Difference between revisions of "Internal:Privacy policy"

From Wikimedia District of Columbia
(Working)
(Working)
Line 5: Line 5:
   
 
==ARTICLE II – GENERAL PROVISIONS==
 
==ARTICLE II – GENERAL PROVISIONS==
1. <u>Access</u>. It is Wikimedia DC's policy to limit access to non-public data to staff and volunteers who need to process that information for the purposes described in this Policy.
+
1. <u>Access</u>. Access to any non-public data collected under this Policy shall be limited to those staff and volunteers who have a legitimate business need to access that data for the purposes described in this Policy.
   
2. <u>Retention</u>. Unless otherwise stated in this Policy, the retention of data collected under this Policy is governed by the [[Record Retention Policy]].
+
2. <u>Retention</u>. Unless otherwise stated in this Policy, the retention of all data collected under this Policy shall be governed by the [[Record Retention Policy]].
   
3. <u>No Sale or Lease</u>. Unless otherwise stated, Wikimedia DC does not publish, sell, trade, or rent collected data. Wikimedia DC may use available information to supplement collected data to improve the information Wikimedia DC uses.
+
3. <u>No Sale or Lease</u>. Wikimedia DC shall not sell, trade, or lease any data collected under this Policy.
   
4. <u>Use of Third-Party Data Storage</u>. Wikimedia DC uses third-party providers, within and outside the United States, for collecting and storing data. Examples of this include third-party event registration websites and online accounting software. The [[Technology Access Policy]] establishes requirements for security standards and restriction of access.
+
4. <u>Use of Third-Party Providers</u>. Wikimedia DC uses third-party providers, within and outside the United States, for collecting, storing, and processing public and non-public data collected under this Policy.
  +
:(a) <u>Third-Party Privacy Policies</u>. Access to and use of data by third-party providers shall be governed by the respective privacy policies published by such providers, and by any specific agreements between Wikimedia DC and such providers.
  +
:(b) <u>Requirements for Third-Party Providers</u>. Wikimedia DC shall select third-party providers in accordance with the security requirements set forth in the [[Technology Access Policy]], and shall exercise a reasonable standard of care to ensure the privacy of any data transferred to such providers.
  +
:(c) <u>List of Third-Party Providers</u>. A complete list of third-party providers is included in Appendix B of this Policy. The Secretary shall update Appendix B as necessary to maintain said list.
   
 
5. <u>Anonymized Data</u>. Wikimedia DC may publish anonymized and aggregated data for promotional, fundraising, and reporting purposes, including to report progress against stated organizational goals. Wikimedia DC may also share anonymized data with third parties, including the Wikimedia Foundation, to conduct research on its operations, including its programs.
5. <u>Use of Third-Party Websites</u>. Wikimedia DC uses third-party websites in the conduct of its operations, including social networking and event registration websites. The use of those websites is governed by the privacy policies published on such websites. Wikimedia DC may from time to time retain information that is made available through third-party websites for its own operations.
 
 
6. <u>Anonymized Data</u>. Wikimedia DC may publish anonymized and aggregated data for promotional, fundraising, and reporting purposes, including to report progress against stated organizational goals. Wikimedia DC may also share anonymized data with third parties, including the Wikimedia Foundation, to conduct research on its operations, including its programs. Comments that are provided to Wikimedia DC may be publicly published and may be used in promotional materials.
 
   
 
==ARTICLE III – WEBSITE==
 
==ARTICLE III – WEBSITE==
1. <u>Applicability</u>. For the purposes of this Policy, "Wikimedia DC Website" includes the main Wikimedia DC website and any additional web property that is hosted by Wikimedia DC, a complete list of which is included in Appendix A of this Policy. The Secretary shall update Appendix A at his or her discretion to ensure that the list is accurate.
+
1. <u>Applicability</u>. For the purposes of this Policy, "Website" shall refer to any web domain that is hosted by Wikimedia DC. A complete list of such domains is included in Appendix A of this Policy, and the Secretary shall update Appendix A as necessary to maintain said list.
   
2. <u>Non-Public Website Data</u>
+
2. <u>Non-Public Website Data</u>. Wikimedia DC collects certain non-public data from users of the Website (the "Non-Public Website Data"), as follows:
:(a) <u>Visitor Data</u>. Wikimedia DC collects the Internet Protocol (IP) address, time of visit, the URL requested, the server response code, the bytes served, the referrer if provided, and the user agent (which includes the browser, browser version, and operating system), collectively "Visitor Data," of anyone who visits the Wikimedia DC Website. Wikimedia DC uses Visitor Data to conduct research on Website usage, to assess technical issues that may arise, and to optimize the delivery of Website content.
+
:(a) <u>Visitor Data</u>. Wikimedia DC collects the Internet Protocol (IP) address, time of visit, the URL requested, the server response code, the bytes served, the referrer (if provided), and the user agent (which includes the browser, browser version, and operating system), collectively the "Visitor Data", of anyone who visits the Website. Wikimedia DC uses Visitor Data to conduct research on Website usage, to assess technical issues that may arise, and to optimize the delivery of Website content.
 
:(b) <u>Editor Data</u>. The MediaWiki software used by Wikimedia DC collects the IP address, user agent, and XFF header, collectively the "Editor Data", of any person who makes an edit to the Website or performs any action that is logged in the Website's Recent Changes feed. Editor Data is used to prevent abuse of the Website.
  +
:(c) <u>Other Data</u>. The Website makes use of cookies and JavaScript applications for personalization of the Website, including the function of user accounts. Persons with user accounts on the Website may optionally provide email addresses, used to send email through the Website without exposing the email address publicly.
   
 
3. <u>Retention of Non-Public Website Data</u>. Non-Public Website Data may be retained indefinitely in the event that an IP address is associated with abuse, including denial of service attacks and posting unsolicited, undesirable messages ("spam"). Otherwise, Non-Public Website Data shall be retained for no longer than ninety (90) days.
:(b) <u>Editor Data</u>. The MediaWiki software used by Wikimedia DC collects the IP address, user agent, and XFF header of any person who makes an edit to the website or performs any action that is logged in the website's Recent Changes feed, collectively "Editor Data". Editor Data is used to prevent abuse of the Wikimedia DC Website. The Wikimedia DC Website also makes use of cookies and JavaScript applications for personalization of the Website, including the function of user accounts. Those with user accounts may optionally provide email addresses, used to send email through the Website without exposing the email address publicly.
 
   
 
4. <u>Sharing of Non-Public Website Data</u>. Wikimedia DC shall only share Non-Public Website Data:
3. <u>Retention of Non-Public Website Data</u>. Wikimedia DC retains Visitor Data and Editor Data indefinitely in the event that an IP address is associated with abuse, including denial of service attacks and posting unsolicited, undesirable messages ("spam"). Otherwise, Visitor Data and Editor Data is retained for no longer than 90 days.
 
 
4. <u>Sharing of Non-Public Website Data</u>. Wikimedia DC shall only share non-public data:
 
 
: (a) With the permission of affected persons;
 
: (a) With the permission of affected persons;
 
: (b) Upon the presentation of a valid court or government order;
 
: (b) Upon the presentation of a valid court or government order;
: (c) If it is reasonably necessary to prevent imminent and serious bodily harm or death to a person;
+
: (c) As reasonably necessary to prevent imminent and serious bodily harm or death to a person;
: (d) To protect our organization, employees, contractors, users, or the public; or
+
: (d) To protect Wikimedia DC, its employees, contractors, and users, or the public; or
 
: (e) To detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.
 
: (e) To detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.
   
5. <u>Public Website Data</u>. Any information provided in the process of registering an account on the Website, and any information contained within an edit or other logged action to the Website, is retained indefinitely and shall be considered public. Passwords and email addresses are not considered public unless directly posted to the Website.
+
5. <u>Public Website Data</u>. Any information provided in the process of registering an account on the Website, and any information contained within an edit or other logged action to the Website, shall be considered public and shall be retained indefinitely. Passwords and email addresses shall not be considered public unless directly posted to the Website.
   
6. <u>Collection of Additional Data</u>. The Wikimedia DC Website may collect additional information for specific purposes, such as for grant applications or participation in certain programs. This information is used for the effective conduct of Wikimedia DC programs, and is subject to the same protection as other data collected through the Wikimedia DC Website.
+
6. <u>Collection of Additional Data</u>. The Website may collect additional information for specific purposes, such as for grant applications or participation in certain programs. This information shall be used for the effective conduct of Wikimedia DC programs, and shall subject to the same protection as other data collected through the Website.
   
 
==ARTICLE IV – DONORS==
 
==ARTICLE IV – DONORS==
1. <u>Donor Bill of Rights</u>. Wikimedia DC adopts as its policy the [http://www.afpnet.org/files/ContentDocuments/DonorBillofRights.pdf Donor Bill of Rights] as developed by the Association of Fundraising Professionals (AFP), the Association for Healthcare Philanthropy (AHP), the Council for Advancement and Support of Education (CASE), and the Giving Institute.
+
1. <u>Donor Bill of Rights</u>. Wikimedia DC adopts as its policy the [http://www.afpnet.org/files/ContentDocuments/DonorBillofRights.pdf Donor Bill of Rights] developed by the Association of Fundraising Professionals (AFP), the Association for Healthcare Philanthropy (AHP), the Council for Advancement and Support of Education (CASE), and the Giving Institute.
   
2. <u>Donor Data Collected by Wikimedia DC</u>. Data that Wikimedia DC collects from donors may include name, amount donated, address, telephone number, donor comments, e-mail address, and any other personal information provided to us (“Donor Data”). For donations by check, Donor Data also includes the data visible on the check. For donations processed online, Donor Data includes Visitor Data.
+
2. <u>Donor Data Collected by Wikimedia DC</u>. Data that Wikimedia DC collects from donors may include name, address, telephone number, email address, amount donated, and any other personal information provided by the donor (collectively the "Donor Data"). For donations by check, the Donor Data also includes any data visible on the check. For donations processed online, the Donor Data includes Visitor Data.
   
3. <u>Donor Data Collected by Payment Processors</u>. Payment processors, as identified by Wikimedia DC's website, have access to Donor Data, as well as access to payment card information as supplied by donors. Use of such services is governed by their respective privacy policies. Wikimedia DC does not store credit card information, bank account numbers, or other financial account data sent directly to third-party processing services.
+
3. <u>Donor Data Collected by Payment Processors</u>. Third-party payment processing services utilized by Wikimedia DC have access to Donor Data, as well as access to payment card information supplied by donors. Use of such services is governed by their respective privacy policies. Wikimedia DC does not store credit card information, bank account numbers, or other financial account data provided by donors directly to third-party payment processing services.
   
 
4. <u>Use of Donor Data</u>. Wikimedia DC uses Donor Data for the following:
 
4. <u>Use of Donor Data</u>. Wikimedia DC uses Donor Data for the following:
: (a) Distributing receipts and thanking donors for donations
+
: (a) Distributing receipts and thanking donors for donations;
: (b) Informing donors about upcoming fundraising and other activities
+
: (b) Informing donors about upcoming fundraising and other activities;
: (c) Internal analysis, such as research and analytics
+
: (c) Internal analysis, such as research and analytics;
: (d) Record keeping
+
: (d) Record-keeping and reporting to government agencies and as otherwise required by law;
 
: (f) Surveys, metrics, and other analytical purposes; and
: (e) Reporting to applicable government agencies as required by law
 
 
: (g) Other purposes related to fundraising operations.
: (f) Surveys, metrics, and other analytical purposes
 
: (g) Other purposes related to the fundraising operations
 
 
5. <u>Public Acknowledgment</u>. We may allow donors the option to have their name publicly associated with their donation unless otherwise requested as part of the online donation process.
 
   
 
==ARTICLE V – OTHER INFORMATION==
 
==ARTICLE V – OTHER INFORMATION==
1. <u>Data Collected through Surveys</u>. Wikimedia DC administers surveys from time to time to collect feedback from those participating in Wikimedia DC programs. Participants may decline to complete all or part of a survey. Wikimedia DC uses this information to assess the performance of its programs.
+
1. <u>Data Collected through Surveys</u>. Wikimedia DC administers surveys to collect feedback from those participating in Wikimedia DC programs. Participants may decline to complete all or part of a survey. Wikimedia DC uses this information to assess the performance of its programs. Unless stated otherwise, comments that are provided to Wikimedia DC as part of survey responses may be published or used in promotional materials.
   
2. <u>Collection of Wikimedia Usernames</u>. Wikimedia DC collects Wikimedia project usernames at events to facilitate the collection of editing metrics, including the number of edits made before, during, and after an editing program. Wikimedia DC uses this information to assess the performance of its programs. To the greatest extent feasible, Wikimedia DC shall not associate a Wikimedia username with that person's PII.
+
2. <u>Collection of Wikimedia Usernames</u>. Wikimedia DC collects Wikimedia project usernames at events to facilitate the collection of editing metrics, including the number of edits made before, during, and after an editing event. Wikimedia DC uses this information to assess the performance of its programs. To the greatest extent possible, Wikimedia DC shall not associate any collected Wikimedia username with any other PII collected or retained by Wikimedia DC.
   
 
==APPENDIX A – LIST OF WEBSITES==
 
==APPENDIX A – LIST OF WEBSITES==
1. http://wikimediadc.org
+
# http://wikimediadc.org
  +
# http://wikiconferenceusa.org
 
2. http://wikiconferenceusa.org
+
# http://wikidiversity.org
   
  +
==APPENDIX B – LIST OF THIRD-PARTY DATA PROCESSORS==
3. http://wikidiversity.org
 
  +
# http://eventbrite.com
  +
# http://meetup.com
  +
# http://paypal.com
  +
# http://podio.com
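
Review bot: In the revised Article III, section 6, "shall subject to the same protection" is missing a verb and should read "shall be subject to the same protection". In the revised Article IV, section 4, folding the old item (e) into (d) leaves the list running (a) to (d) and then (f) and (g); re-letter the last two items as (e) and (f) so the list has no gap.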

Revision as of 16:25, 21 February 2016

Status: Under Review

ARTICLE I – PURPOSE

1. Purpose. The purpose of this Privacy Policy ("Policy") is to explain how Wikimedia District of Columbia ("Wikimedia DC") collects, uses, and shares data, including personally identifiable information ("PII"), from website users, program participants, and donors.

ARTICLE II – GENERAL PROVISIONS

1. Access. Access to any non-public data collected under this Policy shall be limited to those staff and volunteers who have a legitimate business need to access that data for the purposes described in this Policy.

2. Retention. Unless otherwise stated in this Policy, the retention of all data collected under this Policy shall be governed by the Record Retention Policy.

3. No Sale or Lease. Wikimedia DC shall not sell, trade, or lease any data collected under this Policy.

4. Use of Third-Party Providers. Wikimedia DC uses third-party providers, within and outside the United States, for collecting, storing, and processing public and non-public data collected under this Policy.

(a) Third-Party Privacy Policies. Access to and use of data by third-party providers shall be governed by the respective privacy policies published by such providers, and by any specific agreements between Wikimedia DC and such providers.
(b) Requirements for Third-Party Providers. Wikimedia DC shall select third-party providers in accordance with the security requirements set forth in the Technology Access Policy, and shall exercise a reasonable standard of care to ensure the privacy of any data transferred to such providers.
(c) List of Third-Party Providers. A complete list of third-party providers is included in Appendix B of this Policy. The Secretary shall update Appendix B as necessary to maintain said list.

5. Anonymized Data. Wikimedia DC may publish anonymized and aggregated data for promotional, fundraising, and reporting purposes, including to report progress against stated organizational goals. Wikimedia DC may also share anonymized data with third parties, including the Wikimedia Foundation, to conduct research on its operations, including its programs.

ARTICLE III – WEBSITE

1. Applicability. For the purposes of this Policy, "Website" shall refer to any web domain that is hosted by Wikimedia DC. A complete list of such domains is included in Appendix A of this Policy, and the Secretary shall update Appendix A as necessary to maintain said list.

2. Non-Public Website Data. Wikimedia DC collects certain non-public data from users of the Website (the "Non-Public Website Data"), as follows:

(a) Visitor Data. Wikimedia DC collects the Internet Protocol (IP) address, time of visit, the URL requested, the server response code, the bytes served, the referrer (if provided), and the user agent (which includes the browser, browser version, and operating system), collectively the "Visitor Data", of anyone who visits the Website. Wikimedia DC uses Visitor Data to conduct research on Website usage, to assess technical issues that may arise, and to optimize the delivery of Website content.
(b) Editor Data. The MediaWiki software used by Wikimedia DC collects the IP address, user agent, and XFF header, collectively the "Editor Data", of any person who makes an edit to the Website or performs any action that is logged in the Website's Recent Changes feed. Editor Data is used to prevent abuse of the Website.
(c) Other Data. The Website makes use of cookies and JavaScript applications for personalization of the Website, including the function of user accounts. Persons with user accounts on the Website may optionally provide email addresses, used to send email through the Website without exposing the email address publicly.

3. Retention of Non-Public Website Data. Non-Public Website Data may be retained indefinitely in the event that an IP address is associated with abuse, including denial of service attacks and posting unsolicited, undesirable messages ("spam"). Otherwise, Non-Public Website Data shall be retained for no longer than ninety (90) days.

4. Sharing of Non-Public Website Data. Wikimedia DC shall only share Non-Public Website Data:

(a) With the permission of affected persons;
(b) Upon the presentation of a valid court or government order;
(c) As reasonably necessary to prevent imminent and serious bodily harm or death to a person;
(d) To protect Wikimedia DC, its employees, contractors, and users, or the public; or
(e) To detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.

5. Public Website Data. Any information provided in the process of registering an account on the Website, and any information contained within an edit or other logged action to the Website, shall be considered public and shall be retained indefinitely. Passwords and email addresses shall not be considered public unless directly posted to the Website.

6. Collection of Additional Data. The Website may collect additional information for specific purposes, such as for grant applications or participation in certain programs. This information shall be used for the effective conduct of Wikimedia DC programs, and shall be subject to the same protection as other data collected through the Website.

ARTICLE IV – DONORS

1. Donor Bill of Rights. Wikimedia DC adopts as its policy the Donor Bill of Rights developed by the Association of Fundraising Professionals (AFP), the Association for Healthcare Philanthropy (AHP), the Council for Advancement and Support of Education (CASE), and the Giving Institute.

2. Donor Data Collected by Wikimedia DC. Data that Wikimedia DC collects from donors may include name, address, telephone number, email address, amount donated, and any other personal information provided by the donor (collectively the "Donor Data"). For donations by check, the Donor Data also includes any data visible on the check. For donations processed online, the Donor Data includes Visitor Data.

3. Donor Data Collected by Payment Processors. Third-party payment processing services utilized by Wikimedia DC have access to Donor Data, as well as access to payment card information supplied by donors. Use of such services is governed by their respective privacy policies. Wikimedia DC does not store credit card information, bank account numbers, or other financial account data provided by donors directly to third-party payment processing services.

4. Use of Donor Data. Wikimedia DC uses Donor Data for the following:

(a) Distributing receipts and thanking donors for donations;
(b) Informing donors about upcoming fundraising and other activities;
(c) Internal analysis, such as research and analytics;
(d) Record-keeping and reporting to government agencies and as otherwise required by law;
(f) Surveys, metrics, and other analytical purposes; and
(g) Other purposes related to fundraising operations.

ARTICLE V – OTHER INFORMATION

1. Data Collected through Surveys. Wikimedia DC administers surveys to collect feedback from those participating in Wikimedia DC programs. Participants may decline to complete all or part of a survey. Wikimedia DC uses this information to assess the performance of its programs. Unless stated otherwise, comments that are provided to Wikimedia DC as part of survey responses may be published or used in promotional materials.

2. Collection of Wikimedia Usernames. Wikimedia DC collects Wikimedia project usernames at events to facilitate the collection of editing metrics, including the number of edits made before, during, and after an editing event. Wikimedia DC uses this information to assess the performance of its programs. To the greatest extent possible, Wikimedia DC shall not associate any collected Wikimedia username with any other PII collected or retained by Wikimedia DC.

APPENDIX A – LIST OF WEBSITES

  1. http://wikimediadc.org
  2. http://wikiconferenceusa.org
  3. http://wikidiversity.org

APPENDIX B – LIST OF THIRD-PARTY DATA PROCESSORS

  1. http://eventbrite.com
  2. http://meetup.com
  3. http://paypal.com
  4. http://podio.com