Can I just state… This project is a very small part of the overall bigger picture.
I’m already engaging with two squadrons in my patch regarding staffing issues, and supporting their recruitment of volunteers from the local area.
In answer to the original question, the GIS industry standard answer would be to use some part of ESRI’s software (ArcGIS or similar, for visualisation) - they do have online tools too (e.g. https://www.arcgis.com/home/webmap/viewer.html?useExisting=1). Similar results could be obtained with, among others, the Google Maps API.
However, as others have said, you are in very dodgy GDPR territory. Given that SMS does not have an API, this implies that you’d need to store home addresses / postcodes somewhere else. RAFAC staff consent for their data to be stored in SMS - this does not extend to other data storage systems. Unless you obtained explicit consent from every member of staff in your Wing to do this, I would put money on MOD legal / ICO coming down on you pretty harshly if someone made a complaint.
I don’t see the data protection issues if only an approximate location and Sqn is used, without any other personal data. That would show that a staff member from 123 Sqn lives in that area but no indication of who they are. SMS would be used to look up full details or a cross reference list could be stored as a document on Bader SharePoint.
Having read through this thread again, the data I plan to use is postcode and position, i.e. officer, SNCO, CI.
And as far as a pretty colour for each squadron.
Wait till you hear about Universe. It’s going to blow your mind.
And (as people still peddle this nonsense that consent is the only thing that matters under Data Protection Act 2018) you don’t need consent to store and process data if one of the other gateways exists. I would say this is almost certainly a legitimate use of data provided it is stored securely.
We aren’t talking about an official system that is essential to the running of the organisation, this is just some local exec’s pet project.
@incubus has hit it on the head - the agreement with RAFAC is only to store on MOD owned / managed servers, not some random Excel spreadsheet that a WSO keeps, regardless of how “secure” they claim it is. Postcode is identifiable information, so is covered by GDPR.
(And sorry, but given my day job of managing datasets in a UK national centre that has just got close to £200m of Government funding for data engineering provision for a 10 year contract, I don’t think that Universe is ‘going to blow my mind’…)
Data protection is not as simple as “it can only be stored on SMS and nowhere else”.
Data can be shared for certain valid reasons. Data can be printed and is then stored in hard copy outside of SMS. Personal data can be anonymised which means that it is no longer covered by the GDPR…
There’s much more to it.
And? It’s a valid use of data to assess the staffing needs and abilities of the area. Sounds like a perfectly legitimate use to me.
Agree, it is much more complex than this thread has implied, but the safest approach I always advocate is, unless you have received legal advice, don’t do it.
There is a logic to that…
However if we stick too rigidly to the idea of ‘SMS, nowhere else’ then we would unnecessarily cripple our business output. We could never print nominal rolls. Event consent forms wouldn’t be allowed. Home to Duty couldn’t be claimed…
The GDPR brought some new processes to the DPA but it’s also worth remembering that JSP440 has previously required the use of decision making with regard to the sharing of information so this is not something new.
Nobody in the RAFAC should have access to information without having completed the required training and whilst it doesn’t make them an expert by any means it does give them the required mindset to think before they share/print/email/&c.
The difference with MOD forms is that they state “SENSITIVE WHEN COMPLETED” on them.
Thanks all.
I think I’ll just burn this project and spend my time with something else.
The storage outwith MOD accredited systems, and the DP consequences of holding data for other purposes, are 2 separate but sometimes related questions.
The OP needs to speak with “SO1 Policy and Plans” (GH) who is the SME for this stuff.
That’s not really relevant though… The words “OFFICIAL - SENSITIVE” (or their omission) on a sheet of paper don’t change the content or the legality of printing it. It’s not a sort of “get out of jail free card” which means that we can take information out of SMS only if we use the magic words.
No, I do agree! I should have highlighted additionally that those forms are managed by MOD employed staff, who have different responsibilities to volunteers (albeit paid ones).
I see what you mean…
Though that only really applies to the format of the form. Once I print a nominal roll for an event or collect in completed consent forms it is still my responsibility to properly protect the information.
The same principle would apply to our man/woman there creating a map of volunteer locations. It’d be their responsibility to protect the data and provided that they do so correctly that’d be fine.
I’d have to go and look at the wording, but I think collecting names to help organise an event would come under business need. I’m still not convinced that storing names and postcodes on a separate digital system, not run by the MOD, would be seen in the same light.
I’d say that as far as business need goes it’d be within the scope which makes the issue merely one of storage. In fact my first comment on the thread was to that effect.
The easy answer there is to store it in the Bader system.
We all have a Bader dropbox OneDrive account or it could go into the Wing sharepoint area.
Fixed that for you