Fwd: Re: [Board] GPDR

Cameron Shorter

OGC folk,

You are mentioned in this OSGeo Board email discussion, and if you have a spare moment to weigh in, then your comments would be warmly welcomed.

Cheers, Cameron



-------- Forwarded Message --------
Subject: Re: [Board] GPDR
Date: Tue, 17 Jul 2018 20:55:45 +0200
From: Arnulf Christl (aka Seven) [hidden email]
To: [hidden email]


Thanks for the input Ben. It would be great, if you could help with the wording of OSGeo's privacy statement.

From here on only ugly fine print...:

On 2018-07-17 at 19:46, Steven Feldman wrote:
I think they are compliant - you actively sign up to the lists that you want to subscribe and you have an option to unsubscribe or delete your account completely.

Yes. We do not really have to do anything at all, except:

We will need to check whether deleting an account removes the email address etc. My view fwiw is that we have no obligation to purge archived emails

Right. The only thing promoted by the new GDPR we do not and cannot comply with is to enable "forgetting". It is not applicable in our context because "the data no longer being relevant to original purposes for processing" does not apply because it is always relevant for the original purpose. One of the principal goals of OSGeo is to make processes and decisions transparent and protect projects from patent infringement claims and similar (where there is a ton of money and profits! Oh, add a few more !!! ).

In case there is an ugly row about something and somebody says something nasty and wants to withdraw this from the archives it can happen. It has been done before. And in our community (so far) it does not require legal steps and I'd totally promote that we keep it that way.

but I think that should be made clear in our privacy policy - which we need to write!

Exactly.

In order to have code provenance, prior art and the like transparent it is absolutely required to have all discussions and processes and decisions on a topic transparent and archived. This includes the personal data (email address and name as given by the individual or known by the community) of the corresponding individual providing input to a discussion. No privacy here, legal requirements override personal data rights. Which we may have to make clear in our subscription process and write down in our privacy statement. Sort of along the lines of: "if you join you give up your right to be forgotten because what we do really is relevant from a legal aspect".

In case someone from OGC is listening in - they know about this stuff and we would be well advised to copy - erm - fork some of their legalese.

Do you fancy getting involved to help get this done?

Haha, good try but actually no. Because it is spam wrapped in a pita. But yes, someone will have to do it.

The good news is: Nobody will want to sue OSGeo because it is totally not sexy to sue not-for-profits plus there is no profit, hence the name, right? :-) Trouble is, eventually Nobody may come round.

So my take is: Keep it cool but get it done.  


Thanks,
Arnulf

PS:
In case this is still open by the end of October (busy in other realms until then) I am happy to connect with the OGC and also help with some "resistance is futile, we will assimilate you" wording.

Cheers,
Seven


______
Steven


On 16 Jul 2018, at 10:39, Ben Caradoc-Davies <[hidden email]> wrote:

What about email archives? They are not self-service.

Do we have an obligation to purge archived emails or correct names or email addresses in archives on requests?

Do we have an obligation to report all personal information held by OSGeo on request? Should OSGeo have a procedure for handling such requests?

Kind regards,
Ben.

On 16/07/18 18:00, Jody Garnett wrote:
Advice would be very much appreciated.
My own preference is to be clear that OSGeo is largely self-serve, and if
we document steps to sign up for something we also document the steps to
un-sign up for something.
I think OSGeo has one mail chimp account used by marketing and geoforall -
but I am not sure how heavily it is used?
--
Jody Garnett
On Sat, 14 Jul 2018 at 10:16, stevenfeldman <[hidden email]> wrote:
Jody

I think the Board needs to take a more proactive approach to GDPR. This is
quite significant legislation and we should ensure that we have taken
"reasonable steps" to audit our personal data holdings and ensure we have
compliant processes.

The UK Information Commissioner's Office has a good intro to GDPR at

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
and a simple checklist tool at

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
(each EU country will have similar info but this is in English)

MailChimp has good tools for getting mail-list approval and providing
unsubscribe options. Do we have an OSGeo account or is usage less formal
across the regions?

I'm sure several of our EU members have already worked through GDPR with
their organisations and could provide advice

Cheers

Steven



--
Sent from: http://osgeo-org.1560.x6.nabble.com/OSGeo-Board-f3713809.html
_______________________________________________
Board mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/board

--
Ben Caradoc-Davies <[hidden email]>
Director
Transient Software Limited <https://transient.nz/>
New Zealand




-- 
http://arnulf.us
drwxrw-r--

_______________________________________________
Standards mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/standards

Re: [Board] Fwd: Re: GPDR

jody.garnett
Thanks Scott,

So this appears to be the main OGC document: http://www.opengeospatial.org/ogc/policies/privacy

This goes a bit beyond what we do at OSGeo, as OGC has a more complicated relationship with members and customers.
--
Jody Garnett


On Wed, 18 Jul 2018 at 08:27, Scott Simmons <[hidden email]> wrote:
Dear OSGeo interested parties,

Feel free to borrow any GDPR content you find on OGC public resources (as you can do from other organizations as well). OGC and OSGeo do operate a little differently, so our GDPR actions may not be completely applicable to OSGeo and OGC most certainly is not an expert on GDPR topics.

Best Regards,
Scott

Scott Simmons
Executive Director, Standards Program
Open Geospatial Consortium (OGC)
tel +1 970 682 1922
mob +1 970 214 9467

The OGC: Making Location Count…

On Jul 17, 2018, at 1:36 PM, Cameron Shorter <[hidden email]> wrote:

OGC folk,

You are mentioned in this OSGeo Board email discussion, and if you have a spare moment to weigh in, then your comments would be warmly welcomed.

Cheers, Cameron


