Page MenuHomePhabricator

Create routine for ensuring parental consent for underaged members
Open, HighPublic

Description

Per GDPR we need explicit consent for under-aged (<13) members. We currently require date of birth on our membership forms which is the only source for determining this.

We need to establish a routine for (ongoing here)

  • Identifying any under-aged members in our membership system
    • A one-off check is needed for all imported members
    • Can either be checked continuously or as part of a routine whenever a new member signs up
  • Contacting and collecting the parental consents
  • Registering the received consent in Zynatic
    • Ideally the signed consents are hosted on our nextcloud and Zynatic contains a reference to the relevant document.
    • The same solution is ideally used for members who sign up on our paper forms and give their (general) consent there

A policy decision on how we deal with members who have not filled in a birth date (or filled in date which we could not reasonably assume to be true). (T189097: Policy for members lacking essential information or consents)


TODOs based on 2021-03-17 meeting 8in Swedish)

  • Skapa följebrev till medgivande (som går ut till vårdnadshavare)
  • Identifiera plats på wikin där den ska publiceras: Medlemskap/Hantering av medlemmar som är yngre än 13 år
  • Lägg till referens i Rensningsrutin samt loggdokumentet
  • Fundera på om Integritetspolicy/Registerförteckning och rensningsrutiner måste ha en not om rensade medgivande
  • Lägg till referens i Orgassistentdokument
  • Kolla vad som finns i Ekonomi > [Aktuellt år] > Ekonomi > Medlemmar > Medlemsarkiv idag
  • Dokumentera sökningar
  • Publicera på wikin
  • Förtydliga att medlemskapsavgift återbetalas ( i rutinen nedan)
  • Skapa en brevmall där man meddelar att medlemskapaet avslutas att medlem är välkommen när hen är 13. Lägg till på [[ Medlemskap/Avsluta_medlemskap#E-postutskick | Medlemskap/Avsluta_medlemskap#E-postutskick]].
  • Gör en not i Medlemskap/Avsluta medlemskap

Event Timeline

The members who do not have accounts now are the 4 people for whom we have no contact information, and the 2 members who are younger than 16.

Changed 16 to 13 per new law

  • Registering the received consent in Zynatic
    • Ideally the signed consents are hosted on our nextcloud and Zynatic contains a reference to the relevant document.
    • The same solution is ideally used for members who sign up on our paper forms and give their (general) consent there

Suggestion for this part of the routine.

  1. The signed consent form is given supplemented with the membership id of the affected member and given a sequential number (within the consent archive*).
  2. The physical form is scanned and archived in the corresponding NextCloud directory and physical folder.
  3. The member data in Zynatic is supplemented with a field containing the sequential number of the form.
  4. Deleting any related consent forms is added to the cleanup routine for discontinued memberships.

*The consent archive would also contains any physical membership forms.

I added the field Samtyckesarkiv-id in Zynatic. Member 240 should have a one which we can use to fine-tune the routine.

I also added the above suggestion to the routine document

Let's change it to medlemsarkiv-id

Changed to Medlemsarkiv-id

  • Identifying any under-aged members in our membership system
    • A one-off check is needed for all imported members
  • Avancerad sökningÅlder0, 14

Sadly there is no way of filtering on has/hasn't got a "Medlemsarkiv-id". It is however possible to view that information by expanding the membership record directly in the search interface.

  • Can either be checked continuously or as part of a routine whenever a new member signs up

I would suggest that the easiest is to run this check whenever we process other membership information. This is done (bi-?)monthly.
Anyone found during such a sweep would be asked for/reminded about the consent form. If the consent has been missing for too long then this would also be the trigger for account deletion.
Would that work @Evelina-Bang-WMSE ?

Per T189097: Policy for members lacking essential information or consents anyone underaged not having a valid consent looses their membership. It does however not specify a timeframe for this.
I would recommend 2 months which means ignoring 2-3 reminders in addition to the original request.
Does that sound reasonable @Jopparn @Historiker ? (also see the related question about incomplete applications)

Ping @Jopparn @Historiker @Evelina-Bang-WMSE about the questions above.

@Evelina-Bang-WMSE Can you start formulating a routine based on the bits which we have decided? The goal being to publish it to our wiki.

@Lokal_Profil I've put a draft named Hantering av medlemmar som är yngre än 13 år in Drive.

@Evelina-Bang-WMSE. Many thanks, like it =) I've added a few comments.

Have you any thought about where (on wiki) to publish it?
When published we should link to it from:

wiki/Medlemskap/Medlemskapsrutiner would make sense with that page being an index of routines and each actual routines living on a subpage. There will be some overlap with the Zynatic routines but that could be handled by linking to them from the index page.

Per T189097: Policy for members lacking essential information or consents anyone underaged not having a valid consent looses their membership. It does however not specify a timeframe for this.
I would recommend 2 months which means ignoring 2-3 reminders in addition to the original request.
Does that sound reasonable @Jopparn @Historiker ? (also see the related question about incomplete applications)

Per 1 2 months has been confirmed for incomplete applications and under-aged members without consent.

@Evelina-Bang-WMSE Do you remember what is left to do here?

Should I move the task to 2020? Or is it underway to be closed? @Evelina-Bang-WMSE @Lokal_Profil

@Evelina-Bang-WMSE Do you remember what is left to do here?

It's probably me moving the routine from Drive to the wiki. It's here now: https://docs.google.com/document/d/1xxvWlMkCTXLV-C5mDODVI5x_2T1D0Hj3dr2ar9u6aH8/edit?ts=5b9f9775

Thanks =)

@Lokal_Profil Was this done? Could you look into it in the coming weeks otherwise?

@Lokal_Profil Was this done? Could you look into it in the coming weeks otherwise?

There is a draft of the routine over in Drive. There are still some open questions in that document which need to be resolved.

@Jenny_Brandt_WMSE (and possibly @Maria_Burehall_WMSE ) it would be great if we could have this one done before I leave mid April.

Scheduled a meeting on this for March 17

@Jenny_Brandt_WMSE Can you handle the last remaining things on this one or do you need any additional input from me?

@Jenny_Brandt_WMSE Can you handle the last remaining things on this one or do you need any additional input from me?

Yes, I can finalize this. Thank you.