Talk:SPG:Drafts:Data Privacy EGI CheckIn

From EGIWiki
Revision as of 13:32, 18 November 2016 by Ian (Comments from Hannah Short (8 Nov 2016))

Comments and discussion

Comments from Hannah Short (8 Nov 2016)

Minor points since this looks very thorough:

  • It is potentially confusing to have two nested policies. There are references to "The Policy", "This policy", "this Policy" and it's not obvious to which one they are referring. It might be clearer to insert the word Privacy or Data Processing before each use of the word Policy.

Answer from DaveK: Agreed. Now done. "Privacy Policy" and "Data Protection Policy". Also made this clearer in the Appendix I hope.

  • "Stored where?" I worry this is opening a can of worms since we do not specify the actual location and readers will want to see a physical country listed. As far as I can see, this isn't a requirement of the Policy on the Processing of Personal Data.

Answer from DaveK: Agreed. Potentially a BIG can of worms! In the past with the old User-level Job Accounting Policy we did require the data to be held within the EU (or country with similar data protection). In general this does not work for e-Infrastructures like WLCG where we do need to store and process outside of the EU, so our plan was that the fact that all members of the e-Infrastructure are bound by the single set of policy documents should be sufficient.

Comments from Ian Neilson (18 Nov 2016)

  • Sec 2 first line - "..grant you access to the Infrastructure and to the services and resources provided by the Infrastructure". What else is there apart from the services and resources? Suggest just "..grant you access to the services ...".
  • Sec final bullet - "..rights" might be somewhat loaded or confusing. How about "roles" instead which implies some rights?
  • Sec 3 last line - "We will store your personal data in log files and audit archives. These logs and other records will ...." --> "Your personal data will be stored and used solely ...."
  • Sec 3 - line 2 lists 3 possible uses, line 3 adds monitoring. Suggest delete as monitoring could be both security and operational? Also, at first thought it's hard to see how "dispute resolution" could be done without sharing?
  • Sec 7 - "..same purposes.." --> ".. purposes given above .." ?
  • ditto - "..but only where the recipient..". Why not "..and only.."?