Talking with some staff members of Wikimedia Italia, we noticed that during the contractual phase they sign some standard confidentiality obligations. This is fine, and it protects against a number of confidentiality risks, for example:
- billing credentials (of services/servers) (→ ability to destroy a service)
- websites credentials (→ ability to publish stuff in the name of the organization)
- email administration (→ ability to release mailboxes and read other people's email)
- database access (→ ability to delete everything or replace data without leaving a trace in the logs)
- server credentials (→ as above, but broader)
- bank credentials (→ ability to run away with money 🤑)
This is fine. However, we noticed that volunteers and collaborators often handle some of this data in good faith and without any NDA. This may not be a desirable situation for the protection of the association.
It may be worth investing some time to prepare a short NDA for volunteers and collaborators as well, following the direction of other organizations such as Debian and the Wikimedia Foundation.
Some examples we can follow:
- https://wikitech.wikimedia.org/wiki/Volunteer_NDA
  - complete text: https://phabricator.wikimedia.org/T281689#7053401
- https://wikitech.wikimedia.org/wiki/Production_access
  - complete text: https://phabricator.wikimedia.org/L3
- https://www.debian.org/devel/dmup (it contains interesting practical policies)
- https://phabricator.wikimedia.org/legalpad/query/all/
Other documents:
https://wiki.wikimedia.it/wiki/Associazione:Autorizzazioni_al_trattamento_dei_dati_e_degli_accessi