© Association for Information Systems Inc., 2008-09
This document declares the Undertakings by the Association for
Information Systems Inc. (AIS) in relation to its handling of Your
Data, as those terms are defined in the Definitions section below.
The terms 'undertake' and 'undertaking' are used in order to make
clear that AIS's commitments give rise to legal obligations. These
Undertakings are additional to the formal legal requirements that AIS
is subject to in various jurisdictions throughout the world.
The term 'Your Data' refers to identified personal data about you
that may arise from multiple roles that you may play, and multiple
relationships that you may have with AIS, including as site-visitor,
member, officer, candidate for office, employee or contractor, and
through associations with AIS publications, including as author,
editor, reviewer and website contributor.
Data Collection
AIS undertakes to collect Your Data by means that are:
- fair;
- legal; and
- transparent.
If you visit AIS's website, your web-browser
automatically discloses, and AIS's web-server automatically logs, the
following information: the date and time, the IP address from which you
issued the request, the type of browser and operating system you are
using, the URL of any page that referred you to the page, the URL you
requested, and whether your request was successful. This data may or
may not be sufficient to identify you.
Any additional data that you provide, e.g. in a web-form, may also be logged. This data may or may not be sufficient to identify you.
Any additional data that your web-browser automatically provides
may also be logged. This will be the case, for example, if your browser
has previously been requested to store data on your computer in 'cookies'
and submits them each time you request a web-page within a particular
domain (in particular, aisnet.org). This data may or may not be
sufficient to identify you.
AIS uses cookies when a visitor arrives on the
web-site, and when a user logs on to sections of the AIS website that
require their username and password, such as the Directory and the
Digital Library. Most of the cookie-data is encrypted, and contains no
sensitive data such as passwords. All cookies are set for session-only,
and hence browsers should delete them at the next opportunity, such as
the next quit and re-start.
If you disclose personal data to AIS in conjunction with an identifier such as your name or your credit-card details,
AIS will collect Your Data. Moreover, any data that becomes available
to AIS through any of the means described in the preceding paragraphs
may be able to be associated with that identifier, and hence become
Your Data.
AIS undertakes to collect Your Data from you and not from other parties.
Where AIS collects Your Data from sources other than you, it undertakes:
- to do so only by legal means;
- to do so only with your Consent (as defined in the Definitions section below); and
- to declare to you what sources it uses, and under what circumstances.
AIS undertakes to declare the purpose of collection of Your Data in a manner that is clear and meaningful. These declarations are to be found in the Definition of Your Data below, and in relevant data collection forms.
Data Security
AIS undertakes to store Your Data in a manner that
ensures security against unauthorised access, alteration or deletion,
at a level commensurate with its sensitivity.
AIS undertakes to transmit Your Data in a manner
that ensures security against unauthorised access, alteration or
deletion, at a level commensurate with its sensitivity.
AIS undertakes to apply protections for Your Data at a level consistent with the OECD Guidelines on Privacy and on Security, even though Your Data may be stored in or transmitted to a Jurisdiction whose legal requirements are lower than that.
AIS undertakes to implement appropriate measures to ensure security of Your Data against inappropriate behaviour by AIS's staff-members, contractors and officers. These include:
- training for staff in relation to privacy;
- access control, to limit access to Your Data to those staff, contractors and officers who have legitimate reasons to access it;
- logs of changes to data;
- reminders
to staff and contractors from time to time about the importance of data
privacy, and the consequences of inappropriate behaviour;
- declaration of appropriately strong sanctions that are to be applied in the event of inappropriate behaviour;
- clear communication of policies and sanctions to staff; and
- processes to investigate and to impose sanctions.
Data Use
Use refers to the application of Your Data by any part of AIS, or
any AIS staff-member, contractor or officer, in the course of their
work.
AIS undertakes to use Your Data only under the following circumstances:
- for purposes for which we have your Consent,
including purposes that are initially or subsequently agreed between
you and AIS, purposes directly implied by the agreed purposes, and at
your request;
- for such additional purposes as are required by law
in a relevant Jurisdiction. In these circumstances, AIS will take any
reasonable steps available to it to communicate to you that the use has
occurred, unless it is precluded from doing so by law; and
- for such additional purposes as are authorised by law
in a relevant Jurisdiction (in particular to protect AIS's interests,
e.g. if it believes on reasonable grounds that you have failed to
fulfil your Undertakings to AIS).
AIS undertakes to use Your Data only if it has demonstrable relevance
to the particular use to which it is being put, and to use only such of
Your Data as is necessary in the particular circumstances.
AIS undertakes to use Your Data in such a manner as to take into account the possibility that it is not of sufficient quality for the purpose, e.g. because it is inaccurate, out-of-date, incomplete, or out-of-context.
Data Disclosure
Disclosure refers to making Your Data available to any party other
than AIS and you. The term disclosure may include many different
conditions of data transfer, including selling, renting, trading,
sharing and giving.
