[Foundation-l] Data retention
Thomas Dalton
thomas.dalton at gmail.com
Tue Sep 16 10:13:40 UTC 2008
2008/9/16 Anthony <wikimail at inbox.org>:
> On Mon, Sep 15, 2008 at 4:33 PM, Thomas Dalton <thomas.dalton at gmail.com>wrote:
>
>> 2008/9/15 mboverload <mboverloadlister at gmail.com>:
>> > Maybe legally, but it would be much better if they actually told us
>> > what they are doing.
>>
>> Maybe, but not in the privacy policy.
>>
>
> Why not? What's the point of having a privacy policy if you're going to
> make it a long-winded version of "we can do anything we want to do"?
It doesn't say that at all. The privacy policy is designed to be the
absolute minimum that the foundation commits to doing. In most cases,
the foundation actually goes a little further than that. There is no
harm in publishing that actual practice, but the foundation shouldn't
be committing to continuing that practice - it chose what to commit to
very carefully when writing the policy and with good reason,
restricting itself further would make things harder without
significant gain.
Let me give an example with made up numbers. If the policy says "We
will not keep logs longer than 2 months", however actual practice is
to only keep them one month, then that's fine, we're following policy.
If someone then makes a mistake forgets to delete the logs before they
go home on Friday night and deletes them when they get back in on
Monday when they're a month and a day old, there is no problem,
because we're still within policy. If we'd changed policy to describe
what usually happened, we'd now have violated the policy. It's always
good to make actual practice a little stricter than policy in order to
absorb mistakes - that doesn't work if you then change the policy to
describe the practice.
More information about the foundation-l
mailing list