
Clarify personality rights applicable to blog contributors
Open, Needs Triage, Public, 2 Story Points

Description

With our new website we have the ability to allow non-staff to contribute blog posts. When we do this they create an account in our WordPress instance. We need to clarify what rules apply to the personal data which is collected as part of that account creation.

  • What information is collected
  • Why is it collected
  • Under what authority is it collected
  • What is it used for
  • How long is it stored for
  • What happens if you want it deleted

Event Timeline

  • What information is collected

Användarnamn, Namn, E-postadress are required. But it is possible to add all kinds of extra info via https://wikimedia.se/wp-admin/profile.php
The extra info is something a contributor might want to add (e.g. their Twitter handle) but is entirely optional; we need to mention that as well, though, in the following bullets (I guess).

  • Why is it collected

To allow secure access to the blog

  • Under what authority is it collected

Samtycke is the likely one since they agree to become contributors. @Evelina-Bang-WMSE do they create the account themselves or do we create it for them? Have we got any other relevant policies for contributors?

  • What is it used for

    • For login to blog, including password resets
    • Name is displayed in association with published texts

  • How long is it stored for
  • What happens if you want it deleted

These two are more difficult.
For duration I would say "as long as the user maintains an account with us".
Username+name is necessary to maintain attribution of the written texts. E-mail can be deleted (in practice replaced by e.g. info@) if the person wishes not to have access anymore. Any extra info can be deleted.

But how do we deal with the situation where someone wants their name removed? Or the actual account deleted (because the username itself contains personal data)?

Alicia_Fagerving_WMSE renamed this task from Clarify personality rights appicableto blog contributors to Clarify personality rights appicable to blog contributors. Jul 15 2019, 11:06 AM

Per: https://codex.wordpress.org/User_Privacy_and_your_WordPress_site

When erasing user data, this tool does not automatically delete registered users and their profile data. Administrators should perform that step themselves after successfully erasing personal data for a registered user. User deletion is available for each user in the Users menu in the Dashboard.

So actual account deletion is also needed. Note that when deleting an account you can transfer the posts to another user, including a newly created account. This will of course mean that readers don't see who wrote the original blog post. A few different suggestions can be found at https://www.dougv.com/2016/06/safely-removing-users-wordpress/

Lokal_Profil renamed this task from Clarify personality rights appicable to blog contributors to Clarify personality rights applicable to blog contributors. Jul 15 2019, 12:27 PM

Per https://se.wikimedia.org/wiki/%C3%84mne:V42x5wd3b9bww5v3. We need a text which clarifies what is being collected and how it's being used, which (non-staff) approve when we provide them with an account. While we might have to update the Rensningsrutinerna, an update of the Privacy Policy is not needed.

We create the accounts then email out the credentials. That e-mail should contain a link to the relevant page describing how we deal with personal data and by logging in they accept these.

Have we got any other relevant policies for contributors?

We have this: Riktlinjer - Bloggen

Jopparn set the point value for this task to 2. Aug 21 2019, 10:37 AM

Have we got any other relevant policies for contributors?

We have this: Riktlinjer - Bloggen

We could add a subsection to that or add a link to a new subpage of wmse:Integritetspolicy/Samtycke.