1. Purpose and Scope
As part of their responsibilities, IEEE volunteers and staff acting on behalf of IEEE (referred to as “IEEE Data Users”) may have the opportunity to collect, access, use and/or process personal data of individuals who interact with IEEE.
Examples of personal data can include name, contact details, date of birth and pictures. This data includes, but is not limited to, existing or new data sources and data obtained via websites, applications, behavioral monitoring, and databases related to IEEE members, non-members, customers, product purchasers, and various other parties stored on local devices, cloud services, or applications provided by IEEE or entities other than IEEE (referred to as “IEEE Data”). This IEEE Data can be used to gain valuable business insights, make key business decisions on behalf of IEEE and advance the mission of IEEE.
This Policy defines the processes, rules and procedures that IEEE Data Users must follow when collecting, accessing, using (including sharing, publishing, and emailing), managing, and processing IEEE Data, and addresses the following topics:
- Data Collection, Access, and Use
- Data Processing and Handling
- Data Management
- Data Requests and Incidents
- Referenced policies
All IEEE Data Users are required to comply with this IEEE Data Access and Use Policy.
2. Data Collection, Access, and Use
IEEE Data is for access and use only by IEEE Data Users. IEEE Data shall not be furnished to outside entities or be used for any purpose other than for approved IEEE business. Access to IEEE Data shall be limited to those IEEE Data Users who need access to perform their responsibilities on behalf of IEEE. IEEE Data collected and/or managed by IEEE Data Users belongs to IEEE.
When collecting IEEE Data, the following information must be presented to individuals whose personal data is being collected (referred to as “Data Subjects”):
- Statement of the purpose for which the data is being collected;
- Where applicable, a link to agree to specific terms and conditions associated with the stated purpose; and
- If necessary, a link to agree to receive additional information outside of the purpose stated.
Agreement to items 2-4 above must be obtained prior to collecting and processing personal data. Only data required for the purpose shall be collected. Any agreement captured that is not directly communicated to the IEEE Consent Management System* must be provided to IEEE.
IEEE Data that is collected shall be used for the purpose stated at collection, and shall be processed for that purpose only, unless:
a. Agreed to otherwise by the Data Subject;
b. Processing the data is necessary for legitimate business purposes; or
c. There are legal requirements for the use and processing of the data.
Before contacting an individual who has not previously expressed an interest or had a prior engagement, an IEEE Data User will validate their list against the IEEE Consent Management System to ensure agreement has been obtained. More information and step-by-step instructions can be found on the List Validation page.
IEEE Data Users may continue to contact individuals about previously stated interests or prior engagements.
IEEE Data Users publishing or sharing data shall classify the IEEE Data according to the IEEE Information Disclosure Policy and affix the appropriate notice to the IEEE Data, as well as any reports related to personal data.
It is the responsibility of the IEEE Data User to keep informed of IEEE policies governing mailings, the use of labels and email addresses, regulations governing electioneering for IEEE offices, IEEE Privacy and Security policies and Email Terms and Conditions. Additional information is found in Section 14.1 of IEEE Policies, which is available from the IEEE Governing Documents website.
3. Data Processing and Handling
IEEE is responsible for the actions of IEEE Data Users with respect to the processing of IEEE Data. This includes IEEE Data collected and maintained by IEEE Data Users. IEEE Data Users shall process IEEE Data as outlined in this document. Any third-party processing of IEEE Data shall be subject to an agreement outlining the third party’s responsibility to comply with IEEE data privacy policies and applicable data privacy regulations. IEEE template agreements shall be used whenever possible and, if applicable, executed through the appropriate IEEE contracts process.
Whenever possible, remove personally identifiable data and use aggregated data prior to processing. If data is to be publicly presented, all personal data must be removed or hidden.
IEEE Data Users shall confer with IEEE staff at IEEEData@ieee.org to determine whether uses other than for the purpose stated at collection are permitted.
4. Data Management
IEEE Data will be stored in an IEEE database or application or downloaded to a volunteer’s GoogleApps@ieee account.
IEEE Data Users must take precautions to ensure IEEE Data is stored and handled securely and is not accessible to unauthorized individuals. IEEE Data that has been previously stored on a personal device and is no longer needed must be deleted.
IEEE Data held by IEEE Data Users must be validated against the IEEE Consent Management System within three (3) days before each use. Targeted email communications can be sent only to the validated list. Securely stored IEEE Data that has been replicated to an approved third-party campaign tool must be purged within 30 days.
For guidance on specific tools and list validation procedures, refer to http://sites.ieee.org/gdpr/.
When the necessity to hold and/or use the IEEE Data has concluded (e.g., end of a volunteer term of service, termination of a contract, IEEE Data is no longer required for a project, written request from IEEE), the IEEE Data User shall either delete or return the IEEE Data in accordance with the IEEE Policies, Section 12.8 IEEE Records Management Policy Statement. Volunteers other than Officers and Directors are encouraged to provide documents significant to the business of IEEE to the appropriate staff person on an ongoing and contemporaneous basis.
5. Data Requests and Incidents
If an IEEE Data User receives a data subject request (e.g., right of access or right to be forgotten) from an individual (e.g., a member, conference attendee), the IEEE Data User shall direct the individual to complete our Data Privacy Request form or to send an email request to firstname.lastname@example.org with "Data Privacy Request" in the subject line. At the direction of the IEEE Data Protection Officer, an IEEE Data User shall comply with requests to update or remove data that may be in their possession and confirm such actions have been taken in a timely manner.
If an IEEE Data User becomes aware of or suspects a data incident may have occurred (e.g., breach, loss of data, loss of equipment containing IEEE data), the IEEE Data User shall contact email@example.com immediately. The Data User should include as much detail as possible in their report. The assistance of the IEEE Data User in addressing the matter may be necessary.
Compliance with this Policy is mandatory. Violations may result in loss of access to IEEE tools and potential disciplinary action.
Violations of data privacy regulations may result in judgments against or significant fines to IEEE. In some instances, IEEE Data Users could also be held personally responsible.