Clarify what information is collected about individuals as part of CoC incident handling

[tobie]

Our CoC Policy requires records of all information and communication about a CoC incidents be kept.

In #1523, we're explicitly tying this record keeping requirement to our privacy policy (it was implicit before then).

Although the privacy policy does mention that the foundation "may also collect information relating to your participation in technical, governance or other Project-related meetings" and mentions governance as a legitimate interest for information collection, it doesn't mention CoC incident-handling directly.

Should the privacy policy be amended to mention CoC incident-handling directly or is the current language broad enough to address record keeping?

Is there specific information that should not be kept in incident records in order to meet privacy regulation requirements (notably GDPR)?

[joyeecheung]

I think it would be helpful and consistent if the privacy policy can be more explicit about personal information collected in the CoC process. For example it goes into great length about Event registration like this:

When you register for one of our events (e.g., conferences and summits) to participate as an attendee, a
speaker or a sponsor, we collect personal information that includes name, company, contact information,
and other information. We may also collect other optional personal information such as likes, interests,
dietary restriction, size preferences for conference attire gifts and other background information. In
addition, if you provide it, we may collect (1) personal information about disabilities, medical conditions
and allergies in order to provide appropriate accommodations for attendees, and (2) personal information
about your citizenship, date of birth, and passport details if you request assistance from us with obtaining
a visa letter to travel to one of our events.

It would be somewhat odd that it avoids going into details about CoC which is more likely to involve data in the special category of GDPR article 9 that needs special care when collected.

Another part of the privacy policy that caught my eye was this:

Except as specifically indicated within a Site, we do not knowingly collect or solicit personal information
from anyone under the age of sixteen (16), or knowingly allow such persons to register. If we become
aware that we have collected personal information from a child under the relevant age without parental
consent, we take steps to delete that information. Where we specifically indicate that we collect personal
information from children under 16, we will obtain the parent or guardian’s consent and provide adequate
notice.

I have seen quite a few contributors who appeared to still have school duties at day over the years. While I never pried into their exact age, they could be under 16 at the time they started contributing on GitHub, and could be involved in CoC incidents.

[rginn]

We’re meeting with the Linux Foundation Data Protection Officer this week to discuss these issues. I’ll share an update after.