AIS undertakes to disclose Your Data only under the following circumstances:
- for purposes for which we have your Consent,
including purposes that are initially or subsequently agreed between
you and AIS, purposes directly implied by the agreed purposes, and at
your request;
- for such additional purposes as are required by law,
such as a provision of a statute, or a court order such as a search
warrant or subpoena. In these circumstances, AIS will take any
reasonable steps available to it to communicate to you that the
disclosure has occurred, unless it is precluded from doing so by law;
- for such additional purposes as are permitted by law
(e.g. the reporting of suspected breach of the criminal law to a law
enforcement agency; and in an emergency, where AIS believes on
reasonable grounds that the disclosure of Your Data will materially
assist in the protection of the life or health of some person),
provided that AIS will apply due diligence to ensure that the exercise
of the permission is justifiable.
Where Your Data is disclosed to an outsourced service-provider
(e.g. to a company that processes credit-card transactions), AIS
undertakes to make reasonable endeavours to exercise control over
compliance by its service-provider with the terms of this Privacy
Policy Statement.
AIS undertakes to disclose Your Data only if it has demonstrable relevance
to the particular use to which it is being put, and to disclose only
such of Your Data as is necessary in the particular circumstances.
AIS undertakes to disclose Your Data in such a manner as to take into account the possibility that it is not of sufficient quality for the purpose, e.g. because it is inaccurate, out-of-date, incomplete, or out-of-context.
Data Retention and Destruction
Subject to the qualifications immediately below, AIS undertakes:
- to retain Your Data only as long as AIS reasonably believes it is consistent with its purpose; and
- to destroy
Your Data when AIS reasonably believes its purpose has expired, and to
do so in such a manner that Your Data is not subsequently capable of
being recovered.
This Undertaking is qualified as follows:
- when Your Data falls due for destruction, it may be retained for a period beyond its expiry of purpose, until the next regular deletion cycle;
- Your Data may be retained in AIS's logs, backups and audit trails
within short-term retention cycles that are devised to protect the
company's operations. In such cases, Your Data will be destroyed in
accordance with those cycles;
- in some circumstances, Your Data may be retained in an archive.
An archive may be internal-only and accessible only by staff,
contractors and officers; or it may be publicly available, as is the
case with data relating to previous AIS officers;
- Your Data may be retained beyond the expiry of its purpose if that is required by law,
such as a provision of a statute, or a court order such as a search
warrant or subpoena, or a warning by a law enforcement agency that
delivery of a court order is imminent. In these circumstances, AIS:
- will take any reasonable steps available to it
to communicate to you that Your Data is being retained, unless it is
precluded from doing so by law; and
- will only retain Your Data while that provision is current, and will then destroy Your Data;
- Your Data may be retained beyond the expiry of its purpose if such retention is authorised by law
(in particular to protect AIS's interests, e.g. if it believes on
reasonable grounds that you have failed to fulfil your Undertakings to
AIS or may have committed a breach of the criminal law). In these
circumstances, AIS will only retain Your Data while that situation is
current, and will then destroy Your Data.
Access by You to Your Personal Data
AIS undertakes to provide you with access to Your
Data, subject to only such conditions and processes as are reasonable
in the circumstances. In particular, AIS undertakes to enable access:
- conveniently;
- without unreasonable delay; and
- without cost to you.
AIS undertakes to establish and operate identity authentication protections for access to Your Data
that are appropriate to its sensitivity, but practical. This may
involve some inconvenience; for example, relatively straightforward
procedures may be involved in order to provide you with access through
a channel that you have previously provided to AIS (such as a
particular email-address), but more onerous procedures may have to be
imposed if you wish to use some other channel.
If you request it, AIS undertakes to take reasonable steps in relation to the amendment, supplementation or deletion of Your Data.
In providing these undertakings, AIS is working on the assumptions that:
- you will not to seek access, amendment, supplementation or deletion for frivolous purposes, or unreasonably frequently;
- you
accept that deletion of some categories of data may result in AIS no
longer being able to provide particular services to you.
Information about Data-Handling Practices
AIS undertakes to make information available to you about the manner in which AIS handles your data:
- in general terms, in a readily accessible manner, by means of this Privacy Policy Statement published on the AIS website; and
- in more specific terms, on request.
Where Your Data is disclosed to an outsourced service-provider,
AIS undertakes to make information available to you, on request, about
the manner in which AIS's outsourced service-provider handlesYour Data.
AIS undertakes to ensure that the information provided about data-handling practices is meaningful, and addresses your concerns.
In providing these undertakings, AIS is working on the assumptions that:
- you will not seek such information for frivolous purposes, or unreasonably frequently; and
- you
accept that the disclosure of excessive detail may harm the security of
Your Data and AIS's business processes, and may harm AIS's operational
activities.
Handling of Enquiries, General Concerns and Complaints
In providing these undertakings, AIS is working on the assumption
that, if you have enquiries, general concerns, or complaints about any
aspect of this Privacy Policy Statement, or about AIS's behaviour in
relation to its Undertakings, you will communicate them in the first instance:
- to AIS only;
- in sufficient detail;
- through a channel made available by AIS for that purpose;
AIS undertakes:
- to provide one or more channels for communications to AIS,
which are convenient to users. To find these channels, please go to the AIS Contacts Page;
- to promptly provide acknowledgement
of the receipt of communications, including a copy of the
communication, the date and time it was registered, and an indication
of how to follow up the matter with AIS if a formal response is slow in
arriving;
- to promptly provide a response to the communication, in an appropriate and meaningful manner.
In providing these undertakings, AIS is working on the assumption that you will not pursue AIS through any Regulator or the media:
- until and unless AIS has had a reasonable opportunity to respond to the initial communication; and
- while AIS and you are conducting a meaningful dialogue about the matter.
Enforcement
AIS declares that the Undertakings expressed in this Privacy Policy Statement are intended to create legal obligations, and that those obligations are intended to be enforceable
under appropriate laws in appropriate Jurisdictions. These may include
laws relating to data protection, privacy, fair trading, unfair
competition, the corporations law, and the criminal law.
In providing these undertakings, AIS is working on the assumptions that:
- you will not unreasonably seek enforcement until you have initiated the complaints-handling process and AIS has had the opportunity to redress the wrong; and
- you will seek enforcement only in a Jurisdiction
that is relevant to the transactions that have taken place between you
and AIS, in particular the Jurisdiction in which you live or in which
you performed the relevant acts, and the Jurisdiction in which AIS is
domiciled or performed the relevant acts.
If you wish to discover the relevant laws in any particular Jurisdiction, AIS draws your attention to the following resources:
Changes to These Privacy Undertakings
AIS undertakes:
- not to change this Privacy Policy Statement in a manner that materially reduces the protections for Your Data;
- to
subject proposals for material changes to this Privacy Policy
Statement, or for more specific terms relating to particular services,
to a process comparable with that used when making changes to the AIS
By-Laws, and including consultation with members and/or with one or
more appropriate representative and advocacy organisations;
- where new versions of this Privacy Policy Statement are promulgated, to ensure that:
- the previous versions and their dates of applicability remain accessible; and
- the differences between successive versions are visible;
- to
take all possible steps to prevent any organisation that may take over
or absorb AIS or any of its relevant assets from materially changing
the terms applicable to Your Data in a manner that reduces the
protections for Your Data.
Definitions
AIS means the Association for Information Systems
Inc., incorporated in Illinois USA as a non-profit organization, and
which can be contacted here.
Your Data means data that is capable of being
associated with you, whether or not it includes an explicit identifier
such as your name or customer number. In particular, it encompasses all
data that AIS is capable of correlating with you, using such means as
server-logs and cookie-contents.
Your Data does not refer to data that cannot or can no longer
be associated with you. This includes aggregated data that does not and
cannot identify the individuals whose data are included in the
aggregation.
AIS handles personal data for the following purposes:
- membership data. All data-items are
supplied by the member, and can be viewed through the membership
renewal web-forms. Credit-card details are retained only as long as
they are needed to complete the payment transaction, with only partial
details held long-term, in a log-file. Access to membership data is
protected by password, and is permitted only by the member and relevant
AIS staff, contractors and officers;
- officer data. The data-items are limited to name, affiliation and contact-points, as provided by the officer;
- candidate data. The data is limited to that provided by candidates for AIS offices, and is deleted after the election process is complete;
- site-visitor.
The data is limited to that provided by visitors and/or disclosed by
the visitor's client-software in the normal course of operation of
services such as the Web;
- website contributor data. The data is limited to that provided by contributors of AIS resource-pages;
- author data.
The data is limited to that provided by authors to AIS publications
such as JAIS, CAIS, RELCASI, sprouts, ICIS and AMCIS, and to
AIS-affiliated journals and conferences contained in the AIS Electronic Library;
- editor and reviewer data.
The data is limited to that provided to AIS publications by editors and
reviewers and stored in the relevant manuscript management tool; and
access is limited to people performing relevant functions;
- employee and contractor data.
The data-items are limited to that relevant to the relationship.
Disclosures are limited to name, position description and
contact-point, as displayed in the AIS staff directory.
Consent means your concurrence with an action to be
taken by AIS. Consent may be express or implied, but in either case
must be informed and freely-given.
Jurisdiction means the sphere of authority within
which relevant legal powers may be exercised, in particular within
which a particular court has authority. AIS is incorporated in Illinois
USA. Its primary operations are in Georgia USA. Its officers and agents
are in many locations around the world, and hence AIS may under various
circumstances be subject to laws in a wide variety of jurisdictions.
Undertaking means an enforceable obligation that
arises from a statement made, or an assurance or commitment given. In
each case where this Privacy Policy Statement says that "AIS
undertakes" to do something, that statement gives rise to an
Undertaking.
This document is a licensed adaptation of the Privacy Statement Template
published by Xamax Consultancy Pty Ltd. The Template has been adapted
to the extent necessary to customise it to the context in which AIS
operates.
This document was drafted in
October-November 2008, and amended in May 2009, by a Task Group
established by David Avison, AIS President, comprising Robert Davison,
City University of Hong Kong (Chair), Cynthia Beath, University of
Texas at Austin, and Roger Clarke, Xamax Consultancy Pty Ltd and the
Australian National University, and reviewed by the Executive Director.
|