Hello,
At 10:02 16-03-2016, IETF Administrative Director wrote:
> The IAOC would like community input on a proposed IETF Privacy Policy.
The above says "Privacy Policy" whereas the "IETF Draft 24 Feb. 2016"
says "Statement Concerning Personal Data".
According to www.ietf.org the "Internet Engineering Task Force (IETF)
is an organized activity of the Internet Society". Who is the
operator of www.ietf.org?
I'll use "personal data" to refer to "personally identifiable
information" as it might be easier to understand. The following is
considered as personal data:
(a) first and last name
(b) home address
(c) e-mail address
(d) Any other identifier that permits the physical or online contacting
of a specific individual
IETF online participation requires (a) and (c) [1]. IETF attendance
requires more personal data, e.g. payment information. There are also
the audio and video recordings. According to the Attorney General,
California Department of Justice, the United States "Federal Trade
Commission (FTC) has called for improved data practice transparency,
encouraging privacy policy statements that are 'clearer, shorter, and
more standardized to enable better comprehension and comparison of
privacy practices'". I suggest having a subdivision so that the participant
can easily find which personal data he/she has to provide. There
would be a separate division for an attendee as other personal data
may be required. A third division would be for the (web) visitor.
There isn't any information in the draft about data use and
sharing. The draft mentions that it is possible "to request
information regarding our disclosure of your Personal Data to third
parties for direct marketing purposes". I suggest explicitly asking
for consent before sharing personal data with third parties.
"We believe that we have implemented commercially reasonable precautions
to prevent the unauthorized use, disclosure and alteration of Non-Public
Information. However, no data security measures can guarantee complete
data security, and IETF does not guaranty the confidentiality of anything
that you submit to IETF."
Does that mean that the IETF will not notify a person affected by a
data breach? What is the difference between "commercially reasonable
precautions" and "reasonable precautions"?
This draft is better than the draft which was posted in February 2015.
Regards,
S. Moonesamy
1. I skipped the exceptions.