SFDPP – Data Protection Policy – Rev. 202303-09.v2 (PDF 153KB)
This policy is for all active, renewing and new members of STARFLEET: The International Star Trek Fan Association, Inc. (hereafter referred to simply as “STARFLEET”); it applies to the processing and storage of your personal data by STARFLEET. Your data is retained in the STARFLEET Members’ Database (database), in the STARFLEET Academy database and in other STARFLEET site databases and file systems with reasonable use and control to your data as outlined in this document.
Use of your data during your application to join STARFLEET
As a new applicant to STARFLEET, you consent to the processing, retention and sharing of your personal data (see Data Index below) for the purpose of applying for membership and providing required, and perhaps optional, data to allow STARFLEET the ability to send membership materials or other communications, as necessary.
Use of your data as an active or renewing member of STARFLEET
As an active or renewing member of STARFLEET, your data will be retained and shared by officers of the organization for the reasonable purpose of managing your membership. Officers can include, but are not limited to, the President (CO) or Vice-President (XO) of your local chapter, the Regional Coordinator (RC) of your Region and certain members of his/her/their staff, and the Executive Committee members. Reasonable purposes can be but are not limited to:
- Processing your membership renewal application;
- Evaluating your performance in STARFLEET for awards or rank;
- Recording your progress in STARFLEET;
- Receiving communication from STARFLEET;
- Processing payments (new members, renewals, payments for Quartermaster purchases, etc.);
- Documentation of monthly chapter activity (MSR, RSR, etc.);
- Operational management of chapters;
- Access to the STARFLEET Academy.
Your personal data is retained in perpetuity by STARFLEET while your membership remains active. When your membership has expired, in the absence of an immediate request for deletion, your data will be retained in the database for five (5) years for the sole purpose of ease of reinstatement should you choose to return. As an expired member, you are not included in communications, are removed from email lists and groups, and are protected from unauthorized use.
You can withdraw your consent and request erasure of your data at any time by notifying Membership Processing, or any member of the Executive Committee, and submitting a ticket to the STARFLEET Helpdesk. Note that this means a full termination of your membership with STARFLEET.
Your personal data used for STARFLEET’s Member Database and other sites (STARFLEET Academy, the SFI.org website, etc.) is stored in STARFLEET’s databases supporting each of those sites which, at this time, are wholly located in the United States.
The STARFLEET Member Database collects and retains the data listed below for each member; this list includes all data kept per member and not just personal/private data. Note that data is defined and marked as “Required,” “Optional,” or “Internal.”
Required data: data which is required for your membership to be processed and remain active.
Optional data: data that is collected and used only for optional purposes. Optional data is not required to be provided for the normal processing and handling of your membership.
Internal data: data which is kept by the database but is not provided by the member.
Note that this list is the data kept by the Membership database. The STARFLEET Academy and various other sites collect just a few of these same data items.
- Required Data:
  - SCC number (provided upon completion of membership processing)
  - Full name (member provided)
  - Physical address for physical mailings, as needed – includes street address, city, state, zip, country (member provided)
  - Valid, functional Email address (voting members only, does not include minors – member provided)
  - Date of birth (voting members only, does not include minors – member provided)
  - Username (initially generated by database, can be changed)
  - Password (initially generated by database, can be changed)
  - Invoice and financial transaction with an approved payment processor (generated for membership payments made online)
- Internal Data:
  - Join date (provided upon completion of membership processing)
  - Membership type (generated when paying for membership)
  - Region (determined by chapter affiliation)
  - Member Awards and Academy Classes taken (populated upon award or class completion)
  - Rank (merit or position based)
  - Database permissions (initially generated by database, permission packages dependent on job functions)
  - Last login date/time in database (generated by database)
  - Real time login in database (generated by database, shown in list format)
  - Membership payment dates (internal – generated upon payment of a membership)
  - Internet Protocol (IP) address (provided by access to database)
- Optional Data:
  - Phone number
  - Species (role play only, selected by member)
Date of Birth Required
Your Date of Birth (DoB) data is required to validate voting member status, as well as any assigned, appointed or elected roles within STARFLEET. Minors are not voting members, so the DoB can be omitted, until they are 18.
Family Memberships and Data
STARFLEET offers family memberships that allow a primary member to add family members to their membership. When doing so, the only data required for these added members are their name and email. Other data is optional. The address is set to the same as the primary member’s by default.
Minor’s Private Data
For the purposes of this data policy, a minor is defined as any member under the age of 18. A minor is normally added as a member into an adult’s membership as a family member. As described above, a minor’s personal data is also collected and is also subject to the same retention period as previously described. Should a primary member or parent not wish to have a minor’s data held by STARFLEET, the member must remove or request removal of this data from the database. As described previously, this will serve to remove the target minor from active membership in STARFLEET.
