If you don't have the time or inclination to install and run your own server, then we can do it for you. Two support levels are available. Level 1 covers initial installation and setup, while Level 2 covers full hands-off annual maintenance. Whether or not you enter into a support contract, you will still have GDPR obligations in your capacity as the data controller for your club. These are briefly covered below. You should note, in particular, the recommendation in item 4 for the location of your club server.

Please note that these support contracts do not cover the creation of a WordPress website, or support for these third-party programs, unless there's an issue with the installation itself:

  1. WordPress: this is tested with a plain 2023 theme, and has a plugin installed to use bcrypt passwords, but is otherwise unmodified. Whoever is responsible for your WordPress site has full ssh access to the WordPress installation
  2. DokuWiki: the installation is again tested, but unmodified
  3. Roundcube: this is extensively tested with Sieve filters and multiple mailboxes, and for mailbox consistency with Thunderbird. If you encounter issues with additional plugins, you should consult the online help, or the user community (see the Roundcube website for details)

Please also note that:

  1. There are no member limit restrictions; it's your server, and you can do whatever you want with it.
  2. We can't provide support for your Stripe account, or Stripe dashboard operations. This is a complex area, which is best handled by your club treasurer.
  3. The 0623 image size is fixed at 20 GB. This limits your server to about 10 GB of mail storage. This restriction is likely to be removed in an update; this will allow you to use the full storage available from your VPS provider. The external mail reference manual (SwimAdminExternalMail.pdf) includes instructions for removing unwanted mail from the server.
  4. The installation includes Maia EDA's cryptographic Public Key in the root account (in /root/.ssh/authorized_keys). This allows us to carry out automated updates on your system, to handle bug fixes and add new functionality, and to carry out system restores. You can remove this file if this concerns you, but it is required for Level 2 support. You should note that if you remove this file, and you lose your own root password, then your options for system recovery may be limited. Whether or not we can reset your root password will depend on whether your VPS provider allows the VPS to be booted into rescue mode.
  5. VAT is not chargeable on these Support Plans; the price you see is the price you pay.
  6. When entering into a Level 2 support contract you, as the Data Controller for your club, are asking us to process personal data on your behalf. This is also the case for a Level 1 contract, if we load the initial member data for you. This imposes statutory requirements under Article 28 of the UK GDPR, which are covered in the written support contract, which you will need to sign.
  7. As a not-for-profit club that deals only in its own member data, you are exempt from ICO registration, and you are not required to inform the ICO that you are exempt. However, this does not affect your responsibilities under the Data Protection Act 2018, which are described below.
  8. We cannot guarantee site uptime; this is the responsibility of your VPS provider. The provider is likely to guarantee at least 99.9% uptime (in other words, less than 44 minutes of downtime a year).
  9. We cannot be held liable for third-party datacentre failures which result in the loss of your site. However, if you have a Level 2 contract, we will transfer your site to another datacentre, as described below.

Level 1 Support

Level 1 covers site installation, at a one-off cost of £280.00. If you decide to move to a Level 2 contract within the first 3 months this will be deducted from the Level 2 price. Level 1 includes:

  • Server installation and, if requested, initial import of club members. The import imposes GDPR requirements which require an additional contractual agreement
  • All first-year site costs apart from domain name registration
  • We can, if you'd prefer, sort out the domain name purchase as well, at cost (please first make sure that the name is available). This is likely to be somewhere in the region of £20 for a two-year contract. If you purchase the name yourself, you will need to supply us with your login details at the name registrar, to allow us to change the name servers
  • The domain name, DNS account, and VPS account will be transferred to you on completion of installation.

Level 2 Support

Level 2 is available at an annual cost of £620.00. This can be cancelled at the end of the support period, in which case the VPS and DNS accounts will be transferred to you, and you will become responsible for continued maintenance. If you don't yet have a site, this price includes the Level 1 installation and, additionally:

  • All site costs apart from domain name renewals (we will renew the domain, but additionally invoice you at cost)
  • Automatic updates with bug fixes and new functionality
  • Nightly backups, with 15 restore points (last 7 days, then previous 3 weeks, then previous 5 months)
  • Up to one complete system restore per year, to a point in time up to 6 months ago. Additional restores are priced at £50. Note that a system restore will result in some downtime; we will endeavour to complete a restore within two working days
  • In the event of a datacentre failure which (a) results in the loss of your site, and (b) has a duration of at least 36 hours, we will transfer your site to another datacentre at no cost
  • This support level does not explicitly cover general technical queries and assistance, unless the assistance pertains to a software failure. However, we will endeavour to reply to general assistance requests submitted by email in a timely manner.

Data Protection Act 2018

The UK DPA 2018 is the UK legislation which covers data protection. It references EU Regulation 2016/679, which is the 'GDPR'. With minor changes, this is referred to as the 'UK GDPR'.

Swim England has published general data protection advice for swimming clubs here. However, this is simply a general overview, and does not cover your responsibilities under the Act. At the time of writing, the further guidance linked to on the Sport and Recreation Alliance website has been unavailable for some months.

Your club stores the personal data of your members, and you therefore have specific responsibilities concerning the use and handling of that data. It doesn't matter how or where the data is recorded. If, for example, you want to send an email to a member, the Act doesn't distinguish between the manual process of looking up an address on a card index or a spreadsheet and then sending an email, and automating the whole process on a computer (which might be your laptop, or a server on the other side of the world). In a general sense, the use of SwimAdmin therefore imposes no more responsibilities on you than you currently have.

However, the use of a computer to record and 'process' your member data does, in fact, impose certain additional responsibilities on you. The list below attempts to describe these responsibilities, and other aspects of data protection, and how they are specifically addressed by SwimAdmin. This should not be considered to be legal guidance.

1) Cookies

The GDPR states that 'online identifiers', including cookies, may be used to create a 'trace' which can be used to identify a natural person. The software must therefore inform users of the existence of cookies, and allow them to opt out of cookie usage.

If a user logs out of SwimAdmin (or simply closes their browser window), they would, in normal circumstances, have to log in again when next visiting the site. However, a cookie on the user's computer can instead be used to log the user in automatically. This type of cookie is sometimes referred to as an authentication cookie and, as such, is specifically exempted.

SwimAdmin uses a single authentication cookie. When the user logs in they are given the option to use this cookie, with an explanation. This selection tickbox defaults to 'On', because of the exemption, and because this is a member-only website whose members are already identified natural persons.

No other cookies are used. Most websites use some form of analytics and advertising cookies, but these have no value in the context of a member-only site.
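The page does not show how SwimAdmin's authentication cookie is implemented, so the following is an added illustration (not SwimAdmin's code) of how a persistent-login cookie of this kind is typically built so that it carries no personal data: the browser holds an opaque random token, the server stores only a hash of that token together with an expiry, and logging out revokes it. The cookie name, the 30-day lifetime and the store class are assumptions for the example.

```python
"""Persistent-login ("remember me") cookie, defender's version.

Hypothetical example, not SwimAdmin's code. The browser receives an opaque
random token; the server keeps only the token's SHA-256 hash, so a leaked
token table does not hand out usable sessions. Logout revokes the token.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

COOKIE_NAME = "swim_remember"       # constructed name, not SwimAdmin's
LIFETIME_SECONDS = 30 * 24 * 3600   # 30 days; assumed policy for the example


class RememberMeStore:
    def __init__(self) -> None:
        # token_hash -> (user_id, expires_at). Never the raw token.
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a token for user_id and return (raw token, Set-Cookie header).

        Only called when the user ticked the 'keep me logged in' box. The
        header marks the cookie HttpOnly (no script access), Secure (TLS
        only) and SameSite=Lax (not sent on cross-site POSTs)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._tokens[self._hash(token)] = (user_id, now + LIFETIME_SECONDS)
        header = (
            f"{COOKIE_NAME}={token}; Max-Age={LIFETIME_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax"
        )
        return token, header

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented cookie value to a user_id.

        Returns None for unknown, revoked or expired tokens; expired entries
        are dropped as soon as they are seen."""
        now = time.time() if now is None else now
        key = self._hash(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._tokens[key]
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Logout: forget the token so the cookie in the browser is useless."""
        self._tokens.pop(self._hash(token), None)

    def clearing_header(self) -> str:
        """Set-Cookie header that instructs the browser to delete the cookie."""
        return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = RememberMeStore()
    tok, set_cookie = store.issue("member42")
    print(set_cookie)
    print("resolves to:", store.resolve(tok))
    store.revoke(tok)
    print("after logout:", store.resolve(tok))
```

The cookie value identifies nothing about the member on its own; it is only meaningful to the server that issued it, which is what distinguishes an authentication cookie from the tracking cookies the section above says SwimAdmin does not use.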

2) Data sharing

Data sharing is covered by a statutory code of practice, which is made under section 121 of the UK DPA 2018. There are two specific cases in which you will be sharing personal data:

  1. Any authorised club official can view personal member data in the SwimAdmin database
  2. If a support contract is in place, Maia EDA can also view personal member data, by virtue of either uploading the member data to a new server, or being in possession of a cryptographic private key which allows access to that server

However, neither of these activities qualifies as 'data sharing' for the purposes of the code of practice; they are both specifically excluded. The first is simply an example of sharing data within an organisation (the authorised officials of your club), while the second is covered by the transfer of data from a Data Controller to a Data Processor.

You do, however, have a responsibility to ensure that only authorised officials have access to this data, and that the access is password protected. SwimAdmin fulfils both these criteria. Each club official on your database has a set of flags which can be set from the Administration front-end. To enable access to private data, you should set the 'View confidential data' flag. This flag will also be automatically set if you set the 'Edit official and member tables' flag.

3) Loss of personal data

Swim England states, on their data protection guidance page, that "committee members should be discouraged from creating their own contact lists/spreadsheets. Best practice is to keep information central to the clubs online management system."

This advice of course also applies to any other club officials, including coaches. However, this is not simply 'best practice': email addresses are personal data, and the members involved are unlikely to have given consent to have their private details shared among arbitrary officials (and possibly other members). The practice of creating ad-hoc contact lists clearly breaches both safeguarding and data protection guidelines. A related issue occurs when club officials use their own public email addresses to contact children, bypassing both safeguarding policies and traceability requirements.

SwimAdmin handles this issue by creating new private email addresses for all officials and members. These can be used only for internal club emails (the mail server does not allow unknown or unauthorised senders to contact these addresses). The system automatically creates mailing lists for your squads, and club officials must be given specific permissions to allow them to contact members or squads.

SwimAdmin also includes SMS messaging functionality. Member phone numbers are handled automatically during messaging, and are never made visible to the sender.

4) The location of your club data

If the computer containing your private member data is not physically located in the UK, then you must consider whether:

  1. The transfer of data to and from that computer is an 'international data transfer' for the purposes of GDPR, and
  2. The state in which your computer is located has sufficient data protection laws to allow you to fulfil your GDPR obligations.

The ICO guidelines on international data transfers can be found here. As the ICO states, "People risk losing the protection of the UK data protection laws if their personal data is transferred outside the UK". However, it is clear that if the transfer is simply within your own organisation, it does not technically qualify as a transfer of personal data for the purposes of the Act.

The situation is not quite so clear-cut, however. A computer based outside the UK is not subject to UK law. If your data is on that computer, it is also not subject to UK law. Both the UK and the EU therefore publish 'adequacy lists' of countries which they consider to be adequate for the purposes of the UK and EU GDPR regulations, respectively. The UK's list can be found here (you can ignore the 'priority destinations' list), while the EU's list can be found here. We strongly recommend storing your data on a computer which is either in the UK or on the UK adequacy list. Note, in particular, that this does not include the US. For simplicity and transparency, we suggest using a datacentre which is located in either the UK or the EU.

5) Communication with your server

Your SwimAdmin server is locked down, and automatically carries out security updates. Only club officials and members have a login, and can view anything beyond the front page. All communication with your server is encrypted using SSL/TLS technology. An SSL certificate is obtained from Let's Encrypt, and is regularly renewed. This certificate is required to access:

  1. Any pages that you view on a browser, including any use of Roundcube for sending or receiving emails
  2. Any communication between a local email client (such as Thunderbird) and the server

However, this does not mean that end-to-end email communication is encrypted, because your email will have to pass through other mail servers on the internet. When sending sensitive member data you should therefore use a mail client which allows message encryption (such as Thunderbird), or send encrypted data files.

6) Financial data

No financial data is stored on, or available to, your server. When your members make online payments, they communicate directly with Stripe, using iframe technology. The appearance of entering card details on a SwimAdmin webpage is, in effect, simply an illusion for payment convenience.

7) User passwords

No plaintext user passwords are stored on the server, so they cannot be lost or leaked from it. Passwords are recorded only in a hashed and salted form, in exactly the same way as Linux user passwords.
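To make concrete what "hashed and salted" buys you, here is an added example (not SwimAdmin's code; the page does not say which hash function the server uses) of the scheme Linux applies to /etc/shadow entries, written with the Python standard library: a random salt per password, a slow key-derivation function, a self-describing stored record, and constant-time verification. The record format and the iteration count are choices made for this example.

```python
"""Salted password hashing and verification in the style of /etc/shadow.

Hypothetical example, not SwimAdmin's code. Uses PBKDF2-HMAC-SHA256 from the
standard library; the algorithm the real server uses is not stated on the page.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored record "pbkdf2_sha256$iterations$salt$hash".

    A fresh 16-byte random salt is generated unless one is supplied (only
    useful for reproducible tests). The record carries everything needed to
    re-check a password later, but not the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count.

    The comparison uses hmac.compare_digest so that the time taken does not
    reveal how many leading bytes of the hash matched. Malformed records are
    rejected rather than raising."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Two members who choose the same password get different stored records,
    because each record has its own random salt. A leaked table therefore
    cannot be cracked once and applied to every account."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong", record))
    print("salt makes records differ:", same_password_different_records("hunter2"))
```

The point of the slow key-derivation function is that even if the stored records were copied off the server, each candidate password would have to be run through the same 200,000 iterations against each record's salt; the salt also defeats precomputed tables. Linux uses the same structure (algorithm id, salt and hash in one field) in its shadow file.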