Picking up this thread...
On Jul 30, 2009, at 12:54 PM, Marshall Eubanks wrote:
The Trust has a documents retention policy (the current one is at
http://trustee.ietf.org/docs/IETF_Trust_Records_Retention_Policy_(Complete_Final).pdf
)
Here is some background. I am only talking about physical material,
not electronic records.
The records retention policy is a good start, although it's obviously
not a complete privacy policy. Does the policy only apply to paper
records? It was not clear if your statement above was in reference to
the policy itself.
In any event, it seems sensible for the policy (or a separate policy)
to address other privacy aspects besides records retention (e.g.,
onward data transfer, security, notice, etc.) and to cover both
physical records and electronic records. ISOC has such a policy (http://www.isoc.org/help/privacy/
) -- if it doesn't already apply to the data collected by the Trust,
then the Trust (or whoever manages the data collected in connection
with IETF activities) should have its own policy.
I'm happy to help craft a policy if there's a means to put one in
place (and if one doesn't already exist).
Alissa
Most of the physical material held by the IETF Trust was turned over
by CNRI as part of the Settlement
that set up the Trust. I volunteered to evaluate this material, and
went with the IAD one cold day to look at
several pallets worth of material (much of which was CNRI material
not belonging to the Trust, such as records of other conferences run by
Foretec, and all of which was gone through).
This IETF material totaled 64 boxes, including Blue Sheets (starting
with IETF 22 in 1991) and a mass of registration payment material
(starting with IETF 26 in 1993). Some of this material was obviously
highly sensitive (random samplings showed canceled checks, credit
card imprints, passport photo page copies, US Social Security
Numbers, addresses, phone numbers, etc.). While I do know how this
material was treated previously, while in the Trust's possession it
was always held in a secure storage facility.
There were various discussions by the Trustees with counsel about
how to handle this material, what should be kept, and for what
periods. Agreements with Credit Card companies mean that credit card
material has to be kept for a relatively short period of time (18
months), in case the bill is disputed, and it was decided to adopt
that period for canceled checks and other sensitive personal
information.
The result is the above Document Retention Policy, and the IAD and I
duly went to the storage facility once this was enacted and the
sensitive material in the Trust's possession was destroyed. New
material is held by the Secretariat and is generally destroyed by
the Secretariat before it goes into the Trust archives. Other
material is held as called for in the Document retention policy.
I hope that you find this background useful.
Regards
Marshall
Alissa
On Jul 30, 2009, at 5:32 PM, David Morris wrote:
On Thu, 30 Jul 2009, Alissa Cooper wrote:
The discussion about blue sheets begs the question: does the IETF
(or the Trust) have a privacy policy? I did a quick look for one
but I didn't see one posted anywhere. If there's a legal entity
collecting personal information (which there obviously is), it
should have a privacy policy.
It is a stretch, which my imagination can't fathom, to consider a
list of attendees in a public meeting to be personal information.
Given the ease with which one can avoid having one's name recorded,
I don't see any issue except the administrative support issues
related to storing old paper.
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf