- Map out all the datasets used by the Services team including datasets "in transit" (e.g. data in Kafka)
- Draft data access guidelines
Staff from various teams have asked for a clear set of rules for handling personally identifiable information, so Legal & Security want to harmonize access policies and practices for personally identifiable information among WMF staff as much as possible. We have a data retention policy and an access policy for community members, and we ask people from outside WMF to sign an NDA, but our staff access practices vary across teams, and we don't have a comprehensive idea of where data sits or how it flows through WMF.
First, the data map: We'd like to know what personal data WMF collects and uses. So we're asking teams to fill out a spreadsheet about the datasets that they use and have control over. To give a sense of the level of granularity, here are examples that Editing and Discovery are currently filling out. The idea is to take the info from each team to create a single data map that all staff can easily refer to.
Second, a staff access policy: Last year, Discovery drafted a Data Access Guide. We'd like to use that as a starting point for other teams to tailor to their own needs, since some teams handle a lot more personal data than others. But having too many people work off one Google Doc is messy. So please make your comments, edits, and suggestions to the draft provided here, and we'll consolidate them. Eventually, each team can decide whether it's better to adopt a general guide, or to draft one more specific to their needs.
Finally, as to timing, the idea is to have all teams take a first pass at filling out the spreadsheets by the end of May.