[Board] GPDR

Tue Jul 17 11:55:45 PDT 2018

Thanks for the input Ben. It would be great, if you could help with the 
wording of OSGeo's privacy statement.

 From here on only ugly fine print...:

Am 2018-07-17 um 19:46 schrieb Steven Feldman:
> I think they are compliant - you actively sign up to the lists that 
> you want to subscribe and you have an option to unsubscribe or delete 
> your account completely.

Yes. We do not really have to do anything at all, except:

> We will need to check whether deleting an account removes the email 
> address etc. My view fwiw is that we have no obligation to purge 
> archived emails

Right. The only thing promoted by the new GDPR we do not and cannot 
comply to is to enable "forgetting". It is not applicable in our context 
because "the data no longer being relevant to original purposes for 
processing" does not apply because it is always relevant for the 
original purpose. One of the principal goals of OSGeo is to make 
processes and decisions transparent and protect projects from patent 
infringement claims and similar (where there is a ton of money and 
profits! Oh, add a few more !!! ).

In case there is an ugly row about something and somebody says something 
nasty and wants to withdraw this from the archives it can happen. It has 
been done before. And in our community (so far) it does not require 
legal steps and I'd totally promote that we keep it that way.

> but I think that should be made clear in our privacy policy - which we 
> need to write!

Exactly.

In order to have code provenance, prior art and the like transparent it 
is absolutely required to have all discussions and processes and 
decisions on a topic transparent and archived. This includes the 
personal data (email address and name as given by the individual or 
known by the community) of the corresponding individual providing input 
to a discussion. No privacy here, legal requirements override personal 
data rights. Which we may have to make clear in our subscription process 
and write down in our privacy statement. Sort of along the lines of: "if 
you join you give up your right to be forgotten because what we do 
really is relevant from a legal aspect".

In case someone from OGC is listening in - they know about this stuff 
and we would be well advised to copy - erm - fork some of their legalese.

> Do you fancy getting involved to help get this done?

Haha, good try but actually no. Because it is spam wrapped in a pita. 
But yes, someone will have to do it.

The good news is: Nobody will want to sue OSGeo because it is totally 
not sexy to sue not-for-profits plus there is no profit, hence the name, 
right? :-) Trouble is, eventually Nobody may come round.

So my take is: Keep it cool but get it done.

Thanks,
Arnulf

PS:
In case this is still open by then end of October (busy in other realms 
until then) I am happy to connect with the OGC and also help with some 
"resistance is futile, we will assimilate you" wording.

Cheers,
Seven

> ______
> Steven
>
>
>> On 16 Jul 2018, at 10:39, Ben Caradoc-Davies <ben at transient.nz 
>> <mailto:ben at transient.nz>> wrote:
>>
>> What about email archives? They are not self-service.
>>
>> Do we have an obligation to purge archived emails or correct names or 
>> email addresses in archives on requests?
>>
>> Do we have an obligation to report all personal information held by 
>> OSGeo on request? Should OSGeo have a procedure for handling such 
>> requests?
>>
>> Kind regards,
>> Ben.
>>
>> On 16/07/18 18:00, Jody Garnett wrote:
>>> Advice would be very much appreciated.
>>> My own preference is to be clear that OSGeo is largely self-serve, 
>>> and if
>>> we document steps to sign up for something we also document the steps to
>>> un-sign up for something.
>>> I think OSGeo has one mail chimp account used by marketing and 
>>> geoforall -
>>> but it am not sure how heavily it is used?
>>> --
>>> Jody Garnett
>>> On Sat, 14 Jul 2018 at 10:16, stevenfeldman <shfeldman at gmail.com 
>>> <mailto:shfeldman at gmail.com>> wrote:
>>>> Jody
>>>>
>>>> I think the Board needs to take a more proactive approach to GDPR. 
>>>> This is
>>>> quite significant legislation and we should ensure that we have taken
>>>> "reasonable steps" to audit our personal data holdings and ensure 
>>>> we have
>>>> compliant processes.
>>>>
>>>> The UK Information Commissioner's Office has a good intro to GDPR at
>>>>
>>>> https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
>>>> and a simple checklist tool at
>>>>
>>>> https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
>>>> (each EU country will have similar info but this is in English)
>>>>
>>>> MailChimp has good tools for getting mail-list approval and providing
>>>> unsubscribe options. Do we have an OSGeo account or is usage less 
>>>> formal
>>>> across the regions?
>>>>
>>>> I'm sure several of our EU members have already worked through GDPR 
>>>> with
>>>> their organisations and could provide advice
>>>>
>>>> Cheers
>>>>
>>>> Steven
>>>>
>>>>
>>>>
>>>> --
>>>> Sent from: 
>>>> http://osgeo-org.1560.x6.nabble.com/OSGeo-Board-f3713809.html
>>>> _______________________________________________
>>>> Board mailing list
>>>> Board at lists.osgeo.org
>>>> https://lists.osgeo.org/mailman/listinfo/board
>>> _______________________________________________
>>> Board mailing list
>>> Board at lists.osgeo.org <mailto:Board at lists.osgeo.org>
>>> https://lists.osgeo.org/mailman/listinfo/board
>>
>> -- 
>> Ben Caradoc-Davies <ben at transient.nz <mailto:ben at transient.nz>>
>> Director
>> Transient Software Limited <https://transient.nz/>
>> New Zealand
>
>
>
> _______________________________________________
> Board mailing list
> Board at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/board

-- 
http://arnulf.us
drwxrw-r--

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/board/attachments/20180717/c8029387/attachment.htm>