On 7/7/2010 8:46 AM, Marshall Eubanks wrote:
> Again, wearing no hats.
>
> On Jul 6, 2010, at 11:51 PM, John Levine wrote:
>
>> I think we all agree that having a privacy policy would be desirable,
>> in the sense that we are in favor of good, and opposed to evil. But I
>> don't know what it means to implement a privacy policy, and I don't
>> think anyone else does either.
>>
>> A privacy policy is basically a set of assertions about what the IETF
>> will do with your personal information. To invent a strawman, let's
>> say that the privacy policy says that registration information will be
>> kept in confidence, and some newly hired clerk who's a little unclear
>> on the concept gives a list of registrants' e-mail addresses to a
>> conference sponsor so they can e-mail everyone an offer for a free
>> IETF tee shirt.
>
> A privacy policy should set internal guidelines. In your example,
> well, we don't have clerks, and those email addresses are already
> public, but a request (say) from a sponsor for attendee information
> would flow from the Secretariat to the IAD and then maybe (depending
> on the IAD's evaluation of it) to the IAOC. At some point in that
> chain, someone (probably the IAD) should evaluate it for its privacy
> implications. Having a privacy policy in place makes that more likely
> and gives the evaluator something to evaluate it against.

Actually if the Attendee is sponsored by the sponsor in question then the attendee is their Work-For-Hire resource and so they (the Sponsor) have full legal rights to that attendance and participation information from NOTEWELL operations.

>
>>
>> Then what happens?
>
> In your example, if an employee did something on their own that
> clearly violated the privacy policy, I would expect that at a minimum
> to be featured in their next performance review, and it might be a
> firing offense in a very egregious case.

Actually the Sponsor is responsible for their sponsored's actions no matter what they do...

> Apologies to the offended parties and / or to the community might also
> be in order, as also might be mitigation (depending on just what the
> violation was).

You mean Litigation, right?

Todd

>
>> Is a privacy policy a contract, and if it is, what
>> remedies do IETF participants have for non-performance? And if it's
>> not, and there aren't remedies, what's the point?
>
> Having a privacy policy in place does two primary things IMO. It helps
> to inform and set policy
> and it gives others a metric to evaluate performance and a tool to
> improve performance.
>
> It also may have the useful effect of finding holes or inconsistencies
> in what we are doing, as it is reviewed and revised as technology and
> conditions change.
>
> In my opinion, this would help to empower the community. "I oppose the
> IAOC's proposed program to monitor cookie consumption using RFID
> because it would violate our privacy policy" will tend to be stronger
> than "I oppose the proposed RFID cookie program because I don't like
> its privacy implications."
>
> Regards
> Marshall
>
>>
>> R's,
>> John
>> _______________________________________________
>> Ietf mailing list
>> Ietf@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ietf