Decisions/Data Protection Policy amendment May 2013

From Wikimedia UK
Jump to navigation Jump to search
Comment This decision was closed as 'Aye'.

Proposal

To amend the Data Protection Policy as follows:

  1. Under Data Recording and Storage
    Insert at the end of the section:
    "Your Personal Data relating to any interactions with Wikimedia UK will be held on a computer within the European Economic Area, as required by our Data Protection Act registration.[1] Data you have explicitly caused to be placed on an internet-visible computer yourself, thereby giving your consent, such as comments or edits on this website or contributions to an email list, may be held on computers worldwide."
  2. Under Access to data
    Change:
    "All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved."
    To:
    "All those making a subject access request will be asked to identify any other individuals who may also hold information about them on behalf of Wikimedia UK, so that this data can be retrieved."
  3. Add a 'References' section at the end of the document, reading as follows:
  1. You can view our registration via the Information Commissioner's Office website. Our Data Protection Act Registration Number is Z3098483.

Discussion

This change (in a slightly different form) was requested by Katherine Bavage in her report to the Board for the 11 May board meeting, but was not covered at that meeting due to lack of time. Since this is a routine update, it is being proposed on-wiki instead. It is linked to the creation of the Website Privacy Policy.

This decision is currently being drafted - trustees, please don't vote yet. The intention is for voting to be open for a period of a week, or until all trustees have voted, whichever comes first. This should allow time for all trustees to see this page, express their viewpoints, and cast their votes. Mike Peel (talk) 07:34, 17 May 2013 (UTC)

Trustee voting on this decision is now open, and will run for 1 week (until 21.00 BST on 25 May 2013), or until all trustees have voted, whichever comes first. If there isn't a majority of board members supporting this decision after a week, then either the timespan will be increased or the decision will be deferred and considered at a board meeting. Thanks. Mike Peel (talk) 19:56, 18 May 2013 (UTC)
As far as I am aware, Wikimedia UK bears no responsibility for administering email lists that "may be held on computers worldwide". I would imagine that if the UK charity wants to run a public email list, we would avoid doing this. Could there be some more explanation of why this change is needed? -- (talk) 20:06, 18 May 2013 (UTC)
I'll point Katherine towards your question (as she originally proposed this amendment). However, as an example here, I would point out that my laptop holds many emails sent to WMUK-run mailing lists, and that I take my laptop with me when I travel outside the EU - WMUK shouldn't be responsible for the consequential (temporary) export of emails to WMUK-run lists outside of the EEA. Thanks. Mike Peel (talk) 20:29, 18 May 2013 (UTC)
Also note that WMUK hosts publicly-visible mailing lists such as the education committee list, which can be accessed and mirrored globally. Thanks. Mike Peel (talk) 08:16, 19 May 2013 (UTC)
These seem like faux comparisons to me, I strongly doubt the intention of the act was to consider laptops as international servers, or to make Charities legally responsible for others who may make copies of data legitimately made public in the UK. I see no reason for this change at the current time, apart from enabling the Charity to do things in the future that I would be incredibly unhappy to see happen, with regard to potential misuse of user, volunteer and donor data. -- (talk) 08:54, 19 May 2013 (UTC)
Morning! These amends were suggested by a volunteer in response to the public consultation/re-drafting of the Website Privacy Policy. I'll alerted said volunteer to come along and chat here, and will also ask Deskana and see if they can come and comment. Fae, this might be me but I'm confused about what you object to and whether it stems from misunderstanding because it actually explicitly re-confirms our commitment to operate as we have been, and within the bounds of EU privacy law, not enabling us to do anything different - if there is an interpretation/impact I'm not seeing please spell it out for me? :) Katherine Bavage (WMUK) (talk) 09:08, 20 May 2013 (UTC)

Katherine invited me to comment here, as I am a user interested in privacy related-matters and currently volunteer for the WMF on the Ombudsman Commission. I must point out however that although I have some familiarity with the Data Protection Act, I am not a lawyer and therefore this is not expert advice I am giving out.

I think in terms of a firm statement, the proposed addition is somewhat lacking in specificity. "may be held on computers worldwide" appears to imply that WMUK owns the computers that are doing this holding around the world. However, as Mike Peel pointed out above, that is not really the intent of the change, and it's more of a clause to clarify that people might copy this publicly accessible information and that WMUK cannot guarantee that they won't move it around. If the goal here is to clearly state where that data is held, then I see no reason why the language could not be made a bit more specific to cover the circumstances pointed out by Mike.

With regards to the potential misuse of data, I am not clear what Fae means. The proposed addition does not change how data can be used, it simply alters (or, more accurately, clarifies) where data is stored. I can't speak for potential further additions to the policy, but this addition does not seem to open up any potential for misuse of data if the policy is adhered to correctly.

Let me know if I can be of any further assistance.

--Deskana (talk) (email) 14:37, 20 May 2013 (UTC)

Thanks so much Deskana for your thoughts - appreciate it. As for this - I don't know whether there is an appetite to clarify the proposed amendment further? If there is I could amend further and we could re-proprose? Katherine Bavage (WMUK) (talk) 10:26, 21 May 2013 (UTC)

Vote

Aye

  1. Mike Peel (talk) 19:57, 18 May 2013 (UTC)
  2. The Land (talk) 08:45, 19 May 2013 (UTC)
  3. Saad Choudri (talk) 12:30, 20 May 2013 (UTC)
  4. It's not perfect yet, but this amendment seems to be an improvement. --RexxS (talk) 18:55, 24 May 2013 (UTC)

Nay

  1. This change appears to enable the Charity to use data in ways that there are currently no plans for it to do, and for which current users and members never gave permission for. (talk) 08:55, 19 May 2013 (UTC)

Abstain