Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privacy compliance? #1311

Closed
acrymble opened this issue May 23, 2019 · 4 comments · Fixed by #1331
Closed

privacy compliance? #1311

acrymble opened this issue May 23, 2019 · 4 comments · Fixed by #1331
Labels
Technical

Comments

@acrymble
Copy link

I note that since we have started publishing laws have changed on privacy and the internet. In particular in the EU the GDPR regulations require greater care by organizations to keep personal information secure and to delete it upon request. In particular, I'm raising the possibility that our ph_authors.yml file may not be GDPR compliant.

Does anyone have GDPR training that can advise?
@drjwbaker
Copy link
Member

I'm on the Research Ethics Group at Sussex so based on http://www.sussex.ac.uk/ogs/policies/information/dpa/processingdata we are processing (which includes holding) personal data lawfully:

  1. We need the data in ph_authors.yml as part of our function (to inform readers who authors are).
  2. The author has given us the data in ph_authors.yml with their consent (either by giving it to us or adding it themselves).
  3. The data in ph_authors.yml does not contain 'special category data'.
  4. We have no intention of using the data at ph_authors.yml for a purpose other than the purpose it was given to us. E.g. we aren't going to turn that data into a mailing list without authorization of the authors. This impacts Communication: Blogpost/Newsletter for June  #1288 (we can't just scrape that data into a mailing list, especially if any of the contact info is out of date or no longer online, see 5.).
  5. The only ways I can see that we could be in non-compliance would be: i) we hold out of date information that an individual no longer wishes us to process (e.g. former employer, former name); ii) we hold information that has been taken offline for some reasons (e.g. an email address used to harass an individual was online and has now been removed from personal/institutional pages).

@acrymble
Copy link
Author

Thanks for the interpretation @drjwbaker.

@mdlincoln is there any technical reason why we shouldn't try to remove unnecessary data, like email addresses or social media handles for non-team members?

@walshbr walshbr mentioned this issue May 31, 2019
Closed
11 tasks
@mdlincoln
Copy link
Contributor

mdlincoln commented May 31, 2019
edited
Loading

The only time we collect those data are for team members, so we could certainly remove it for former team members.

For former members, the only thing we display is institution, start date, and end date of their membership, so we don't need that extra email/contact info any more. (I'd suggest we probably don't need to display institution on that list since for many it'll almost certainly be out of date.)

@drjwbaker
Copy link
Member

I think we are compliant then. This discussion and the archiving of it as an Issue should serve the purposes of showing that we have done our due diligence.

@acrymble acrymble mentioned this issue May 31, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Technical
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

reduce data in non-team members to essential info programminghistorian/jekyll
3 participants
@acrymble @mdlincoln @drjwbaker