
MPIC: Improve Regulation section
Open, Needs Triage. Public

Assigned To
None
Authored By
Sarai-WMF
Nov 22 2024, 1:50 PM
Referenced Files
F57745457: Screenshot 2024-11-25 at 13.14.37.png
Nov 25 2024, 12:25 PM
F57745453: image.png
Nov 25 2024, 12:25 PM
F57733445: image.png
Nov 22 2024, 5:54 PM
F57733184: image.png
Nov 22 2024, 3:45 PM
F57733017: image.png
Nov 22 2024, 1:50 PM

Description

Problem

The contents of the "Regulation" section in the artifact creation form are not completely aligned with the risk assessment process that experiment owners have to follow (and are familiar with) in order to ensure compliance with WMF's data collection guidelines. In particular, one of the fields requires users to provide a link to the Security and Legal review, although not all data collection projects require one. On the other hand, the "Compliance requirements" field was particularly cryptic in meaning, and users generally lacked further clarification of what the system expects from them.

Suggested solution

Fields in the "Regulation" section should be aligned with the steps of the risk assessment process. Following @VirginiaPoundstone's suggestions, we should provide users with a "Risk level" select component that allows them to specify the risk associated with their artifact, and conditionally enable a "Security and legal review" input to collect the link to the L3SC review if their artifact is either medium or high risk:

[Attached image: image.png, 626 KB]

Note that the Risk level select provides 4 options: "Risk assessment pending", "Tier 1: High risk", "Tier 2: Medium risk" and "Tier 3: Low risk". The required "Security and legal review" field below will remain disabled unless users select the options "Tier 1: High risk" or "Tier 2: Medium risk".

If users select either "Risk assessment pending" or "Tier 3: Low risk", the "Security and legal review" field will remain inactive.

Open questions
  • Should the "Risk level" field be required? In that case, users wouldn't be able to save their progress or their configurations without making a selection. The option "Risk assessment pending" has been provided to allow users to proceed in case they're still working on their review.
  • Should we prevent submission and display an inline error message in case users try to save the form without providing a link to the L3SC review for high and medium-risk artifacts?

[Attached image: Screenshot 2024-11-25 at 13.14.37.png, 61 KB]

  • The message "Data will be automatically discarded after 90 days of storage." seems to indicate that the system (Metrics platform) will be in charge of discarding said data. Is that the case? Does the message need to be updated to ensure accuracy?
  • To our understanding, the most common practice is for L3SC reviews to be provided via Asana, which would mean that the "Security and legal review" input should be of type "url". Nonetheless, this requires validation.

Acceptance criteria
  • The Regulation section provides users with a new Risk level select component that allows users to input the risk level associated with their artifact
  • The Regulation section provides a text input component that is disabled by default and becomes active if users select the options "Tier 1: High risk" or "Tier 2: Medium risk"
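As an added illustration (not MPIC's own code), the validation rules the criteria above imply can be expressed as one pure function: the option labels are the ones listed in the task, while the function and field names, the assumption that "Risk level" is required, and the restriction of the review link to absolute http(s) URLs are my own choices.

```javascript
// Option labels as listed in the task description.
const RISK_LEVELS = Object.freeze({
  PENDING: "Risk assessment pending",
  HIGH: "Tier 1: High risk",
  MEDIUM: "Tier 2: Medium risk",
  LOW: "Tier 3: Low risk",
});

// Only medium- and high-risk artifacts need an L3SC review link.
function reviewLinkRequired(riskLevel) {
  return riskLevel === RISK_LEVELS.HIGH || riskLevel === RISK_LEVELS.MEDIUM;
}

// Accept only absolute http(s) URLs, so relative paths and non-web schemes
// (e.g. "javascript:") are rejected before the link is stored or rendered.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch (e) {
    return false;
  }
}

// Computes the UI state of the Regulation section and the inline errors to
// show on submit. Assumption: the "Risk level" select is required (the task
// leaves this as an open question).
function validateRegulation({ riskLevel, reviewLink }) {
  const errors = {};
  const known = Object.values(RISK_LEVELS).includes(riskLevel);
  if (!known) errors.riskLevel = "Select a risk level.";
  const enabled = known && reviewLinkRequired(riskLevel);
  const link = (reviewLink ?? "").trim();
  if (enabled) {
    if (!link) {
      errors.reviewLink = "A link to the L3SC review is required for medium- and high-risk artifacts.";
    } else if (!isHttpUrl(link)) {
      errors.reviewLink = "Enter a valid URL.";
    }
  }
  return {
    reviewLinkEnabled: enabled,
    // A disabled field's value is dropped so a stale link is never saved.
    reviewLink: enabled ? link : "",
    errors,
    valid: Object.keys(errors).length === 0,
  };
}
```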