosted by aceshells.co.uk in managed data centres. Please see: http://aceshells.com/bargain-virtual-dedicated-servers.php for more detail. Both servers are in managed data centres with controlled access.
Putting in place controls on access to information? (for example, introduction of password protection on files containing personal data and encryption): All access to the server at operating system level is secured by passwords and encrypted protocols are used for access wherever possible. Access is limited to trusted IP addresses to the greatest extent possible. All application access (other than web content and incoming e-mail) is controlled by passwords and IP address restrictions.
Establishing a business continuity plan? (for example, holding a backup file in the event of personal data being lost through flood, fire or other catastrophe): The owner maintains two virtual servers at different locations in the UK and the active server is backed up to a virtual disk hosted by rsync.net in Switzerland daily and before major configuration changes. the backups from one server can be restored onto the other with less than one man-day of effort.
Training your staff on security systems and procedures? (for example, are staff aware of their responsibilities, are they aware that personal data should only be accessed for business purposes?): The owner has received extensive data protection training in the course of his employment. The delegated administrators of the various lists have been advised to consider their responsibilities as data controllers of their own members' information and the relevance of the exemption for non-profit bodies. No delegated administrator has access to anyone else's data or to the operating system.
Detecting and investigating breaches of security when they occur? (for example, producing audit trails that log access to personal data and can be attributed to a particular person): All access to the server at operating system level, to upload files, and to administer web applications is authenticated and logged including a user name and IP address. All logs are replicated off the machine to a remote file store. All e-mails sent through the list server are logged and archived. The message archives are only available to system administrators. A host level intrusion detection system with real time alerts sent to the owner and archived remote from the system has been installed.