The consultation is also relevant to IRTF.

Colin

> Begin forwarded message:
>
> From: IETF Executive Director <[email protected]>
> Subject: Updated consultation on revised IETF Privacy Statement
> Date: 16 December 2019 at 03:59:28 GMT
> To: "IETF Announcement List" <[email protected]>
> Reply-To: [email protected]
>
> A two-week consultation [1] began on 4 December 2019 on proposed changes [2]
> to the IETF Privacy Statement [3]. These proposed changes have been further
> revised [4] in response to issues raised [5]. The new full list of changes
> proposed to the existing IETF Privacy Statement are as follows:
>
> 1. Significant reordering, moving of text and changing of headings, with
> minimal change in meaning, in order to make the statement clearer and easier
> to understand.
>
> 2. The scope statement has changed from simply listing the IETF/IRTF/IAB to
> identifying the specific groups that can legally be considered data
> controllers in various data protection regimes, namely the LLC, IESG, IAB,
> IRSG and RFC Editor, and being clear that their activities form a single
> privacy context. The scope uses "IETF/IRTF/IAB" as a collective term for all
> these groups, even though that is not the plainest English possible, as that
> is needed to convey accurate structure in this statement. "_This statement
> sets out the privacy and data protection policy of the following related
> organizations and groups: the Internet Engineering Steering Group (“IESG”)
> representing the IETF; the Internet Research Steering Group ("IRSG")
> representing the IRTF; the Internet Architecture Board ("IAB"); and the
> common supporting organizations of the IETF Administration LLC ("LLC") and
> the RFC Editor, which are collectively referred to in this policy as the
> IETF/IRTF/IAB and individually as a Party and whose collective activities
> constitute a single privacy context._"
>
> 3. The existing version contains a number of references to the Internet
> Society (ISOC) given the legal structure that existed before the creation of
> the IETF Administration LLC. Those references have all been removed as data
> will no longer be shared with ISOC and a statement added for the avoidance of
> doubt: "_For the avoidance of doubt, this policy does not apply to the
> Internet Society ("ISOC") and its activities and practices constitute a
> separate privacy context. ISOC should be regarded as a third-party for the
> purposes of this policy._"
>
> 4. Two new elements have been added to the list of data that may be made
> public, which reflects existing practice. These are "_metadata related to
> the time and frequency of your interactions with any IETF system_" and
> "_message headers_".
>
> 5. Added an additional example of personal data to be clear that email
> message headers contain a lot of data "_the IP address of a message sender
> and details of the device or service used to send the message, as found in
> email headers_".
>
> 6. Added a clear statement that we do not sell data "_We do not sell your
> Personal Data nor do we monetize it in any way._"
>
> 7. Added a new bullet on what data we collect to cover web analytics and a
> new paragraph that covers what we intend to do with that data. The bullet is
> "_information provided when you interact with any IETF website_" and the
> paragraph is "_We track your usage of our websites in order to understand how
> our websites are used and how we can improve them. We do this using
> Javascript based tracking code, which collects a limited set of technical
> data. If Javascript is disabled or not available in your browser then this
> tracking will not take place and your usage of our websites should not be
> affected._"
>
> 8. Section on Do Not Track (DNT) made clearer as previous version required
> you to read the specification to understand it "_We do not enable or
> participate in any third-party tracking of your website activity. As no
> third-party tracking is enabled on our website, our websites do not alter
> their behavior according to the value of a browser Do Not Track (DNT)
> setting._"
>
> 9. The section on the use of cookies for online transactions has been made
> clearer "_When you log into one of our websites or initiate an online
> transaction through one of our websites then we may use cookies to uniquely
> identify you during that session, to record your preferences and to simplify
> the establishment of new sessions. If you disable your web browser's ability
> to accept cookies you will still be able to browse the site but authenticated
> and transactional services may not function._"
>
> 10. A new section has been added to explain that if we collect demographic
> information in a survey then that will only be published in an aggregated
> form that does not allow individual identification. This addition is not
> needed to enable collection of demographics, we can do that anyway, it is
> solely to explain what we do if we do collect it. "_We may ask you to
> provide demographic information (e.g. age, sex, country of residence) in
> surveys or other information gathering activities. You are not required to
> provide that information and your disclosure of that information to us is
> voluntary. We do not disclose the demographic information of individuals.
> We may publish aggregated information using demographic data as one
> dimension, in which case we will aggregate at a sufficient level to prevent
> disaggregation or deanonymization._"
>
> 11. A new section has been added to cover a range of processes regarding
> specific individuals "_Applications for roles, awards/prizes, grants and
> workshops_". This is intended to be generic enough to cover new processes of
> this nature while also being specific enough to be clear. "_The IETF/IRTF/IAB
> operates a number of processes where individuals may submit Personal Data
> about themselves or others and where all information is kept confidential,
> including any reviews, assessments, deliberations, interviews or other
> discussions, except as specified below. These processes are:_
> * _Applications for roles, except the names of applicants_
> * _Feedback on individuals regarding a role application or performance in a
> role_
> * _Nominations for awards/prizes, except the names of award/prize winners_
> * _Papers submitted for workshops, except the published papers_
> * _Applications for travel grants, except the names of grant recipients._"
>
> 12. Updated the section on "_Audio, pictorial and video recordings_" to
> address the use of red lanyards at IETF meetings: "_For some meetings we
> provide red lanyards for attendees to wear to indicate that they do not wish
> to be photographed individually or in small groups. Official IETF/IRTF/IAB
> photographers comply with this indication and we use reasonable efforts to
> ensure that all other photographers also comply. Photographs of large groups
> may contain incidental images of attendees in red lanyards and individuals
> wearing red lanyards will still be included in official video recordings._"
>
> 13. Updated the section on our use of Cloudflare to make it easier for anyone
> who wishes to read the Cloudflare Privacy Policy to know what data they
> collect and how it is, when providing this service: "_We use services from
> Cloudflare to support some of our websites. In Cloudflare terminology that
> will make anyone who accesses our websites an 'End User' and information on
> what data Cloudflare collect from End Users and how they use it is explained
> in their privacy policy. There is a link to the Cloudflare Privacy Policy on
> the Cloudflare home page._"
>
> This email is a reminder of the consultation on this revised statement, which
> closes on Wednesday 18 December.
>
> If you have any comments or questions then you can submit those by any of the
> following methods:
>
> * Raising an issue on the Github repository
> https://github.com/ietf-llc/ietf-privacy-statement-consultation
> * Direct to me at [email protected]
> * To the [email protected] list
>
> [1]
> https://mailarchive.ietf.org/arch/msg/ietf-announce/tAoqjDVzb2_NwT5SD-hzvF9YB1w
> [2]
> https://github.com/ietf-llc/ietf-privacy-statement-consultation/blob/master/DRAFT%20IETF%20Privacy%20Statement%202019.md
> [3] https://ietf.org/privacy-statement/
> [4]
> https://github.com/ietf-llc/ietf-privacy-statement-consultation/blob/latest-updates-from-consultation/DRAFT%20IETF%20Privacy%20Statement%202019.md
> [5] https://github.com/ietf-llc/ietf-privacy-statement-consultation/issues
>
> --
> Jay Daley
> IETF Executive Director
> [email protected]
