ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Retention of blue sheets

2009-07-30 12:55:18
from [Marshall Eubanks] [Permanent Link] 

On Jul 30, 2009, at 11:49 AM, Alissa Cooper wrote:
The fact that this came up in the context of subpoenas argues in the other direction. That meeting attendance is subject to subpoena was probably not evident (or disclosed) to most attendees. What kinds of legal process does the Trust respond to? Do requests have to have court backing, or would the blue sheets be disclosed to anyone who wanted to see them? I agree that in the context of blue sheets, the answers to these questions are unlikely to be frequently invoked. But it still makes sense to have a policy around it and to disclose that policy. Otherwise, people who would want to avoid signing a sheet due to privacy concerns wouldn't even know of their need to avoid signing.
Furthermore, the blue sheets are in some ways the least of the data collected by the IETF. What happens to all of our meeting registration and payment data? What about the server logs for the IETF web sites? I'm not saying less data should be collected (I don't really know enough to evaluate that). I just think there should be a policy for protecting that data and the people it describes. It is hard to come by an organization web site that doesn't contain a privacy policy these days. 



THe Trust has a documents retention policy (the current one is at
http://trustee.ietf.org/docs/IETF_Trust_Records_Retention_Policy_(Complete_Final).pdf )
Here is some background. I am only talking about physical material, not electronic records.
Most of the physical material held by the IETF Trust was turned over by CNRI as part of the the Settlement that set up the Trust. I volunteered to evaluate this material, and went with the IAD one cold day to look at several pallets worth of material (much of which was CNRI material not belonging to the Trust, such records of other conferences run by Foretec, and all of which was gone through).
This IETF material totaled 64 boxes, including Blue Sheets (starting with IETF 22 in 1991) and a mass of registration payment material (starting with IETF 26 in 1993). Some of this material was obviously highly sensitive (random samplings showed canceled checks, credit card imprints, passport photo page copies, US Social Security Numbers, addresses, phone numbers, etc.). While I do know how this material was treated previously, while in the Trust's possession it was always held in a secure storage facility.
There were various discussions by the Trustees with counsel about how to handle this material, what should be kept, and for what periods. Agreements with Credit Card companies mean that credit card material has to kept for a relatively short period of time (18 months), in case the bill is disputed, and it was decided to adopt that period for canceled checks and other sensitive personal information.
The result is the above Document Retention Policy, and the IAD and I duly went to the storage facility once this was enacted and the sensitive material in the Trust's possession was destroyed. New material is held by the Secretariat and is generally destroyed by the Secretariat before it goes into the Trust archives. Other material is held as called for in the Document retention policy. 

I hope that you find this background useful.

Regards
Marshall


Alissa

On Jul 30, 2009, at 5:32 PM, David Morris wrote:




On Thu, 30 Jul 2009, Alissa Cooper wrote:
The discussion about blue sheets begs the question: does the IETF (or the Trust) have a privacy policy? I did a quick look for one but I didn't see one posted anywhere. If there's a legal entity collecting personal information (which there obviously is), it should have a privacy policy.
It is a stretch, which my imagination can't fathom, to consider a list of attendees in a public meeting to be personal information. Give the ease with which one can avoid having one's name recorded, I don't see any issue except the administrative support issues related to storing old paper. 
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf











_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [TLS] Last Call: draft-ietf-tls-extractor (Keying Material Exporters for Transport Layer Security (TLS)) to Proposed Standard, Bernard Aboba
Next by Date:  Re: Retention of blue sheets, Bill Manning
Previous by Thread:  Re: Retention of blue sheets, Alissa Cooper
Next by Thread:  Re: Retention of blue sheets, Simon Josefsson
Indexes:  [Date] [Thread] [Top] [All Lists]