Page MenuHomePhabricator

Create routine for ensuring parental consent for underaged members
Open, HighPublic

Description

Per GDPR we need explicit consent for under-aged (<13) members. We currently require date of birth on our membership forms which is the only source for determining this.

We need to establish a routine for (ongoing here)

  • Identifying any under-aged members in our membership system
    • A one-off check is needed for all imported members
    • Can either be checked continuously or as part of a routine whenever a new member signs up
  • Contacting and collecting the parental consents
  • Registering the received consent in Zynatic
    • Ideally the signed consents are hosted on our nextcloud and Zynatic contains a reference to the relevant document.
    • The same solution is ideally used for members who sign up on our paper forms and give their (general) consent there

A policy decision on how we deal with members who have not filled in a birth date (or filled in date which we could not reasonably assume to be true). (T189097: Policy for members lacking essential information or consents)

Event Timeline

Jopparn moved this task from Backlog to Watching on the User-Jopparn board.Mar 12 2018, 9:22 AM

The members who do not have accounts now are the 4 people for whom we have no contact information, and the 2 members who are younger than 16.

Lokal_Profil triaged this task as High priority.Apr 16 2018, 8:31 AM
Jopparn moved this task from Backlog to This week on the User-LokalProfil board.May 14 2018, 8:50 AM
Lokal_Profil updated the task description. (Show Details)May 21 2018, 7:21 AM

Changed 16 to 13 per new law

  • Registering the received consent in Zynatic
    • Ideally the signed consents are hosted on our nextcloud and Zynatic contains a reference to the relevant document.
    • The same solution is ideally used for members who sign up on our paper forms and give their (general) consent there

Suggestion for this part of the routine.

  1. The signed consent form is given supplemented with the membership id of the affected member and given a sequential number (within the consent archive*).
  2. The physical form is scanned and archived in the corresponding NextCloud directory and physical folder.
  3. The member data in Zynatic is supplemented with a field containing the sequential number of the form.
  4. Deleting any related consent forms is added to the cleanup routine for discontinued memberships.

*The consent archive would also contains any physical membership forms.

I added the field Samtyckesarkiv-id in Zynatic. Member 240 should have a one which we can use to fine-tune the routine.

I also added the above suggestion to the routine document

Let's change it to medlemsarkiv-id

Let's change it to medlemsarkiv-id

Changed to Medlemsarkiv-id

Consent form updated

Lokal_Profil added a subscriber: Historiker.EditedJun 28 2018, 10:56 AM
  • Identifying any under-aged members in our membership system
    • A one-off check is needed for all imported members
  • Avancerad sökningÅlder0, 14

Sadly there is no way of filtering on has/hasn't got a "Medlemsarkiv-id". It is however possible to view that information by expanding the membership record directly in the search interface.

  • Can either be checked continuously or as part of a routine whenever a new member signs up

I would suggest that the easiest is to run this check whenever we process other membership information. This is done (bi-?)monthly.
Anyone found during such a sweep would be asked for/reminded about the consent form. If the consent has been missing for too long then this would also be the trigger for account deletion.
Would that work @Evelina-Bang-WMSE ?

Per T189097: Policy for members lacking essential information or consents anyone underaged not having a valid consent looses their membership. It does however not specify a timeframe for this.
I would recommend 2 months which means ignoring 2-3 reminders in addition to the original request.
Does that sound reasonable @Jopparn @Historiker ? (also see the related question about incomplete applications)

Ping @Jopparn @Historiker @Evelina-Bang-WMSE about the questions above.

@Evelina-Bang-WMSE Can you start formulating a routine based on the bits which we have decided? The goal being to publish it to our wiki.

@Lokal_Profil I've put a draft named Hantering av medlemmar som är yngre än 13 år in Drive.

@Evelina-Bang-WMSE. Many thanks, like it =) I've added a few comments.

Have you any thought about where (on wiki) to publish it?
When published we should link to it from:

Thank you for the comments! @Lokal_Profil

Maybe there should be page somewhere matching wiki/Ekonomiska rutiner? Like a page under wiki/Medlemskap/Medlemskapsrutiner or wiki/Medlemskapsrutiner.

wiki/Medlemskap/Medlemskapsrutiner would make sense with that page being an index of routines and each actual routines living on a subpage. There will be some overlap with the Zynatic routines but that could be handled by linking to them from the index page.

Per T189097: Policy for members lacking essential information or consents anyone underaged not having a valid consent looses their membership. It does however not specify a timeframe for this.
I would recommend 2 months which means ignoring 2-3 reminders in addition to the original request.
Does that sound reasonable @Jopparn @Historiker ? (also see the related question about incomplete applications)

Per 1 2 months has been confirmed for incomplete applications and under-aged members without consent.