
CoC record keeping must abide by privacy policy #1523


Open
wants to merge 5 commits into
base: main


tobie
Contributor

@tobie tobie commented Jul 30, 2025

Closes #1522.

…bide by the privacy policy

Closes #1522.

Signed-off-by: Tobie Langel <[email protected]>
Member

@mcollina mcollina left a comment

lgtm

@mcollina
Member

cc @joyeecheung

@tobie tobie requested a review from mcollina July 30, 2025 15:11
@@ -53,7 +53,7 @@ The number and relevant details of the reported incidents, escalation requests,

## Record keeping

A record of all communications related to an incident report, escalation request, or appeal must be kept.
A record of all information and communications related to an incident report, escalation request, or appeal must be kept, while ensuring that the requirements of OpenJS’s [privacy policy][] are met.
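Review bot: On the added line, "all information and communications ... must be kept" and "while ensuring that the requirements of OpenJS's privacy policy are met" can pull in opposite directions, and the sentence does not say which one governs when they conflict; consider wording it so the privacy policy bounds what is recorded rather than qualifying an obligation to keep everything. The reference-style link `[privacy policy][]` also needs a matching link definition, which is not visible in this hunk, so confirm it is added elsewhere in the file.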
Contributor

@joyeecheung joyeecheung Aug 2, 2025

Suggested change
A record of all information and communications related to an incident report, escalation request, or appeal must be kept, while ensuring that the requirements of OpenJS’s [privacy policy][] are met.
A record of adequate and necessary information and communications related to an incident report, escalation request, or appeal must be kept, while ensuring that the requirements of OpenJS’s [privacy policy][] are met.

From what I can tell the wording changes don't really address the questions in #1522 - the privacy policy doesn't say anything specific about CoC handling, and it tries very hard to limit data collection when it goes anywhere near GDPR Article 9 (see Event Administration and Analytics), so it still leaves the judgement to the moderators. If I was a moderator I still would not be able to draw from the privacy any conclusion if I ran into "sensitive political opinion shared during the handling of a CoC incident about nationality discrimination", and I needed to decide whether sharing a full export of chat history about it would lead to a violation of the policy.

I think the primary difference I can tell from what this document says and what GDPR says is that GDPR 5 says:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

but this document uses:

all information and communications related to...

The privacy policy is very vague about how much information is retained, and it seems to be intentionally avoiding words like "all"/"every" which may counter GDPR 5. I think borrowing the wording from GDPR and using "adequate, relevant and necessary" instead of "all" would probably help moderators feel less compelled to go beyond what the GDPR or the privacy policy safeguard them to do.

Contributor Author

So the idea here is that it is not for the CPC to decide what should be in the privacy policy but for the Board/ED, with this policy just referencing it. I like your below suggestion to provide a contact point in case of doubt here.

Contributor Author

I also think it would be useful to clarify whether the privacy policy needs to be more specific about CoC incident record keeping or if the language it contains is enough. Tracking here: #1528.

Contributor

@joyeecheung joyeecheung Aug 4, 2025

Reading the GDPR I noticed that there might have been another thing missing from the policy - GDPR 12 and 13 require the controller to be transparent about the data collection in several different aspects https://gdpr.eu/article-13-personal-data-collected/ - I think in practice this means when collecting the personal data, the moderator needs to inform those who might be sharing personal data that the data collected would be subject to this privacy policy. AFAICT that's probably rarely done at the moment - or not that many people know about the privacy policy in the first place. What happens more commonly AFAIK is that moderators would redact whatever is inappropriate to share and get consent from people sharing the information before they forward it to someone else.

Successfully merging this pull request may close these issues.

Possible GDPR Conflict Summary for Code of Conduct Report Privacy
5 participants