On 22/05/2018 14:02, Geert Janssens wrote:
Yesterday John raised some concerns about GDPR compliance of the gnucash
project itself.

This is a different question from the one Mike Evans asked in April this year
about GDPR compliance by people *using* gnucash.

This requires some thought as the GDPR has many aspects.

The essence of the GDPR (global data protection regulation) is to regulate the
processing of EU citizens' personal data.

The first question this raises is which personal data does the gnucash project
process ? So far I have come up with:
- e-mail addresses on the gnucash mailing lists
- user accounts in bugzilla
- user accounts in our wiki
- user accounts on Uservoice
The above are pretty clear. There are others that are less clear to me whether
they constitute personal data or not:
- the actual messages people send to mailing lists and which are stored in a
public archive
- the actual comments on bugs
- the actual page edits in wiki
And also what about things like our irc channel ? Does that fall under
processing personal data ? We don't really run the irc channel, we only use
it. But on the other hand we do publish irc logs. Does GDPR apply to those ? I
can't tell really.
And the same question could be asked about our code itself in a way. Does a
code contribution represent personal data ? Each commit logs an e-mail address
of a committer which can't easily be removed.

Once we have established what constitutes personal data we need to formulate a
"privacy policy" in which we explain how we process this data and whether
third parties are involved (think github, uservoice, travis-ci, our social
media presence,...).

An open source project is a bit in an odd situation because we do almost
everything in public so there's very little being kept private. We publish
archives of our mailing list conversations, irc logs, commits and so on. We
have to inform our users of this in a clear manner. The good thing is we only
do keep the absolute minimum amount of information to function: a username
(which can be an e-mail address) and a password is usually sufficient. Unless
the message content also falls under personal data.

We also require explicit consent to use the personal data. We're reasonably
good in this respect as for all services we offer we require the user to opt-in.
We will never use for example mail addresses gathered from bugzilla user
accounts to automatically enroll the same people in a mailing list. We
probably should more clearly indicate what people subscribe to in each case
while they are registering. So when registering for a mailing list, it should
be pretty clear that anything the person contributes will end up on a public
web page. The same goes for all other services we offer and make use of.

Next a person should be allowed to make corrections to the personal data we
were provided with and "the right to be forgotten". For user accounts in the
various services we offer this is not really a problem. Most of these do allow
the user to change passwords, user names or e-mail addresses. However if the
message content is also part of private data it becomes much harder. In that
case the question becomes whether a user can request a mail message to be
removed from our mailing list archive. I have no answer to this.

Next there is the requirement to protect children. I don't know for sure if
this applies to us. If it does our registration processes should ask a minimum
age and require consent of a parent or equivalent in order to continue with
the registration. This is mostly mentioned in the context of social networks.
But as we publish all communication in public it may apply to us as well.

And finally in case of data breaches we should inform the affected people of
this. Again one I don't know exactly how to deal with.

This mail is meant as a kick-off to start thinking about this. Any feedback is
very welcome.

Friends, although people "like us" take the GDPR seriously, it wasn't and isn't about "us".

In fact, people "like us" that are open source, small businesses (processing data for sometimes small commercial reasons), non-profits, individuals recording their accounts around the world, etc are largely unintended victims.

One of the things that comes to my mind is this familiar sequence

1.a) anyone that asks to be removed from the mailing list should be zapped
1.b) we've been there before, we know about the person that asks to be removed so they can start again
1.c) at the moment, here in the UK, we think the list address is our (gnucash list) stuff so we are allowed to keep it to stop a bad person returning.
1.d) result? we don't remove the address from our records, the GDPR doesn't apply, the bad person info belongs to us
1.e) i've caused a few upsets here and hopefully no-one has been worse than me and invokes the GDPR in order to get back onto these lists :)

other details probably aren't kept in any significant way, I mean, I seriously doubt anyone has been keeping stuff like

gender?
sexual orientation?
skin colour?
religion?
something else

per person on behalf of gnc [2] in any systemic way

I know some people are of a certain religion or political persuasion, I know some people have a first language, I know some people have some skills, I know I dislike some people, that is not the same, my (anyone's head) is not relevant. We all have some stuff in our heads, that isn't what the GDPR is about.

To make it personal, I am equally sure some people *know* me. That is also not relevant.

If someone was keeping generalised indicators to show we were open, used widely, cross border, multi-lingual and so on they should not be concerned.

At worst we might have to think about making some "who uses gnc" stuff more anon but we've got brains enough in this group to do that [1]

[1] do we actually have person level records? the obvious thing is for whoever has them to anon, pass on, allow them to be summarised, passed back and checked and then flush to an anon place in case one of Donald Trump's Russians was involved <-- yes, it *is* compulsory, you dumb fucking idiots, you voted as a country, take the hit!

[2] the list, the project, not individuals [3]

[3] if I know Liz is a lady in my head, it doesn't count

I am following the legal discussions here in the UK and I think gnc will be waaaaaaaay at the back of the queue when it comes to bad stuff; the tricky bit might be the diversity of record if someone decided to be nasty [4] :)

[4] "remove all trace of my involvement with your project" I'm not sure we could do that :( but I suspect that is an open source issue rather than a gnc specific one.

Geert said this was for discussion, I welcome contributions too.

I think I have a feel for the UK and European view (I welcome viewpoints that differ from my own)

Maybe how it is seen in other places would help the debate?

--
Wm

_______________________________________________
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
