General Data Protection Regulation: action plan proposition

Thanks @myriam yes I am happy with the plan. I agree with @oliver that it is frustrating to be spending money on this when it could go towards dev work, but I also agree with Myriam that we need to be on top of this.

Thanks @Oliver - are these the guidelines you have? It would be great if you could put up here the Stroudco plan based on this so that we can offer it to other hubs. Let us know if you need help with this. Thanks very much

Hi @NickWeir there is other guidance specifically pointing to the new requirements from the European regulation rather than our Data Protection Act though there is quite some overlap.

@MyriamBoure I agree. OFN is a processor and I’m a controller. OFN will mainly have to implement the technology and security. I mainly have to implement policy.
But I am curious where you get your advice from. For example here in the UK, the regulator hasn’t written anything about a European body to whom you need to send something every year. And why would it be non-compliant if I download a spreadsheet? As long as I have a procedure that makes sure the data is secure, is kept up-to-date and only for as long as is necessary etc, why would that in itself be a problem?

I think it’s important to keep things in proportion. For example Stroudco doesn’t have to appoint a Data Protection Officer or carry out a Data Protection Impact Assessment according to the UK guidelines and the same must be true for most enterprises. And I think anything that the regulation refers to as large scale process, profiling etc can safely be assumed to not be us, either OFN or its enterprise users.

A good starting point is the following list of rights of individuals concerning their data:
1. The right to be informed [what information is collected, how is it processed etc]
2. The right of access [we need to be able to show them what data is held]
3. The right to rectification [we need to correct any incorrect information]
4. The right to erase [we need to be able to delete information! but not necessarily provide a front-end user interface]
5. The right to restrict processing [I think this will in practice be that the hub manager tells them what processes are necessary and if the individual doesn’t like it, then they get deleted and can’t order in the future]
6. The right to data portability [not relevant to us]
7. The right to object [similar to 5]
8. Rights in relation to automated decision making and profiling. [relates to where decisions are made without human intervention]

Hi @Oliver and thank you for your investigation on that.
In fact I think we could do without consultancy on this if we take the time to read carefully all the documents. I would be happy to work with you on that if you want to team up :wink: I think I wanted to be reassured that what I understood was correct and our plan makes sense, and I didn’t want to work alone on that, but if we can pair that would be great. The person I know is a contact from OuiShare who is very involved in Open Source advocacy and also data protection and is starting an activity to support data management compliance processes for companies. But of course, if we can avoid spending money on this it’s better.
Would be great to list both the duties of the processor and the controller and compare to what OFN and hubs actually do and what needs to be changed. Like build a plan :slight_smile: This can be useful then for OFN to publish some guidance on that for other food hubs on what is their responsibility regarding their customer data, and what is the OFN responsibility and what we have set up or are setting up to be compliant.
And maybe in that process if there are really crucial points we can always ask some advice on our way.

I had started in C in this discussion to list some things but I can go again through all that and we can open a common spreadsheet on the drive for instance.
I just found this link which seems pretty useful: https://gdpr-info.eu/art-24-gdpr/

About the register, actually when re-reading the article 30 I think you are right, we don’t seem to be in the scope. If we are in the scope in France we are supposed to make the register available for the CNIL, but anyway you are right we don’t need to send it. You’re right that there is no issue in itself with uploading data in a spreadsheet, and that things need to be kept proportional. But for instance if you upload that file on drive and don’t control carefully access to the drive, I guess this is not so much of a good practice regarding the “data security”. So that can be interesting I guess for both processors and controllers to think about what they do with the data, where they are stored, is it secured, who has access, etc. And keep that in a kind of “register” I guess anyway makes sense and just prove that we have reflected on that.

Article 37, on data protection officer : “In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.” So it seems to depend on every country. On the French CNIL website they say it is “encouraged” for all.

I’m leaving on Sunday for Australia, not sure I’ll have time to work on that before but if you open a document I’m happy to work with you on that if you want.
Cheers !

I’m travelling now @MyriamBoure but will make a start while you are in Australia. Makes sense to team up. Safe travels!

Hi @MyriamBoure
This link https://gdpr-info.eu/art-24-gdpr/ was useful, thank you. It seems to confirm that what OFN needs is mainly a) to be able to technically implement the requirements of the Controller and b) some documentation such as policies and contract terms.

What seems to be lacking in OFN and which you have pointed out here already, is that we cannot properly delete data and nor can we determine (as far as I know) if any customer has been inactive for a certain number of years. The latter isn’t urgent as OFN is too young for this to be too much of a problem right now but it will become more relevant in the future. We do need to be able to delete personal data however, or, if we want to keep sales statistics, then something more complex will be needed to remove the personal element.

Thanks @Oliver and Myriam for your work on this. Please can you let me know;

  1. if you think we need to develop some policies and contract terms and if you think that we need some help with this? James Millar has a UK contact who is willing to help (for a fee) and we also have Myriam’s offer above. James and I are concerned that we need to be compliant by May 2018

  2. has anyone set up a github issue on the need to be able to delete personal data

“has anyone set up a github issue on the need to be able to delete personal data”

No, @NickWeir, but it’s not exactly a bug so github now tells me to use a “feature template”, a link that brings up an empty editor screen under the “wiki” tab. No idea what I’m meant to do with it.

I wonder if this covers it: “Users and admins can delete accounts / entreprises / customers / order cycles / groups”

What say you @MyriamBoure? :slight_smile:

Ah yes, and thereunder is also a link to a (closed) github issue: https://github.com/openfoodfoundation/openfoodnetwork/issues/1880

Hi there, sorry for my late reply, getting my head around it here again.
You know with our new process we are deciding together as a global team about the focus we choose to prioritize.
And while we go we will be able to prioritize new things.

I know we need to move forward on that ideally before May 2016, we had not initially put it as a priority in the 2018 roadmap (so many important things we need to do!) but probably we need to see how to fit it in.

So I have listed in this first trial for a roadmap management tool two focuses to cover that need:

  • Users can delete themselves their account from the OFN
  • Enterprise users can delete information (test info or info they are not entitled to keep) and archive info they need to keep but don’t want to see.

Both focuses need a first common step which is to enable soft delete in OFN.

I propose to discuss with the product curation team on the 21st (2018 roadmap kickoff) how to prioritize that somehow in the 2018 roadmap, and when prioritized and we are ready to start work on it we can open a more precise specification discussion (I already had done a lot so that can be a base to start with).

Does it sound good to you @Oliver ?

Hi @MyriamBoure
I’m finally getting a minute to respond. My only addition to what you said would (at this stage) be that ideally the deletion of personal data should only anonymise any data held, so that the total sales data for an enterprise isn’t affected. So personal data disappears, the user account disappears, but if I run a report for how much I sold in the past, the sales to that person are still there, with the name replaced.

Also, admittedly off-topic to this thread but:
"You know with our new process we are deciding together as a global team about the focus we choose to prioritize."
It may be an idea to poll enterprises on what they think is most needed.
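A sketch of the anonymise-on-delete behaviour described in the post above, together with the inactivity check mentioned earlier in the thread, added here as an example and not part of any post or of the OFN code base. The table and column names, the sample rows and the function names are all assumptions constructed for the illustration.

```python
import sqlite3

# Hypothetical minimal schema; NOT the Open Food Network database layout.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                        anonymised_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                     enterprise TEXT, total REAL, placed_on TEXT);
"""

def build_sample_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?,NULL)", [
        (1, "Alice Example", "alice@example.org"),
        (2, "Bob Example", "bob@example.org")])
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?)", [
        (1, 1, "hub-a", 20.0, "2014-03-01"),
        (2, 1, "hub-a", 15.5, "2014-06-10"),
        (3, 2, "hub-a", 30.0, "2018-01-15")])
    return db

def sales_total(db, enterprise):
    """The report that must not change when a customer is erased."""
    row = db.execute("SELECT SUM(total) FROM orders WHERE enterprise = ?",
                     (enterprise,)).fetchone()
    return row[0] or 0.0

def inactive_customers(db, today, years):
    """Ids of not-yet-anonymised customers whose latest order is older
    than `years` years. Customers with no orders at all are not listed."""
    cutoff = db.execute("SELECT date(?, ?)",
                        (today, f"-{years} years")).fetchone()[0]
    rows = db.execute(
        "SELECT c.id FROM customers c JOIN orders o ON o.customer_id = c.id "
        "WHERE c.anonymised_at IS NULL GROUP BY c.id "
        "HAVING MAX(o.placed_on) < ? ORDER BY c.id", (cutoff,))
    return [r[0] for r in rows]

def anonymise_customer(db, customer_id, today):
    """Overwrite the identifying fields; order rows are left untouched."""
    with db:  # commits on success, rolls back on error
        db.execute(
            "UPDATE customers SET name = 'Deleted customer', email = NULL, "
            "anonymised_at = ? WHERE id = ?", (today, customer_id))
```

Any other table that copies a name, address or e-mail onto the order itself would need the same overwrite, otherwise the personal data survives there.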

The GDPR becomes enforceable in May 2018, right? I think we should prioritise the work that needs to be done to comply with it.

Yes I do believe so, we do have another product curation meeting 20th March so I believe before that we will ask feedback from the community about what they believe are the priorities (@danielle we need to plan that somehow before the 20th March, we said in the process that we would have some “dot voting process” before curation meeting :-))
There are so many urgent/important things… we will have to decide where we accept to be a bit behind.

Following a debate at the OFN UK board meeting last week, three of us (including an OFN UK director) did the online self-assessment test here and all of us got the result that OFN UK does not need to register for GDPR.

However we do want to develop a privacy policy. Has anyone developed an OFN privacy policy already? @MyriamBoure @CynthiaReynolds @enricostn If not then we will draft one and you are all welcome to translate it.

Please let me know by Monday 7th May otherwise we will get started on the draft.
Thanks
Nick

@NickWeir yes we do not need to register and as we don’t manage any sensitive data we don’t need to have a data officer, etc. BUT we still need to comply with the law, which as a data processor is:

  • to enable the data controller to do what he is required to do (= delete user data if the user asks it, delete data older than X years, delete data for users that have been inactive for a long period of time (3 years if I remember well)…)
  • to require user agreement for trackers (cookies)

Cookies work has been prioritized for Q2 and we have started to work on a first UX / legal inception with @Rachel and a French lawyer (https://github.com/openfoodfoundation/openfoodnetwork/issues/2242), we will submit it to the community in the coming days and then run a proper inception with devs to plan implementation.

For the other point we will probably prioritize later, but it’s not as urgent as we can always delete in database if required and we have not yet reached the legal conservation periods (6 or 7 years usually for trade related documents).

Actually @NickWeir we have an example of a “privacy policy” in France, our plan is to write a similar page in the “about” section about what we do with users’ data, and this will also be linked in the cookie agreement banner. https://docs.google.com/document/d/1ghR8k07xSKgYs8f_gnSfwdu4ZvSLsyupwnnv0PnCosw/edit?usp=sharing (this one has been written by the French lawyer who supports us, but it’s in French obviously)

Thanks @MyriamBoure

Yes I agree that we need to sort out deletions and cookies. Thank you very much for starting the balls rolling for this.

I have google translated your privacy statement and will have a go next week at producing an English version.

Just to be clear @NickWeir this document is not the privacy policy of Open Food France but the one of another French entity whose lawyer is supporting us. So we can get inspired but we need to adapt as well. We are also going to work on that in France in the coming weeks so maybe we can share the results of our respective works!