Posted to privacy-discuss@apache.org by Christian Grobmeier <gr...@apache.org> on 2019/12/06 12:45:42 UTC

Privacy at Apache

Hello,

This list was created a few weeks ago, but I have not recognised any emails.

Recent discussions showed that there are a lot of open questions in terms of privacy, and I believe we should start to do something. A lot of heat in that discussion could have been avoided if the ASF had processes, tools, policies, whatever at hand.

So how can we get started?

There are some people saying the GDPR does not apply to us, and many say it does.

Independent of this discussion, I think there are a lot of good things in the GDPR too. One of them is transparency.

I'd like to propose to first start with creating a list of data processing services we are using. Based on that, we can identify if personal data is processed or not. 

This list may also help us in future discussions.

Thoughts?

Kind regards
Christian

---------------------------------------------------------------------
To unsubscribe, e-mail: privacy-discuss-unsubscribe@apache.org
For additional commands, e-mail: privacy-discuss-help@apache.org


Re: Privacy at Apache

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 6 Dec 2019, at 14:29, Christian Grobmeier <gr...@apache.org> wrote:

> On Fri, Dec 6, 2019, at 14:24, Mads Toftum wrote:
>> On Fri, Dec 06, 2019 at 01:45:42PM +0100, Christian Grobmeier wrote:
>>> this list was created a few weeks ago but I have not recognised any emails.
>>> 
>> Nope, the project seems to have been more or less on hold even though we're
>> more than 18 months past the date when GDPR went into effect.
> Oh.

Which does not concern me too much - after all, we are a US inc. And there is a lot of low-hanging fruit / way worse issues in healthcare, banking and whatnot in Europe.

>>> There are some people saying the GDPR does not apply to us, and many say it does.
>>> 
>> There's a fairly consistent agreement among those of us who are EU based
>> and work with data privacy / security that GDPR does apply. 
> 
> Agreed. I am also EU based and believe the GDPR applies. I just didn't want to exclude people who are sceptical in this matter.

So I think this is action 1; develop a:

-	Short statement why we care about the GDPR (because we care about our community, our committers. — Heck - our core purpose in life is to protect developers & let people do their work safely — privacy/security by default/design surely comes into that)

-	Short statement why it matters (Nexus in Europe, etc)

>>> I'd like to propose to first start with creating a list of data processing services we are using. Based on that, we can identify if personal data is processed or not. 
>>> 
>> The recommended approach is to identify what PII data we keep and what 
>> we do with that data. In particular, also the purpose of keeping that
>> data and for how long we keep it.
>> Once you have the overview of data, then starts the long process of
>> adjusting what we keep, for how long and getting data processor
>> agreements with external parties. 
>> IME, it's been easier to approach it from where we collect / generate
>> PII data and working forward from that. Not that this should hold back
>> looking at external processing, just that it's usually easier to find
>> relevant data that way.
> 

> Just for the record, I did not mean only third parties, I mean data processing services, which includes our own hosts, rented servers etc., and see what data they keep. We are on the same page.
> 
> Should we have a Git repository for adding text files with our findings?

I think a wiki page is fine. And then for each item the salient info:

-	Your Apache ID, (pseudo)name, email address

	Why:	for communication

-	The details on your CLA

	Why:	…

	How long:	…

	Who can see it:	...

-	Your banking details if we paid you a stipend, travel assist, etc.

	Why:	..

	Who can see it:	..

	How long:	minimum statutory period of XX
			beware that we do not have full control over this - e.g. our bank may effectively let the treasurer see this 'for ever'.

And so on. It won't be a very long list. And then a little puzzle as to how we make clear that the right to be forgotten is not absolute (e.g. you cannot really remove your name from a Software Grant document) - or when it is quite 'normal' - e.g. if you included your private cell number on a message to party@ 10 years ago by accident.

Dw.


Re: Privacy at Apache

Posted by Mads Toftum <ma...@toftum.dk>.
On Fri, Dec 06, 2019 at 02:29:11PM +0100, Christian Grobmeier wrote:
> On Fri, Dec 6, 2019, at 14:24, Mads Toftum wrote:
> > Nope, the project seems to have been more or less on hold even though we're
> > more than 18 months past the date when GDPR went into effect.
> 
> Oh.
> 
I should be more precise: apart from a board report and creation of this
list I've not seen anything that looked like forward progress. There
could have been much going on, just not where I've been looking.

vh

Mads Toftum
-- 
http://flickr.com/photos/q42/



Re: Privacy at Apache

Posted by Christian Grobmeier <gr...@apache.org>.
Hi,

On Fri, Dec 6, 2019, at 14:24, Mads Toftum wrote:
> On Fri, Dec 06, 2019 at 01:45:42PM +0100, Christian Grobmeier wrote:
> > this list was created a few weeks ago but I have not recognised any emails.
> > 
> Nope, the project seems to have been more or less on hold even though we're
> more than 18 months past the date when GDPR went into effect.

Oh.

> > There are some people saying the GDPR does not apply to us, and many say it does.
> > 
> There's a fairly consistent agreement among those of us who are EU based
> and work with data privacy / security that GDPR does apply. 

Agreed. I am also EU based and believe the GDPR applies. I just didn't want to exclude people who are sceptical in this matter.

> 
> > I'd like to propose to first start with creating a list of data processing services we are using. Based on that, we can identify if personal data is processed or not. 
> > 
> The recommended approach is to identify what PII data we keep and what 
> we do with that data. In particular, also the purpose of keeping that
> data and for how long we keep it.
> Once you have the overview of data, then starts the long process of
> adjusting what we keep, for how long and getting data processor
> agreements with external parties. 
> IME, it's been easier to approach it from where we collect / generate
> PII data and working forward from that. Not that this should hold back
> looking at external processing, just that it's usually easier to find
> relevant data that way.

Agreed.
Just for the record, I did not mean only third parties, I mean data processing services, which includes our own hosts, rented servers etc., and see what data they keep. We are on the same page.

Should we have a Git repository for adding text files with our findings?

Cheers,
Christian




Re: Privacy at Apache

Posted by Mads Toftum <ma...@toftum.dk>.
On Fri, Dec 06, 2019 at 01:45:42PM +0100, Christian Grobmeier wrote:
> this list was created a few weeks ago but I have not recognised any emails.
> 
Nope, the project seems to have been more or less on hold even though we're
more than 18 months past the date when GDPR went into effect.

> Recent discussions showed that there are a lot of open questions in terms of privacy, and I believe we should start to do something. A lot of heat in that discussion could have been avoided if the ASF had processes, tools, policies, whatever at hand.

Agreed.
> 
> So how can we get started?
> 
> There are some people saying the GDPR does not apply to us, and many say it does.
> 
There's a fairly consistent agreement among those of us who are EU based
and work with data privacy / security that GDPR does apply. 

> Independent of this discussion, I think there are a lot of good things in the GDPR too.

Agreed. 

> One of them is transparency.
> 
> I'd like to propose to first start with creating a list of data processing services we are using. Based on that, we can identify if personal data is processed or not. 
> 
The recommended approach is to identify what PII data we keep and what 
we do with that data. In particular, also the purpose of keeping that
data and for how long we keep it.
Once you have the overview of data, then starts the long process of
adjusting what we keep, for how long and getting data processor
agreements with external parties. 
IME, it's been easier to approach it from where we collect / generate
PII data and working forward from that. Not that this should hold back
looking at external processing, just that it's usually easier to find
relevant data that way.

vh

Mads Toftum
-- 
http://flickr.com/photos/q42/
