Again, wearing no hats.
On Jul 6, 2010, at 11:51 PM, John Levine wrote:
I think we all agree that having a privacy policy would be desirable,
in the sense that we are in favor of good, and opposed to evil. But I
don't know what it means to implement a privacy policy, and I don't
think anyone else does either.
A privacy policy is basically a set of assertions about what the IETF
will do with your personal information. To invent a strawman, let's
say that the privacy policy says that registration information will be
kept in confidence, and some newly hired clerk who's a little unclear
on the concept gives a list of registrants' e-mail addresses to a
conference sponsor so they can e-mail everyone an offer for a free
IETF tee shirt.
A privacy policy should set internal guidelines. In your example,
well, we don't have clerks, and those email addresses are already
public, but a request (say) from a sponsor for attendee information
would flow from the Secretariat to the IAD and then maybe (depending
on the IAD's evaluation of it) to the IAOC. At some point in that
chain, someone (probably the IAD) should evaluate it for its privacy
implications. Having a privacy policy in place makes that more likely
and gives the evaluator something to evaluate it against.
Then what happens?
In your example, if an employee did something on their own that
clearly violated the privacy policy, I would expect that at a minimum
to be featured in their next performance review, and it might be a
firing offense in a very egregious case. Apologies to the offended
parties and / or to the community might also be in order, as also
might be mitigation (depending on just what the violation was).
Is a privacy policy a contract, and if it is, what
remedies do IETF participants have for non-performance? And if it's
not, and there aren't remedies, what's the point?
Having a privacy policy in place does two primary things IMO. It helps
to inform and set policy and it gives others a metric to evaluate
performance and a tool to improve performance.
It also may have the useful effect of finding holes or inconsistencies
in what we are doing, as it is reviewed and revised as technology and
conditions change.
In my opinion, this would help to empower the community. "I oppose the
IAOC's proposed program to monitor cookie consumption using RFID
because it would violate our privacy policy" will tend to be stronger
than "I oppose the proposed RFID cookie program because I don't like
its privacy implications."
Regards
Marshall
R's,
John
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf