Data notice: 30 April 2017

This data notice explains changes to the way we store data on MailChimp, following an issue we identified.

By Civil Service LGBT+ Network

When you register for our newsletter, we ask you for some personal information, including your name, email address, and whether you are LGBT+.

We store this information using MailChimp. After you submit the registration form, this data is sent to MailChimp, and we use it to contact you about our work.

When we send emails to you through MailChimp, there is a link at the bottom of each email that allows you to “Update your preferences”. This link takes you to a page where you can update your name, email address and other personal information. The link is unique to you.

In March 2018, we discovered that if the email was forwarded to someone else, the recipient of that email could use the same link to access your personal information. This is how MailChimp is designed to work, but we had not previously identified the specific concerns this might cause our members.

Once we discovered this issue, we took immediate steps to prevent the same issue occurring again:

  1. All ‘sensitive personal data’ such as your sexual orientation and gender identity was immediately deleted from our mailing list. This means that if someone now clicks one of the “Update your preferences” links in an email you have forwarded to them, they will not be able to access this information. They will still be able to access your name and part of your email address.
  2. We immediately made changes to our registration forms so that we no longer collect some of this information in the first place, ensuring the same issue cannot occur again.

We have changed our default newsletter templates to ensure that the “Update your preferences” link no longer links directly to your personal data. We have developed a more secure way for you to update your data.

We have also updated our registration processes to comply with the General Data Protection Regulation (“GDPR”), and this new process has been tested to avoid future issues such as these.

We have no reason to believe that this issue has enabled widespread access to your personal data — and the steps we have taken will mean it is no longer possible for this to happen — but please remember to only share our newsletters with people you trust.