Privacy Policy

Introduction

Amnesty International’s Security Lab is committed to ensuring the privacy of all our users. We have long campaigned for the right to privacy and against government unlawful surveillance and intrusion. This policy represents our commitment as an organisation to your right to privacy, giving you a clear explanation about how we use your information and your rights over that information. The same principles also apply when we collect personal data from you through other channels (e-mail, phone calls or messages, etc.). 

This policy applies to all online systems offered by Amnesty International’s Security Lab. The Security Lab is part of Amnesty International Limited, the main operating company of the Amnesty International’s International Secretariat, registered as a company limited by guarantee in England and Wales (number 01606776). 

Amnesty International Limited is the registered data controller to which the policy refers. Our full details can be found at the end of this policy and please feel free to contact us with any questions related to it. 

What types of information do we collect and how? 

The type and amount of information we receive and store depends on how you use our website. You can access most of the pages on our website without telling us who you are and without revealing any personal information, other than your IP address. 

Our web servers use cookies and collect logs during user visits to our website, which provide valuable information for improving them in the future. For more information see the separate Cookies page

We also collect personal information, which is information that relates to an identified or identifiable individual. Personal information could be as simple as a name or a number, or could include other identifiers or personal information about you such as an IP address or a cookie identifier, or other factors. 

We may collect personal information, which may include your IP address, in the following ways: 

  • When you visit the website and device information is automatically collected, such as your IP address; 
  • When you contact us through email or our public mailbox at [email protected]
  • When you fill in the Digital Forensics Support Form
  • When you share forensic records with the Security Lab for analysis; 
  • When you apply for an opportunity with us, such as the Digital Forensics Fellowship. 

If you choose to provide it, we can collect the following types of personal information from you: 

  • Name; 
  • Age; 
  • Occupation; 
  • Nationality; 
  • Country of location; 
  • Email address; 
  • Phone number; 
  • “Special category data”1 or sensitive personal data, including gender, ethnicity, sexual orientation, political opinions, religious or philosophical beliefs, disability and criminal convictions; 
  • Forensic data from your devices which may include system log files and, in some instances, personal communication data including SMS messages and browsing history. 

How do we use the information collected? 

We use your personal information collected via our websites for the following purposes: 

  • To communicate with you; 
  • To manage and process inquiries and other interactions with you; 
  • To provide you with personalised service and support; 
  • To provide you with information about new digital threats and ways to protect yourself; 
  • To prepare aggregate analysis about the scale of digital attacks, their outcomes and geographical distribution; 
  • To share your data with other Amnesty International organisations or with trusted third parties (further details below); 
  • To improve our websites; 
  • To fulfil any legal obligations. 

Legal basis of processing

Data protection law requires us to have a legal justification to process your personal information. We use the following depending on the type of data and the type of processing: 

Consent

We require your consent to communicate with you, for example sending you information on new digital threats, responding to your Digital Forensics Support Form submission, or responding to an application you’ve made with us. If you provide us with sensitive personal information (including details of your race, ethnicity, gender) we will only process that information with your consent. 

Legitimate interest 

We sometimes share your personal information with other parts of the Amnesty International global movement or trusted third parties (see below). This is done to provide you with personalised support and coordinate efforts across civil society. 

Legal obligation

We will process your personal information to fulfill any legal obligations placed upon us and if lawfully required to do so by a legal authority or a court of law. 

Necessity

For example, where you are applying for an opportunity with us, processing certain information is necessary for employment purposes. 

Security

We take appropriate security measures to ensure that we keep your information secure, accurate and up to date. However, the transmission of information over the internet is never completely secure, so while we do our best to protect personal information, we cannot guarantee the security of information transmitted to us. 

Third-party Websites 

On our website we sometimes have links to third-party websites or applications, or embedded content from third party websites (which will be explained / noted on the relevant pages). This policy does not apply to such pages or applications hosted or operated by other organisations. This may include the websites or applications of Amnesty International sections or related organisations or third-party sites. These other websites may have their own privacy policies which apply to them. 

Sharing of your personal information 

We will only share your personal information in the following circumstances: 

Sharing with other parts of the Amnesty International global movement 

Amnesty International’s Security Lab is one part of Amnesty International’s global movement. Our movement is made up of over 60 membership organisations working to end human rights violations globally. Some of these bodies are formally constituted and others not. We may share your information with these entities who may then use your personal information in connection with their activities. For example, if you have submitted a forensic request to us, we may share your name and organisation with the relevant Amnesty International regional office or national section to help vet and process your case. To the extent that sharing your information in this way requires us to transfer your personal information outside of the EU, we have contractual arrangements in place to ensure that your data is shared and processed by the recipient organisation to an EU standard. 
 
In the case of recruitment, your personal information is stored in Amnesty International Limited infrastructure. To the extent that sharing your information in this way requires us to transfer your personal information outside of the EU, we have contractual arrangements in place to ensure that your data is shared and processed by the recipient organisation to an EU standard. 

Hosting and processing arrangements 

Our website is hosted by third-party service providers and therefore any personal details you submit through them may be processed by that third-party service provider, such as your IP address or email address.  

The Digital Forensics Support Form is hosted internally by the Security Lab, which means that all collected data is only stored and processed on infrastructure administered and controlled by Amnesty International’s Security Lab. This system complies with this policy. 

We also use other third parties to process your personal details to process all information associated with applications for opportunities and related recruitment processes. 

All third-party services providers are bound by contractual terms that are compliant with data protection law. 

Other sharing

We may also share your personal information with your permission, or if we are legally required to disclose your information in circumstances where this cannot be reasonably resisted. 

In some circumstances your information may be shared with third parties, such as other parts of Amnesty International global movement or trusted civil society partners. Examples include if a trusted partner organisation is also supporting your case, we might get in touch to coordinate efforts. In these circumstances, information would be shared confidentially and exclusively with need-to-know parties. 

Use of cookies

A cookie is a text-only piece of information that a website transfers to your computer’s hard disk so that the website can remember who you are. A cookie will normally contain the name of the Internet domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number. 

If you wish to restrict or block cookies you can set your internet browser to do so – click on the following link for more information: www.aboutcookies.org. 

Please refer to our Cookies Policy for more detailed information on cookies and how Amnesty International’s Security Lab uses them. 

Under 18s 

If you are under 18 years of age, please make sure that you have your parent/guardian’s permission before giving us personal information. 

Retention Period for Data 

We only hold your personal information on our systems for as long as is necessary for the purposes outlined above. We remove personal data from our systems once it is no longer required, in line with our guidelines on how long important information must remain accessible for future use or reference, as well as when and how data can be destroyed when it is no longer needed. 

The length of time each category of data will be retained will vary depending on how long we need to process it for, the reason it was collected and in line with any statutory requirements. After this time the data will either be deleted, or we may retain a secure anonymised record for research and analytical purposes. 

Your rights over your personal information 

The personal data we hold about you is yours. You have the following rights over your information: 

  • To be informed how your data is being processed; 
  • To access your data; 
  • To rectify any data that is inaccurate; 
  • To instruct us to delete your data; 
  • To restrict our processing of your data (which includes contacting you via email) at any time; 
  • To object to your data being stored; 
  • To move your data. 

Recruitment Privacy Statement 

Amnesty International Limited is committed to the responsible handling of personal information collected as part of the recruitment process. 

Information provided by you in connection with your application will only be used by Amnesty internally in relation to recruitment and selection processes and will not be disclosed to a third party without your consent, except as required by law and except to our service provider (see our general statement for more details). 

Sensitive personal information such as gender, age, sexual orientation, religion and faith, caring responsibilities, disability, ethnic origin and region of origin will be anonymised and will be used for cultural diversity and equal opportunities monitoring purposes only. Unsuccessful applications will be retained for a period of three years after the conclusion of the selection process. We will also ask that you confirm that you are happy to process in the form of our declaration, printed below: 

Declaration 

I confirm that the information provided in my application is true and complete. I agree that any deliberate omission, falsification or misrepresentation in the application form will be grounds for rejecting this application or subsequent dismissal if employed by the organisation. Where applicable, I consent that the organisation can seek clarification regarding professional registration details. I consent to Amnesty International processing my personal information on the privacy terms set out above. 

If you wish to exercise any of these rights or have any questions about this policy, you may contact us in the following ways: 

By email: [email protected]

Complaints

If you wish to lodge a complaint about our handling of your personal data, please get in touch with us on the address above with the details of your complaint. We aim to respond to all complaints within 14 working days. 

If you are dissatisfied with how we have handled your complaint you may lodge a complaint with the Information Commissioner’s Office which is the UK regulator in charge of data protection and privacy enforcement: 

Website: https://ico.org.uk/global/contact-us/ 

Telephone: 0303 123 1113 

Last update: March 2024