Merge pull request #497 from gratipay/seek-consent

write a doc on seeking consent
gratipay · Feb 10, 2016 · 2058cf4 · 2058cf4
2 parents 00864da + 94703fb
commit 2058cf4
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/www/howto/seek-consent.spt b/www/howto/seek-consent.spt
@@ -0,0 +1,42 @@
+nav_title = 'Seek Consent'
+[---]
+[---] text/html
+
+Consent&mdash;not acting on another without their permission&mdash;is one of
+Gratipay's [core values](/big-picture/brand/). In our context, the action in
+question is usually the public sharing of personal information. We have to be
+especially mindful of this because our company operates almost entirely on the
+public Internet.
+
+The medical profession has developed helpful [best
+practices](http://www.health.wa.gov.au/mhareview/resources/documents/UK_DoH_Consent_older.pdf):
+
+> Seeking consent is part of a respectful relationship [...] and
+should usually be seen as a *process*, not a one-off event. When you are
+seeking a person's consent[,] you should make sure that they have the time
+and support they need to make their decision. People who have given consent
+[...] are entitled to change their minds and withdraw their consent at any
+point[.] Similarly, they can change their minds and consent to [something]
+which they have earlier refused. It is important to let the person know this,
+so that they feel able to tell you if they change their mind.
+
+
+## From Users
+
+When providing customer [support](/howto/support-users) in private
+[channels](/appendices/channels) (e.g., email via Freshdesk), seek consent
+before cross-posting personally identifying information in public channels
+(e.g., a GitHub repo).
+
+
+## From Third Parties
+
+When establishing relationships with third parties such as vendors, business
+partners, journalists, and the like, include language such as the following in
+your first private communications with them:
+
+> P.S. So you're aware, Gratipay makes decisions publicly on the Internet, so
+I'll need to at least summarize our conversation for the Gratipay community
+on this public ticket: [link].
+
+Be sure to do this for in-person conversations as well, not just email.
diff --git a/www/howto/support-users.spt b/www/howto/support-users.spt
@@ -19,7 +19,7 @@ We use [Freshdesk](http://gratipay.freshdesk.com/) for managing support queries.
 ## Protecting User Privacy
 
 1. Before answering questions or performing actions related to an account, verify the user's identity by asking for, "the first eight digits of the API key on your [Gratipay settings page](https://gratipay.com/about/me/settings/)." We generally don't trust even verified email addresses as identity confirmation (because of the risk of spoofing).
-1. Never share personally identifying information about a user on GitHub or anywhere else without their explicit consent.
+1. Never share personally identifying information about a user on GitHub or anywhere else without their explicit [consent](/howto/seek-consent).
 1. Copying anonymized, generic comments into a public GitHub ticket is okay, and so is a simple "+1" with a link to Freshdesk.