This page explains the issues relating to NomadIT holding your data on behalf of WCEH. Information on membership/conferences is held centrally in a secure online database, providing greater data security, cheaper more efficient administration, and the potential for enhanced membership/conference facilities - such as searchable online directories, live editing of personal entries, a fully-feature abstract management and registration system.
NomadIT complies with the requirements and principles of GDPR (transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality and accountability) in its approach to your data. NomadIT is registered with the Information Commissioner's Office (ICO) in the UK.
The NomadIT system holds individual and organisation contact information, membership subscriptions, conference registrations, academic background/interests, panel/paper abstracts, and a record of payments made. The only 'private' data held is a contact's mobile phone number which is not made publicly available, and is held in order to facilitate contact by SMS during/en route to conferences - a function which has proved useful in past events. We are currently working on removing physical address data (except where required for journal mailings) from our dataset and forms. The only sensitive data held is the date of birth, and this only in records created before 2020.
Prior to changes made in 2020, our system requested a date of birth to facilitate login. The DoB did not have to be the real DoB, nor was it made public, nor considered in any decision-making/admin processes. We have since updated our login to use a more conventional email and password pair, so DoB is no longer gathered, and as older accounts are upgraded, it is being removed.
The data collected will only be used for the purpose for which it is provided. This is deemed to be for invoicing/receipting of subscriptions/registration fees; and for mailings/email, relating either directly to the organisation/conference itself, or occasionally to news deemed of potential interest to the membership/conference (such as jobs, upcoming conferences, book releases, academic publishing promotions). The data is held on behalf of our clients and is not disclosed to third parties. Personal data is not shared between NomadIT clients, unless there is a relevant agreement (for example when running a bilateral conference), and NomadIT are instructed to do so by the agreeing parties.
Data subjects may request a copy of the personal information held about them, by emailing the
organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Access
Request' in the subject line.
Data subjects may request that their personal information be removed from our system, by emailing the organisation/conference concerned (or info(at)nomadit.co.uk), putting 'Subject Date Removal Request' in the subject line.
If Data subjects have any concerns about their data security they may write about these to info(at)nomadit.co.uk.
NomadIT currently uses two servers located in California, an Amazon email server located in Eire, a Google Drive server located in the US; and makes use of other software such as Zoom, Shindig, Whova, Pheedloop most of whom use servers in the US. In all cases we look for compliance with GDPR or the principles of GDPR. We are also migrating our main server use to Germany, and reducing our use of Google Drive.
We usually gather Funding application data via forms - previously Google Forms and now either NextCloud or Budibase forms hosted on our own server. This data is stored securely within NomadIT's Google Workspace (Drive). The information is held for up to two years after the conclusion of a conference, in order that we can answer questions regarding due process within funding allocation, from sponsors/funders/executive committees/applicants. After that it is deleted, and all that remains stored in conference accounts is a list of names, affiiliations, and email addresses of those funded and the amounts received.
We also use Google forms to gather Student volunteer data for conferences - this data is
deleted two years after a conference is concluded.
We store conference account spreadsheets on Drive, and these files contain ledgers of payments received, funding allocated, and a full list of delegates. This data is required for accounting purposes and is not removed after a time. However the delegate data held is limited to name, institutional affiliation, country and email. Again we are working on migrating most of our data to our own NextCloud server in Germany.
NomadIT backs up its main database and all websites and retains backup data for up to three years, after which those backups are destroyed.
NomadIT functions as the data controller on behalf of the organisation/conference with whom
the membership/conference registration is made. NomadIT is registered with the Information
Commissioner (No. ZA811094), and follows both GDPR and the Data Protection Act of 1998. The
essence of that Act is detailed below.
If you have any complaints/enquiries, please email the relevant organisation/conference directly (see their specific websites for contact info); alternatively you can contact info(at)nomadit.co.uk if you wish to discuss issues relating to Data protection.
The Data Protection Act 1998 sets out eight rules that data controllers must follow for protecting personal information. Personal data must be:
If a data controller's processing of personal information does not comply with the principles, the Information Commissioner can take enforcement action against that data controller.
Contact and membership data (but no important financial data) is held within our bespoke online membership databases, which hold details of over 8000 members on behalf of seven associations, and are fully GDPR-compliant.