Policy on Personal Data
The document is subordinate to RFSL Ungdom’s Policy for information security and privacy
Policy for communication with personal data in RFSL Ungdom
For the individual’s security, internal order and compliance with the law, RFSL Ungdom has the following policy for communication and personal data.
This policy is a governing document under the “Information Security and Privacy Policy” and it provides guidance on the “Communication and Personal Data Policy in RFSL”.
The policy for communication and personal data in RFSL applies to all the organization’s representatives who use the platforms the organization provides for communication and writing but also for writing on paper and other media.
All services are in, and must be used according to, RFSL Ungdom Register List or according to the register list used by each department; however, only as long as the department’s list does not imply lower requirements than RFSL’s Ungdom Register List.
Our basic principles
When handling personal data, we highlight here the basic principles that apply when handling personal data about the mention of persons.
Transparent, legal, and fair
The first basic principle is entirely about handling personal data in a fair and transparent way. At rfslungdom.se there is more information about how we handle personal data, share that information via a link in emails, etc.
Purpose limitation
We only use the most necessary information and we only use it for what we have said we will use it for. We do not collect data without first informing about this, with a clear reference to the purpose for which personal data is collected.
Task/data-minimization
The necessary personal data that we save must be relevant and limited to what is considered necessary in this context.
Correctness
We only save correct information, if they are not correct we try to update them in dialogue with the person whose information it is, or they should be deleted or anonymized. Mentioned persons have the right to request corrections of wrong data. We intend to make such corrections expeditiously.
Storage limitation
We save only the most necessary personal data and we only save them for as long as we need to fulfill the obligations we have towards the mentioned persons and other stakeholders.
Integrity and confidentiality
We handle other people’s personal data in the way we want others to handle ours. We do not risk unauthorized persons gaining access to our stored personal data and we take responsibility if personal data ends up incorrectly. We have a consistent security mindset throughout our IT environment and take care of personal data well.
Rules for written text
For RFSL Ungdom´s members and for other people mentioned in the RFSL Ungdom’s system, it is important that the following writing rules are followed. Everyone who has an assignment in RFSL Ungdom or who in any way writes current text in systems provided by RFSL Ungdom or on behalf of RFSL Ungdom has to follow these writing rules when using them. Current text can be found, for example, in member registers, text messages, e-mail, internet, apps, social media, but handwritten notes are also included.
Members and other persons mentioned must always be described in a correct and objective manner. We all act in the name of RFSL Ungdom. We therefore have a responsibility for how personal data is handled and how text is formulated.
Note! Each of the members or persons mentioned has the right to request to know at any time what is written about them in our registers. All information, even that which has been written in free text fields, must then be copied and handed over to the person in a secure manner and without it infringing on anyone else’s integrity.
The following applies:
- Write only relevant facts and do it from an objective point of view without personal reflections.
- Do not write things that you yourself would find offensive if the listing applied to you.
- Only write information that can be perceived as sensitive if it is in the person’s interest to do so and ask the person if any sensitive writing is okay, then also write that the person has received the question and approved the documentation.
- Information about the violation of the law may never be registered, not even with consent
- Do not record information about a named third party unless it is absolutely necessary for the individual’s case.
- Sensitive personal data may only be registered with express consent. It is possible to obtain consent orally during a conversation, but only note the sensitive information if necessary. Ask for example “Then I note that you have broken the leg, is that ok? You can read more about how we handle your personal information on our website ”.
It is important to always provide relevant information about how we handle personal data to those affected. Therefore, we must always refer to the information on the website both in email and in telephone calls, regardless of whether you have registered sensitive personal data or not.
Rules for e-mail
The risk of personal data being spread or stored incorrectly increases if it is in an e-mail, so we avoid it as much as possible. It is suggested that Google Chat, which is part of RFSL Ungdom’s G-Suite, be used instead. If email is used, the following applies:
- The subject line of an email from RFSL Ungdom must be as neutral as possible and must not expose the recipient to the risk of personal data being spread.
- Emails with personal information must be cleared when we no longer need them for the current case. Exceptions apply to emails that must be stored in order for us to fulfill our mission towards the person.
- Emails of a private nature are stored in a folder marked “private”. RFSL Ungdoms mail may never be used for accounts, email lists or anything else of a private nature.
All users are responsible for clearing emails, calendar entries, contact information, and so on. Emails older than 26 months are only saved if there is a clear purpose, e.g. that it is an ongoing agreement or matter.
Rules for email lists, so-called groups
Groups are administered only from the federal office and the owner of the group is responsible for minimizing the number of participants in the group and that personal data for outsiders is not exposed in the group. Groups should, as far as possible, only communicate via the group page and not via mailings to the user’s own email, in order to minimize the spread and enable the deletion of personal data. It is suggested that Google Chat be used instead.
Rules for calendar bookings
We avoid calendar bookings with personal information because these can be distributed to others who have permission to see your calendar or the booked resource.