Privacy policy #266

Closed
twinkarma opened this issue Dec 2, 2022 · 7 comments
@twinkarma
Collaborator

twinkarma commented Dec 2, 2022

  • Add a privacy policy page
    • It should include what data is recorded and what happens when a user account is deleted
  • Add a link from navigation menu or footer
  • Add a link from user registration page along with notice

Example draft privacy policy for GATE Cloud: https://cloud.gate.ac.uk/info/help/privacy.html

@ianroberts
Member

ianroberts commented Jan 9, 2023

For the Teamware installation administrator, as the "Data Controller":

What personal data do we actually collect and why, and how long do we retain it? What is the Legal Basis for Processing each category of data?

  • user email address - LBfP = "consent" or "contract"
    • password reset
    • email notifications about projects
    • retained as long as user's account remains active
  • IP address from which user is connecting
    • technical purposes - web server logs, DoS detection, etc. - LBfP = "legitimate interest" (ours, not user's)
    • web server logs retained for {X} days/weeks - this will vary depending who is hosting, e.g. we (Sheffield) keep logs for 14 days but other people may keep them for shorter or longer

Who is data shared with and why?

  • email addresses shared with project managers (if they are third parties rather than part of "us")
  • IP addresses shared with hosting provider if the installation is not locally self-hosted

@ianroberts
Member

For SaaS deployments where party A deploys Teamware on their servers and gives admin credentials to party B for them to run their own projects with C, D, ... as annotators:

  • A is the data controller for their contract with B, but B is the controller for data about the annotators
  • A is a data processor acting on behalf of B
  • Privacy Policy shown to C, D, ... needs to make this distinction

We probably need a different policy template for the SaaS case vs the self-hosted case.

@davidwilby
Contributor

Do we need to have a data controller for the contract between A & B here?

Re: technical implementation, I was thinking about having some fields in the .env file, corresponding to some environment variables in the base settings. Then using a vue template for displaying the policy as a webpage.

@ianroberts
Member

> Re: technical implementation, I was thinking about having some fields in the .env file, corresponding to some environment variables in the base settings. Then using a vue template for displaying the policy as a webpage.

That should work, and if a particular deployer needs more customisation than the variables will allow then they can bind-mount a complete replacement template into their containers (we should document how to do this).

@ianroberts
Member

The sign-up form probably also needs a checkbox for "I agree to the [terms] and [privacy policy]" and only let users sign up once they've ticked it. Or at least a message that "by clicking register you confirm that you have read the [T&C] and [privacy policy] and agree to their terms".

This would be good to have regardless of whether or not we're gathering separate consent for marketing per #284

@ianroberts
Member

ianroberts commented Feb 13, 2023

Also cookies - we need to audit what cookies we set and whether we need consent from the user. I guess the Django session cookie would be deemed "essential", but if we use third party analytics like Google then that would need pre-consent.

Also if a particular annotation task involves embedding content from elsewhere (like a Twitter widget or YouTube video iframe) then that third party content may set its own cookies. This isn't something we can know in advance but I guess such cookies would only be set for managers or annotators of the project in question, so we just need to make a general reference to the issue in the site-level policy (since any site-level admin user can get to the config screen of any project, and will have their cookies set by the preview logic), and say it's up to the project managers to gain any necessary consents from their annotators as part of the process of recruiting them to a particular project, e.g. on the participant info sheet.

@davidwilby
Contributor

Done
