Again, wearing no hats.

On Jul 6, 2010, at 11:51 PM, John Levine wrote:
I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt.
A privacy policy should set internal guidelines. In your example, well, we don't have clerks, and those email addresses are already public, but a request (say) from a sponsor for attendee information would flow from the Secretariat to the IAD and then maybe (depending on the IAD's evaluation of it) to the IAOC. At some point in that chain, someone (probably the IAD) should evaluate it for its privacy implications. Having a privacy policy in place makes that more likely and gives the evaluator something to evaluate it against.
Then what happens?
In your example, if an employee did something on their own that clearly violated the privacy policy, I would expect that at a minimum to be featured in their next performance review, and it might be a firing offense in a very egregious case. Apologies to the offended parties and / or to the community might also be in order, as also might be mitigation (depending on just what the violation was).
Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point?
Having a privacy policy in place does two primary things IMO. It helps to inform and set policy and it gives others a metric to evaluate performance and a tool to improve performance.
It also may have the useful effect of finding holes or inconsistencies in what we are doing, as it is reviewed and revised as technology and conditions change.
In my opinion, this would help to empower the community. "I oppose the IAOC's proposed program to monitor cookie consumption using RFID because it would violate our privacy policy" will tend to be stronger than "I oppose the proposed RFID cookie program because I don't like its privacy implications."
Regards Marshall
R's,
John
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf