This site only provides personal web hosting for the owner and email forwarding
and file hosting services for non-profit organisations of which the owner is a
member. As such the only personal data held are e-mail addresses, usernames, amateur radio callsigns
and passwords of members of these organisations as end users or as delegated
administrators for file hosting or e-mail lists.
It is believed that this falls within the letter and spirit of the Data
Protection Act exemption documented at:
As of 20th September 2011 a data protection act registration
was sought (reference zug284) on a voluntary basis
at the owner's expense to ensure that the owner and the organisations that use
this service are protected. This was granted with reference Z2865639 on 26th
September 2011 and has been renewed annually. The registration is in the
"General Business" category and is covers significantly more than is actually
done by moffatig.com or any of the organisations that use this service.
A copy of the registration can be viewed by entering the registration number at
Access by data subjects to their data
Data subjects may request access to their data on the system from the
owner by sending a stamped, self addressed envelope or an e-mail to
There will be no charge for the first request in each calendar year.
Subsequent requests will be charged at the maximum rate permitted by
authentication and session state and authorised users will be informed
of this as part of the password entry prompt.
This site does not track user's activity on other sites or analyse
user behaviour in any way (although the right to review access logs
for security audit or application support is reserved by the site
Other persons with access to the data
- The site owner
- The web hosting provider (Aceshells Ltd. in the UK) and
the backup provider (rsync.net) in Switzerland have access
to any data stored in this server as a consequence of the
virtual server and the daily backups respectively being
hosted on their hardware.
- The administrators of the various websites and mailing lists
have access to the data within their own websites and the e-mail
addresses and message history of their own lists.
- The site owner will make available to the police or other
UK public authorities as is required by UK law in case of
a criminal investigation.
Statement of Principles
The data protection act registration requires the data controller to
confirm compliance with a number of requirements which are:
- Adopting an information security policy? (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data)
- Please see security.html
- Taking steps to control physical security? (for example, locking doors of the office or building where computer equipment is held)
- The moffatig.com servers are hosted by aceshells.co.uk in managed data
centres. Please see: http://aceshells.com/bargain-virtual-dedicated-servers.php for more detail. Both servers are in managed data centres with controlled access.
- Putting in place controls on access to information? (for example, introduction of password protection on files containing personal data and encryption)
- All access to the server at operating system level is secured by passwords and encrypted protocols are used for access wherever possible. Access is limited to trusted IP addresses to the greatest extent possible. All application access (other than web content and incoming e-mail) is controlled by passwords and IP address restrictions.
- Establishing a business continuity plan? (for example, holding a backup file in the event of personal data being lost through flood, fire or other catastrophe)
- The owner maintains two virtual servers at different locations in the UK and the active server is backed up to a virtual disk hosted by rsync.net in Switzerland daily and before major configuration changes. the backups from one server can be restored onto the other with less than one man-day of effort.
- Training your staff on security systems and procedures? (for example, are staff aware of their responsibilities, are they aware that personal data should only be accessed for business purposes?)
- The owner has received extensive data protection training in the course of
his employment. The delegated administrators of the various lists have been
advised to consider their responsibilities as data controllers of their own
members' information and the relevance of the exemption for non-profit bodies.
No delegated administrator has access to anyone else's data or to the operating
- Detecting and investigating breaches of security when they occur? (for example, producing audit trails that log access to personal data and can be attributed to a particular person)
- All access to the server at operating system level, to upload files, and
to administer web applications is authenticated and logged including a user
name and IP address. All logs are replicated off the machine to a remote file
store. All e-mails sent through the list server are logged and archived. The
message archives are only available to system administrators. A host level
intrusion detection system with real time alerts sent to the owner and archived
remote from the system has been installed.
Last Updated 14th January 2014
Copyright © moffatig.com