With our new website we have the ability to allow non-staff to contribute with blog posts. When we do this they create an account in our Wordpress instance. We need to clarify what rules apply to the personal data which is collected as part of that account creation.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Evelina-Bang-WMSE | T204632 New wikimedia.se | |||
| Resolved | Jopparn | T225491 Sign personuppgiftsbiträdesavtal with theGeneration and add them to privacy policy subpages | |||
| Open | None | T228023 Clarify personality rights applicable to blog contributors |
Användarnamn, Namn, E-postadress are required. But it is possible to add all kinds of extra info via https://wikimedia.se/wp-admin/profile.php
The extra info is something a contributor might want to add (e.g. their twitter handle) but entirely optional, we need to mention that as well though in the following bullets (i guess)
- Why is it collected
To allow secure access to the blog
- Under what authority is it collected
Samtycke is the likely one since they agree to become contributors. @Evelina-Bang-WMSE do they create the account themselves or do we create it for them? Have we got any other relevant policies for contributors?
- What is it used for
These two are more difficult.
For duration I would say "as long as the user maintains an account with us".
Username+name is necessary to maintain attribution of the written texts. E-mail can be deleted (in practice replaced by e.g. info@) if the person wishes not to have access anymore. Any extra info can be deleted.
But how do we deal with the situation where someone wants their name removed? Or the actual account deleted (because the username itself contains personal data)
Per: https://codex.wordpress.org/User_Privacy_and_your_WordPress_site
When erasing user data, this tool does not automatically delete registered users and their profile data. Administrators should perform that step themselves after successfully erasing personal data for a registered user. User deletion is available for each user in the Users menu in the Dashboard.
So actual account deletion is also needed. Note that when deleting an account you can transfer the posts to another user, including a newly created account. This will of course mean that readers don't see who wrote the original blog post. A few different suggestions can be found at https://www.dougv.com/2016/06/safely-removing-users-wordpress/
Per https://se.wikimedia.org/wiki/%C3%84mne:V42x5wd3b9bww5v3. We need a text which clarifies what is being collected and how it's being used which (non-staff) approve when we provide them with an account. While we might have to update the Rensningsrutinerna an update of the Privacy Policy is not needed.
We create the accounts then email out the credentials. That e-mail should contain a link to the relevant page describing how we deal with personal data and by logging in they accept these.
Have we got any other relevant policies for contributors?
We have this: Riktlinjer - Bloggen
We could add a subsection to that or add a link to a new subpage of wmse:Integritetspolicy/Samtycke.