Meta:Access to non-public personal data policy

From Meta Wiki

Purpose

Weird Gloop sites (the "Sites") are the product of a global community of volunteer contributors and editors. This dedicated group of individuals not only write and curate content on the Sites, they also help ensure the safety of the Sites and their users as well as compliance with applicable policies. To manage this task effectively, certain community members are entrusted with access to limited amounts of non-public personal information pertaining to other users ("Non-public Personal Data"). For example, a community member who has "checkuser" rights could use those rights to investigate whether a single user is using multiple accounts in a manner inconsistent with global or local policies. The purpose of this "Access to non-public personal data" policy (the "Policy") is to:

  • explain the minimum requirements that must be met by any community member in order to be granted the ability to access Non-public Personal Data;
  • explain the rights and responsibilities of community members with access to Non-public Personal Data ("Designated Community Members");
  • ensure that Designated Community Members understand and commit to maintaining the confidentiality of Non-public Personal Data; and
  • provide guidelines to Designated Community Members as to when they may access Non-public Personal Data and how they may use such information, including when and to whom they may disclose it.

Community members covered by the Policy

The Policy applies to any community member to whom Weird Gloop has granted rights to access Non-public Personal Data covered by the privacy policy ("access rights"), including:

  • Community members with access to any tool that permits them to view Non-public Personal Data (such as the CheckUser tool);
  • System administrators with access to Non-public Personal Data.

Minimum requirements for community members applying for access rights

The following conditions are minimum requirements that a community member must meet before being granted access rights. These conditions should also be considered requirements to be a candidate for any community-run selection process for a role that conveys access rights. The community may require applicants to meet additional community-specified criteria on a case-by-case or role-by-role basis.

(a) Minimum age. Access to Non-public Personal Data requires maturity because of the significant responsibilities that come along with confidentiality obligations. For this reason, any community member who applies for access rights (the "applicant") must:

  • be at least eighteen (18) years of age; and
  • certify to Weird Gloop that they meet the minimum age required for the access rights that they are applying for.

(b) Valid, linked email address. In order to ensure that Weird Gloop can contact the individuals who take on these important roles, the applicant must:

  • submit a valid email address to Weird Gloop;
  • have the account under which they are applying for access rights linked to a valid email address;
  • complete verification of the submitted and/or linked email address (such as responding to a confirmation email sent to their submitted email address), if requested to do so; and
  • inform Weird Gloop of any change to their email address within one week of said change.

(c) Confidentiality. To ensure that applicants understand and commit to keeping Non-public Personal Data confidential, they will be required to read and certify that they agree to a short confidentiality agreement. The agreement outlines:

  • what Designated Community Members should treat as confidential information;
  • when they are allowed to access Non-public Personal Data;
  • how Designated Community Members may use Non-public Personal Data;
  • when and to whom they may disclose Non-public Personal Data and how they must refrain from disclosing Non-public Personal Data to anyone, except as permitted under applicable policies;
  • how Designated Community Members must safeguard their accounts from unauthorised access; and
  • when they must report disclosure of Non-public Personal Data to third parties or improper access, use, or disclosure of Non-public Personal Data.

(d) Privacy. In consideration of the privacy of Designated Community Members, any personal information submitted to Weird Gloop as part of the application process or otherwise under this Policy is subject to Weird Gloop's privacy policy.

Use and disclosure of Non-public Personal Data

Designated Community Members provide valuable services to the Sites and their users by fighting vandalism, ensuring that improperly disclosed private data is removed from public view, investigating sockpuppets, and much more. However, Designated Community Members' use of their access rights is limited to specific circumstances and contexts. This section elucidates the situations in which access rights may be used and Non-public Personal Data may be disclosed to third parties.

(a) Use of access rights and Non-public Personal Data. All Designated Community Members may only use their access rights and the subsequent information they access in accordance with the policies that govern the tools they use to gain such access. For example, community members with access to the CheckUser tool must comply with the global CheckUser policy and, unless they are performing a cross-wiki check, they must also comply with the more restrictive local policies applicable to the relevant Site. If a Designated Community Member's access to a certain tool is revoked, for any reason, they must destroy all Non-public Personal Data that they previously obtained through use of that tool.

(b) Disclosure of Non-public Personal Data. In the course of keeping the Sites and their users safe, Designated Community Members must sometimes disclose Non-public Personal Data to third parties. Disclosures of Non-public Personal Data are limited to:

(i) other Designated Community Members with the same access rights, or who are otherwise permitted to access the same Non-public Personal Data, in order to fulfill the duties outlined in the applicable policy for the access tool used;
(ii) service providers, carriers, or other third party vendors to assist in the targeting of IP blocks or the formulation of a complaint to such a third party;
(iii) the public, when it is a necessary and incidental consequence of blocking a sockpuppet or other policy-abusing account.

All other formal and informal requests for Non-public Personal Data (i.e. those not covered by one of the situations described above or those not acted upon by a community member with access rights), including subpoenas, from law enforcement, government agencies, attorneys, or other third parties should be directed to Weird Gloop's administration at