On 7/7/2010 8:46 AM, Marshall Eubanks wrote:
Again, wearing no hats.
On Jul 6, 2010, at 11:51 PM, John Levine wrote:
I think we all agree that having a privacy policy would be desirable,
in the sense that we are in favor of good, and opposed to evil. But I
don't know what it means to implement a privacy policy, and I don't
think anyone else does either.
A privacy policy is basically a set of assertions about what the IETF
will do with your personal information. To invent a strawman, let's
say that the privacy policy says that registration information will be
kept in confidence, and some newly hired clerk who's a little unclear
on the concept gives a list of registrants' e-mail addresses to a
conference sponsor so they can e-mail everyone an offer for a free
IETF tee shirt.
A privacy policy should set internal guidelines. In your example,
well, we don't have clerks, and those email addresses are already
public, but a request (say) from a sponsor for attendee information
would flow from the Secretariat to the IAD and then maybe (depending
on the IAD's evaluation of it) to the IAOC. At some point in that
chain, someone (probably the IAD) should evaluate it for its privacy
implications. Having a privacy policy in place makes that more likely
and gives the evaluator something to evaluate it against.
Actually if the Attendee is sponsored by the sponsor in question then
the attendee is their Work-For-Hire resource and so they (the Sponsor)
have full legal rights to that attendance and participation information
from NOTEWELL operations.
Then what happens?
In your example, if an employee did something on their own that
clearly violated the privacy policy, I would expect that at a minimum
to be featured in their next performance review, and it might be a
firing offense in a very egregious case.
Actually the Sponsor is responsible for their sponsored's actions no
matter what they do...
Apologies to the offended parties and / or to the community might also
be in order, as also might be mitigation (depending on just what the
violation was).
you mean Litigation right?
Todd
Is a privacy policy a contract, and if it is, what
remedies do IETF participants have for non-performance? And if it's
not, and there aren't remedies, what's the point?
Having a privacy policy in place does two primary things IMO. It helps
to inform and set policy and it gives others a metric to evaluate
performance and a tool to improve performance.
It also may have the useful effect of finding holes or inconsistencies
in what we are doing, as it is reviewed and revised as technology and
conditions change.
In my opinion, this would help to empower the community. "I oppose the
IAOC's proposed program to monitor cookie consumption using RFID
because it would violate our privacy policy" will tend to be stronger
than "I oppose the proposed RFID cookie program because I don't like
its privacy implications."
Regards
Marshall
R's,
John
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf