Privacy Policy of the eVotUM Electronic Voting System

Version: 1.0

Date: 26th of January, 2017

Voting

All the voting processes supported by the eVotUM electronic voting system are governed by the respective electoral rules, subject to the provisions of Law no. 67/98 of the 26th of October - Personal Data Protection Law (that transposed into Portuguese law the Directive 95/46/EC of the European Parliament and of the Council of the 24th of October 1995, on the protection of individuals regarding the processing of personal data and the free movement of such data). University of Minho is attentive to the Regulation (EU) 2016/679 of the European Parliament and of the Council, of the 27th of April 2016, repealing that Directive, and whose time limit for the entry into force was set for the 25th of May 2018.

University of Minho ensures that the computer system and software used for the electronic voting in the eVotUM electronic voting system, are properly ring-fenced, reliable, auditable and transparent, guaranteeing the uniqueness and universality of the votes, as well as their confidentiality, integrity and anonymity, ensuring the authenticity of the voter.

Information Gathered

The electronic voting system uses the information provided by the user when requesting credentials for accessing the electronic services and systems of the University of Minho and collects two types of information: information voluntarily supplied by the user (alternative e-mail address and mobile phone number), and information collected automatically by the portal through the use of cookies.

The data provided voluntarily by the users is used solely and exclusively to provide information in the context of electronic voting. We should note, however, that making this data available by the users is not indispensable for them to use the eVotUM electronic voting system, namely, so they can exercise their right to vote.

The collection and processing of such data has been the object of communication to the National Data Protection Commission (CNPD - https://www.cnpd.pt/), having been authorised by this organisation. The following information was provided in the communication to the CNPD:

• Organisation responsible for the processing of personal data - University of Minho; 
• Purpose of the processing of personal data - electronic voting via the eVotUM network voting system;
• List of personal data processed - name, personal/voter number, e-mail address, photo, telephone number, civil identification number, alternative e-mail address and alternative telephone number;
• Direct data collection - alternative e-mail address and alternative telephone number, via the URL https://evotum.uminho.pt; 
• Indirect data collection - the name, personal/voter number, e-mail address, photo, telephone number and of civil identification number are obtained from the data provided by the voter to the University of Minho;
• Communication of data to third parties - there is no communication of data to third parties;
• Interconnections - there are no treatment interconnections;
• International flows of personal data to third countries - there are no flows to countries outside the EU/EEA (European Union/European Economic Area);
• Maximum period for the storage of personal data - two years after the voter no longer has the ability to act as a voter in elections held at the University of Minho;
• Exercise of the right of access to data - by written communication addressed to the Rector of the University of Minho.
• Physical security measures of the system - security measures of the Datacenter premises that will contain the eVotUM system:
  • The DTSI (Technology and Information Systems Department) has a CCTV system for which it has requested permission for the collection of images (CCTV) in the area surrounding the immediate vicinity of the building, the access corridor to the Datacenter and its interior;
  • The access to the DTSI premises is made with the use of the employee card; the access to the corridor of the Datacenter is made with the use of the employee card; the access to the Datacenter is made by biometric identification (iris recognition).
  • The DTSI premises are protected by an intruder alarm system.
  • The Datacenter is protected by an intruder alarm system composed of impact sensors that protect against any intrusion attempt made directly from the exterior. 
  • Access to the Datacenter by entities external to the DTSI is always accompanied by an element of the Datacenter’s management team.
• Logical security measures of the system - the eVotUM system incorporates the appropriate means and mechanisms to ensure the correct handling of information, particularly in the creation, storage, query, update, transfer and disposal of data, respecting the applicable internal and normative policies and standards for information security, ensuring the following:
  • All applications have user profiles configured with different privileges, ensuring that no user is granted more privileges than necessary;
  • User access to the different applications is based on strong authentication mechanisms, or where this is not possible, the best practices in the use of passwords are adopted;
  • To ensure the confidentiality of traffic, all communications use the TLS protocol;
  • The EVotUM system has mechanisms that support security audits.

In addition, the proper security policies and mechanisms will be taken into account, at the level of the network and operating system, to ensure state of the art safety standards.

Cookies policy

Cookies are small files, with alphanumeric information, stored in the hard disk of the user’s computer by the user’s browser while he browses the Internet. Cookies are required for the eVotUM electronic voting system to distinguish each user and to maintain the state during web browsing.

University of Minho uses cookies to improve the performance and browsing experience of the user. Any browser allows the user to accept, refuse or delete cookies in the settings of the browser itself. If a user chooses to disable cookies, some features of the eVotUM system may no longer function, thus affecting his voting experience or navigation on the eVotUM electronic voting system.

Session cookies are used in the eVotUM electronic voting system portal, which make it possible to record user preferences, such as the language in which the website should be presented, as well as to keep the authenticated users logged in. This type of cookies is automatically deleted when the browser is closed. Persistent cookies, however, (which are not used by the eVotUM electronic voting system), make it possible to store necessary information between sessions, for example, to indicate that the user is aware of the cookie policy. This type of cookies (persistent) remains on the computer until the expiration date or until they are deleted by the user.

Final Considerations

University of Minho reserves the right to amend the rules described in this policy and we encourage you to check this document regularly.

University of Minho is not responsible for the improper use of the information contained in this website.