Data Protection Officer
The duties of a Data Protection Officer (DPO) are a collateral duty assigned to the sitting Chief of Information Services by the Admiralty Board. As such, the DPO is an agent of the corporation, charged with developing, issuing, and updating the STARFLEET Data Protection Policy (SFDPP) and all plans involved with data protection and compliance. The DPO will inform the Executive Committee and Admiralty Board of any changes to the SFDPP. The DPO will head all data loss or breach investigations. The Inspector General, STARFLEET, will assist the DPO, as needed, and/or run concurrent investigations in the case of an internal breach. ‘Personal data breach’ is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The DPO shall maintain a team consisting of the Chief of Membership Services, the Chief of Education Services, the Representative of European GDPR member states (appointed by the DPO), and any others as required to advise and assist in execution of all duties and responsibilities to include, but not limited to, all data breach/loss incident investigations.
Third Party Data Processors or Access
Elections and Third Party Data Access
Every three years, STARFLEET holds an election that allows the members to vote on the next Commander, STARFLEET (President) and Vice Commander, STARFLEET (Vice President) for the ensuing term. A list of all active, voting members’ names and addresses is sent to a third party vendor who creates and mails the ballots, receives and processes them and returns the results to the STARFLEET election officials. This vendor is evaluated and selected for each election by the Inspector General’s office and the information on the vendor is made available to the membership at that time.
STARFLEET uses various payment processing services for membership dues, quartermaster sales, etc. STARFLEET ensures all payment processors have a compliant data protection policy, infrastructure, and are bound to not share STARFLEET data as part of the contract.
Other Third Party Data Processors/ Access
STARFLEET will not sell your private data to any person or entity. Nor will STARFLEET give your private data to any person or entity outside of STARFLEET without a legitimate business purpose of the organization. Information may be provided to an approved third party by an authorized member of STARFLEET Staff while performing their appointed duties, pursuant to this document, the Membership Handbook, or the Corporate Bylaws. STARFLEET will ensure all Third Party data processors have a compliant data protection policy, infrastructure, and are bound to not share STARFLEET data as part of the contract. In all cases, only the minimal information needed for the Third Party Processor will be given, and only for specific, legitimate purposes of STARFLEET for which they are being engaged.
Access to your Data
Some members of STARFLEET are granted elevated access rights to member information to carry out their job responsibilities. Those members are expressly prohibited from using, retaining for personal use or providing any other party or entity with member information for purposes other than those their specific job requires. Any member with elevated access rights to member information who is found to have misused member information will be subject to disciplinary measures as deemed necessary and appropriate pursuant to this document, STARFLEET by-laws and other applicable documentation, including the Membership Handbook and the Inspector General manual. The matter may also be referred to the appropriate civil or criminal authorities.
Loss or Breach Event
Should a breach be reported, the Commander, STARFLEET or the Chief of Information Services shall, within 24 hours of confirmation of a Personal data breach, notify the Admiralty Board. Initial notification can be brief and simply state that a breach has occurred, been confirmed, and provide known details. Details can be withheld/redacted if reporting those details could be reasonably assumed to impede the investigation, further expose member data, or is so advised by legal advisors or law enforcement.
At a minimum this notification must include:
- Nature of the breach (accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed)
- Initial determination of an internal or external attack
- Time the incident was found/reported
- Time the incident was confirmed
- What response actions have already been done
- What further actions will be taken
- When further details might be available
After such confirmation and notification, the CIS/DPO will continue incident response and investigation. Should SFI need to coordinate with third parties, including vendors, data processors, legal advisors, or law enforcement, a single point of contact will be provided. SFI will report all crimes to the appropriate authorities if the investigation reveals any criminal activity.
In the event of an external breach of information, STARFLEET will, as deemed necessary and appropriate, contact our third-party vendors to determine the nature and severity of the breach and may choose to contact the appropriate authorities to resolve the incident. The Commander, STARFLEET shall request that the CIS temporarily suspend applicable vendor access to electronic records and/or require physical records be returned to the Commander, pending the outcome of the investigation. Any member may be contacted to advise the DPO of the matter as deemed necessary and appropriate by the Commander, STARFLEET, CIS, or their representative.
In the event of an internal breach of information, STARFLEET will, as deemed necessary and appropriate, conduct an internal investigation, headed by the DPO. The Commander, STARFLEET shall request that the CIS temporarily suspend member access to electronic records and/or require physical records to be returned to the Commander, STARFLEET pending the outcome of the investigation. This applies to all allegedly involved members. If a member is proven, via server log files, or other conclusive evidence, to have breached STARFLEET data systems or assets, or obtained unauthorized access or unauthorized member information, or excess access or information outside of the scope of any assigned STARFLEET duty, their membership will be immediately suspended. When the investigation has concluded, if it is deemed a crime was committed and legal authorities are contacted regarding the misuse/attack, their membership will be immediately terminated in perpetuity. A full report of the incident will be provided to the Admiralty Board upon completion of the investigation.