Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Talk:SPG:Drafts:Data Privacy EGI CheckIn"

From EGIWiki
Jump to navigation Jump to search
Line 11: Line 11:


'''Answer from DaveK''': Agreed. Potentially a BIG can of worms! In the past with the old User-level Job Accounting Policy we did require the data to be held within the EU (or country with similar data protection). In general this does not work for e-Infrastructures like WLCG where we do need to store and process outside of the EU, so our plan was that the fact that all members of the e-Infrastructure are bound by the single set of policy documents should be sufficient.
'''Answer from DaveK''': Agreed. Potentially a BIG can of worms! In the past with the old User-level Job Accounting Policy we did require the data to be held within the EU (or country with similar data protection). In general this does not work for e-Infrastructures like WLCG where we do need to store and process outside of the EU, so our plan was that the fact that all members of the e-Infrastructure are bound by the single set of policy documents should be sufficient.
== Comments from Ian Neilson (18 Nov 2016) ==
* Sec 2 first line - "..grant you access to the Infrastructure and to the services and resources provided by the Infrastructure". What else is there apart from the services and resources? Suggest just "..grant you access to the services ...".
* Sec final bullet - "..rights" might be somewhat loaded or confusing. How about "roles" instead which implies some rights?
* Sec 3 last line - "We will store your personal data in log files and audit archives. These logs and other records will ...." --> "Your personal data will be stored and used solely ...."
* Sec 3 - line 2 lists 3 possible uses, line 3 adds monitoring. Suggest delete as monitoring could be both security and operational? Also, it's at first thought it's hard to see how "dispute resolution" could be done without sharing?
* Sec 7 - "..same purposes.." --> ".. purposes given above .." ?
* ditto - "..but only where the recipient..". Why not "..and only.."

Revision as of 12:32, 18 November 2016

Comments and discussion

Comments from Hannah Short (8 Nov 2016)

Minor points since this looks very thorough:

  • It is potentially confusing to have two nested policies. There are references to "The Policy", "This policy", "this Policy" and it's not obvious to which one they are referring. It might be clearer to insert the word Privacy or Data Processing before each use of the word Policy

Answer from DaveK: Agreed. Now done. "Privacy Policy" and "Data Protection Policy". Also made this clearer in the Appendix I hope.

  • "Stored where?" I worry this is opening a can of worms since we do not specify the actual location and readers will want to see a physical country listed. As far as I can see, this isn't a requirement of the Policy on the Processing of Personal Data

Answer from DaveK: Agreed. Potentially a BIG can of worms! In the past with the old User-level Job Accounting Policy we did require the data to be held within the EU (or country with similar data protection). In general this does not work for e-Infrastructures like WLCG where we do need to store and process outside of the EU, so our plan was that the fact that all members of the e-Infrastructure are bound by the single set of policy documents should be sufficient.

Comments from Ian Neilson (18 Nov 2016)

  • Sec 2 first line - "..grant you access to the Infrastructure and to the services and resources provided by the Infrastructure". What else is there apart from the services and resources? Suggest just "..grant you access to the services ...".
  • Sec final bullet - "..rights" might be somewhat loaded or confusing. How about "roles" instead which implies some rights?
  • Sec 3 last line - "We will store your personal data in log files and audit archives. These logs and other records will ...." --> "Your personal data will be stored and used solely ...."
  • Sec 3 - line 2 lists 3 possible uses, line 3 adds monitoring. Suggest delete as monitoring could be both security and operational? Also, it's at first thought it's hard to see how "dispute resolution" could be done without sharing?
  • Sec 7 - "..same purposes.." --> ".. purposes given above .." ?
  • ditto - "..but only where the recipient..". Why not "..and only.."