[Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention

Nathan nawrich at gmail.com
Mon Oct 14 19:51:42 UTC 2013

Thanks for the pointer, Tomasz. I made a couple of points I'll reiterate here:

1) Under "Secure and Confidential Storage" this is a sentence
describing how the WMF will share / release the information submitted
by volunteers. Part A allows the WMF to disclose the information to
third parties with a WMF-approved non-disclosure agreement, without
limitation. Part D allows it to disclose the information to third
parties to protect the "rights and property" of the WMF, contractors
and employees. Both of these parts need to be substantially tightened,
in my opinion, to limit the purpose for which information is disclosed
and the circumstances under which any recipient of the information can
retain copies.

2) The policy really doesn't make an effort to justify the data
retention. Data is retained for three years in case an Arbitration
Committee (project undefined, no limitations expressed) needs to see
it? Honestly, I'm struggling to understand why any ArbCom would need
access to the preserved copy of a government issued ID to begin with.
ArbComs are evidently on the "need to know" list for access to stored
IDs? That's concerning. I think the policy needs to make a strong
argument for why this type of data retention is necessary and useful,
and it needs to consist of more than convenience for the WMF.

3) The process for data destruction is pretty weak. It doesn't mention
anything about data that has been shared (nowhere in the document is
it discussed how and in what form the data will be shared), the
process it describes doesn't currently exist, and it relies on the
actions of volunteers. Destroying data at the end of the retention
period ought to be a WMF responsibility, assigned to an employee, and
treated with the seriousness it deserves.

Overall I don't know that the legal team has taken into account the
likely reaction of European functionaries in particular; those
countries have very popular, and very strict, rules and expectations
around the use and retention of private information. Given the
conditions set by all the surveillance revelations recently... I'd
hate to see an exodus of advanced users on our non-English projects
because of this policy.

More information about the Wikimedia-l mailing list