Everyone involved with Cochrane should have a Cochrane Account. When people activate their Cochrane Account, they consent to us storing and using their data.
Please encourage people who want to get involved in Cochrane's work to create their own Cochrane Account. This has benefits for both Groups and individuals.
- avoid collecting personal data on Group contact forms
- reduce the creation of duplicate accounts
- ensure we track people's contributions to Cochrane across the organisation
Cochrane Account holders can:
- view and edit their own personal details
- choose which newsletters they wish to receive
- access training
- find out more about ways to contribute to Cochrane
Any existing contacts in our contact database (Archie) who have not activated their Cochrane Account can do so by clicking on the ‘Reset password’ link on any Cochrane Account login page.
If you create a new contact record using the Archie New Person Wizard, this will automatically also create a linked Cochrane Account. Newly-created contacts receive an email informing them that we are storing their data and inviting them to activate their account. If the contact provided their personal details on a Group Contact or Registration form, delete or shred the form once the person’s details are stored in Archie.
The Archie Knowledge Base provides guidance on dealing with deceased contacts, contacts with no valid email address, merging duplicate contacts and contacts who request that their personal information be deleted from our systems.
You should not need to collect data on individuals outside of our core systems. If you do this, you should inform the individual about how you will store and process their data and seek their consent for doing so. You must have a lawful basis for storing personal data - details can be found here.
Cochrane provides central systems to store personal data (such as Archie) and you should use these systems. Our central storage is regularly backed up and is secure (accessible only to those with permissions). Personal data (for example, names and email addresses) should not be stored locally in Group files or on spreadsheets.
To comply with GDPR legislation, you need to:
- keep data secure,
- keep data up to date,
- ensure data held are correct, and
- ensure data held are relevant.
Archie can do this for you. If you use Archie to store personal data, you do not need to worry about your Group’s compliance with GDPR. You also help to ensure all our systems contain up-to-date information.
If you store personal data on spreadsheets, the burden of updating is greater, and the risk of the information being out of date, inaccurate and insecure is higher. Externally-stored data will also become out of date if a user changes their own contact details in My Account.
GDPR requires that data be kept up to date. With a single database we can control what personal data are stored and be GDPR compliant. Importantly, if a person requests disclosure or deletion of their personal data, this can also be shared or erased from one source. If they are listed in external spreadsheets, these also need to be searched and that data erased. The burden of doing this is the primary argument for avoiding spreadsheets.
Storing data safely outside Archie
If you need to keep data on external files or spreadsheets, you should only include minimal personal information. Please avoid storing several types of personally identifying information together, such as lists of names and email addresses. If they are necessary, spreadsheets and local files must be securely stored, with password protection, encryption and written procedures on how they are kept up to date, relevant and correct. Do not print spreadsheets or other files out or send them via email.
You can store mailing lists in a dedicated secure mailing programme such as MailChimp.
If you have any questions about this or need further assistance, please contact the Cochrane Support team: email@example.com.