Policy:Access to nonpublic personal data policy: Difference between revisions

The community consultation for the Access to Nonpublic Information Policy draft has closed as of 14 February 2014. We thank the many community members who have participated in this discussion since the opening of the consultation 03 September 2013. Your input has provided valuable insight about this sensitive and complicated topic. You can read more about the consultation and the next steps for the Policy draft on the Wikimedia blog. Mpaulson (WMF) (talk) 20:29, 14 February 2014 (UTC)

Purpose

Wikimedia Sites (the “Sites”) are the product of a global community of volunteer contributors and editors. This dedicated group of individuals not only writes and curates content on the Sites -- they also help ensure the safety of the Sites and its users as well as compliance with applicable policies. To manage this immense task effectively, certain community members are entrusted with access to limited amounts of nonpublic information regarding other users. For example, a trusted community member who has “checkuser” rights could use those rights to investigate whether a single user is using multiple accounts in a manner inconsistent with Wikimedia policies. The purpose of this “Access to nonpublic information” policy (the “Policy”) is to:

• explain the minimum requirements that must be met by any community member who has access to nonpublic information;
• explain the personal and legal accountability that accompanies the rights and responsibilities of community members with access to nonpublic information;
• ensure that community members with access to nonpublic information understand and commit to maintaining the confidentiality of nonpublic information; and
• provide guidelines to community members with access to nonpublic information as to when they may access nonpublic information, how they may use such information, and when and to whom they may disclose such information.

Community members covered by this Policy

This Policy applies to any user who has access to nonpublic information covered by the privacy policy, including:

• Community members with access to any tool that permits them to view nonpublic information about other users (such as the CheckUser tool) or members of the public (for example, through OTRS accounts);
• Community members with the ability to access content or user information which has been removed from administrator view (such as the Suppression tool); and
• Volunteer developers with access to nonpublic information.

For illustrative purposes only, some examples of groups of community members to which this Policy applies include: OTRS administrators, email response team members, and Stewards. This Policy does not apply to users whose rights only include the ability to view standard deleted revisions. This Policy also does not apply to Wikimedia Foundation employees or contractors who act in their professional capacity because they are already subject to other confidentiality agreements that are as or more protective than this Policy.

Minimum requirements for community members applying for access to nonpublic information rights

The following conditions are minimum requirements that all community members, including volunteer developers, who are granted access to nonpublic information rights ("access rights") must meet to qualify as a candidate. These conditions should also be considered requirements to be a candidate for any community-run selection process for a role that would convey such access rights. The community may require candidates for access rights to meet additional community-specified criteria on a case-by-case or role-by-role basis.

(a) Minimum age. We value our community members, no matter what their age. However, access to nonpublic information requires legal accountability in part because of the need to ensure confidentiality with respect to others’ nonpublic information. For this reason, any community member who applies for access rights must be at least eighteen (18) years of age, except email response team members who must be at least sixteen (16) years of age.

(b) Identification. The privacy of all of our users is important to us. Our users expect that we know who has access to their nonpublic information. This helps increase accountability and ensure against misuse of information entrusted to community members with access to nonpublic information. For this reason, only those whose identity is known may have access to nonpublic information. Community members with access rights must meet the following identification requirements:

• submit to the Wikimedia Foundation their name, date of birth, current valid email address, and mailing address;
• have an account linked to a valid e-mail address; and
• complete verification of email address or address processes (such as returning a postage-prepaid verification postcard sent to their submitted address or responding to a confirmation email sent to their submitted email address) if requested to do so; and
• inform the Wikimedia Foundation of any change to their name, address, or email address within a reasonable time following such change.

(c) Confidentiality. To ensure that community members with access rights understand and commit to keeping the nonpublic information confidential, they will be required to read and agree to a short Confidentiality Agreement that outlines:

• what community members should treat as confidential information;
• when they are allowed to access nonpublic information;
• how community members may use nonpublic information about other users;
• when and to whom they may disclose the nonpublic information and how they must otherwise refrain from disclosing nonpublic information to anyone, except as permitted under applicable policies;
• how they must safeguard their accounts from unauthorized access; and
• when they must report disclosure of nonpublic information to third parties or improper access, use, or disclosure of nonpublic information.

(d) Submission & retention of submitted documents.

