
Re: Proposed IETF Privacy Policy for Review

2016-03-18 05:33:31
Hello,
At 10:02 16-03-2016, IETF Administrative Director wrote:
The IAOC would like community input on a proposed IETF Privacy Policy.

The above says "Privacy Policy" whereas the "IETF Draft 24 Feb. 2016" says "Statement Concerning Personal Data".

According to www.ietf.org the "Internet Engineering Task Force (IETF) is an organized activity of the Internet Society". Who is the operator of www.ietf.org?

I'll use "personal data" to refer to "personally identifiable information" as it might be easier to understand. The following are considered personal data:

  (a) first and last name
  (b) home address
  (c) e-mail address
  (d) Any other identifier that permits the physical or online contacting
      of a specific individual

IETF online participation requires (a) and (c) [1]. IETF attendance requires more personal data, e.g. payment information. There are also the audio and video recordings. According to the Attorney General, California Department of Justice, the United States "Federal Trade Commission (FTC) has called for improved data practice transparency, encouraging privacy policy statements that are 'clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices'." I suggest having a subdivision so that the participant can easily find which personal data he/she has to provide. There would be a separate division for an attendee as other personal data may be required. A third division would be for the (web) visitor.

There isn't any information in the draft about data use and sharing. The draft mentions that it is possible "to request information regarding our disclosure of your Personal Data to third parties for direct marketing purposes". I suggest explicitly asking for consent before sharing personal data with third parties.

  "We believe that we have implemented commercially reasonable precautions
   to prevent the unauthorized use, disclosure and alteration of Non-Public
   Information. However, no data security measures can guarantee complete
   data security, and IETF does not guaranty the confidentiality of anything
   that you submit to IETF."

Does that mean that the IETF will not notify a person affected by a data breach? What is the difference between "commercially reasonable precautions" and "reasonable precautions"?

This draft is better than the draft which was posted in February 2015.

Regards,
S. Moonesamy

1. I skipped the exceptions.