CoC record keeping must abide by privacy policy #1523
Status: Open. tobie wants to merge 5 commits into main from tobie-coc-incident-records (base: main).
Commits (5, all by tobie):
68e3f80  Clarify that the record keeping requirements of the CoC Policy must a…
1d8e503  Minimize changes
2a448cb  Clarify that record keeping must include information (not just comms)
4e0f3d6  Add CoC Team as a resource for projects self-handling CoC reports
a40fd72  Add addressing questions raised by projects to CoC Team responsibilities
From what I can tell the wording changes don't really address the questions in #1522 - the privacy policy doesn't say anything specific about CoC handling, and it tries very hard to limit data collection when it goes anywhere near GDPR Article 9 (see Event Administration and Analytics), so it still leaves the judgement to the moderators. If I was a moderator I still would not be able to draw from the privacy policy any conclusion if I ran into "sensitive political opinion shared during the handling of a CoC incident about nationality discrimination", and I needed to decide whether sharing a full export of chat history about it would lead to a violation of the policy. I think the primary difference I can tell from what this document says and what GDPR says is that GDPR 5 says:
but this document uses:
The privacy policy is very vague about how much information is retained, and it seems to be intentionally avoiding words like "all"/"every" which may counter GDPR 5. I think borrowing the wording from GDPR and using "adequate, relevant and necessary" instead of "all" would probably help moderators feel less compelled to go beyond what the GDPR or the privacy policy safeguard them to do.
So the idea here is that it is not for the CPC to decide what should be in the privacy policy but for the Board/ED, with this policy just referencing it. I like your below suggestion to provide a contact point in case of doubt here.
I also think it would be useful to clarify whether the privacy policy needs to be more specific about CoC incident record keeping or if the language it contains is enough. Tracking here: #1528.
Reading the GDPR I noticed that there might have been another thing missing from the policy - GDPR 12 and 13 require the controller to be transparent about the data collection in several different aspects (https://gdpr.eu/article-13-personal-data-collected/) - I think in practice this means that when collecting the personal data, the moderator needs to inform those who might be sharing personal data that the data collected would be subject to this privacy policy. AFAICT that's probably rarely done at the moment - or not that many people know about the privacy policy in the first place. What happens more commonly AFAIK is that moderators would redact whatever is inappropriate to share and get consent from people sharing the information before they forward it to someone else.