(i) Secure & confidential storage. In consideration of the privacy of the community members with access rights, the materials, documents, and identification information submitted to the Wikimedia Foundation under this Policy (collectively “submitted materials”) will be kept confidential, and access to these materials will be limited to a “need to know” basis within the Wikimedia Foundation. Submitted materials will be recorded electronically and held at the same or a greater level of security granted to the personal information of Wikimedia Foundation staff. The Wikimedia Foundation will not share submitted materials with third parties, unless such disclosure is:

(A) permitted by a non-disclosure agreement that: (1) has been approved by the Wikimedia Foundation’s legal department; (2) allows for use of the submitted materials only in a manner compliant with the Wikimedia Foundation’s Privacy Policy;

(B) required by law;

(C) needed to protect against immediate threat to life or limb; or

(D) needed to protect the rights, infrastructure, or safety of the Wikimedia Foundation, its employees, or contractors.

(ii) Retention of submitted materials. Submitted materials will be maintained as long as the community member who submitted the materials has access rights, plus up to an additional six (6) months. The submitted materials will be destroyed by the Wikimedia Foundation in a timely manner following the six (6) month period.

(iii) Submission methods. Community members with access rights may submit the required materials to the Wikimedia Foundation electronically, in-person, or through the public or private mail carrier of their choosing. The submitted materials will be transferred to a secure electronic database upon receipt and the original medium in which the materials were submitted will be destroyed immediately upon transfer to the electronic database.

(iv) Submission timeline. Any community member who has been granted access rights at the time this Policy becomes effective has ninety (90) days from the date of the adoption of this Policy to meet the Identification Requirements of Section 2(b) and the Confidentiality Requirements of Section 2(c) of this Policy.

Any community member who has not met the Identification Requirements of Section 2(b) and the Confidentiality Requirements of Section 2(c) of this Policy by the deadline above should anticipate having their access rights revoked until they have submitted the required information.

Use and disclosure of nonpublic information

Community members with access rights provide valuable services to the Sites and its users -- they fight vandalism, respond to helpdesk emails, ensure that improperly disclosed private data is removed from public view, confirm license permissions, investigate sockpuppets, improve and debug software, and much more. But community members’ use of access rights is limited to certain circumstances and contexts. This section elucidates the situations in which access rights may be used and nonpublic information may be disclosed to third parties.

(a) Use of access rights & nonpublic information. All community members with access to nonpublic information may only use their access rights and the subsequent information they access in accordance with the policies that govern the tools they use to gain such access. For example, community members with access to the CheckUser Tool must comply with the global CheckUser Policy, and, unless they are performing a cross-wiki check, they must also comply with the more restrictive local policies applicable to the relevant Site. Similarly, community members with access to a suppression tool may only use the tool in accordance with the Suppression Policy. When a community member’s access to a certain tool is revoked, for any reason, that member must destroy all nonpublic information that they have as a result of that tool.

(b) Disclosure of nonpublic information. In the course of keeping the Sites and its users safe, community members with access rights must sometimes disclose nonpublic information to third parties. Disclosures of nonpublic information may be made to:

(i) other community members with the same access rights, or who otherwise are permitted to access the same information, to fulfill the duties outlined in the applicable policy for the access tool used;

(ii) service providers, carriers, or other third parties to assist in the targeting of IP blocks or the formulation of a complaint to relevant Internet Service Providers;

(iii) law enforcement in cases where there is an immediate and credible threat to life or limb;

(iv) authorized parties with the express permission of the user whose nonpublic information is to be disclosed;

(v) law enforcement, administrative bodies, or other governmental agencies if required by law, provided that the community member notifies the Wikimedia Foundation unless restricted by law from doing so; or

(vi) the public, when it is a necessary and incidental consequence of blocking a sockpuppet or other abusive account.

While community members with access rights may disclose nonpublic information to third parties under the circumstances described above, they are under no obligation by the Foundation to do so. Please note, however, if a community member with access rights chooses to disclose in a situation covered by (ii), (iii), (iv), or (v) above, they must notify the Wikimedia Foundation by emailing check-disclosure@wikimedia.org an explanation of the disclosure within ten (10) business days of such disclosure.

All other formal and informal requests for user information (i.e. those not covered by one of the situations described above or those not acted upon by a community member with access rights), including subpoenas, from law enforcement, government agencies, attorneys, or other third parties should be directed to the Wikimedia Foundation’s legal department at legal@wikimedia.org.

Back to top