Difference between revisions of "Internal:Privacy policy"

From Wikimedia District of Columbia
Line 65: Line 65:
   
 
==APPENDIX B – LIST OF THIRD-PARTY DATA PROCESSORS==
 
==APPENDIX B – LIST OF THIRD-PARTY DATA PROCESSORS==
  +
# https://drive.google.com
 
# https://eventbrite.com
 
# https://eventbrite.com
 
# http://meetup.com
 
# http://meetup.com
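
Review bot: the unchanged context entry `http://meetup.com` in this list uses plain HTTP, while the added `# https://drive.google.com` and the neighbouring `# https://eventbrite.com` use HTTPS; consider listing every processor with an https:// URL so the appendix is consistent. The new entry is also inserted at the top of an auto-numbered `#` list, which shifts the number of every existing entry, so any reference to an Appendix B item by number should be checked.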

Revision as of 18:12, 21 February 2016

Status: Under Review

ARTICLE I – PURPOSE

1. Purpose. The purpose of this Privacy Policy ("Policy") is to explain how Wikimedia District of Columbia ("Wikimedia DC") collects, uses, and shares data, including personally identifiable information ("PII"), from website users, program participants, and donors.

ARTICLE II – GENERAL PROVISIONS

1. Access. Access to any non-public data collected under this Policy shall be limited to those staff and volunteers who have a legitimate business need to access that data for the purposes described in this Policy.

2. Retention. Unless otherwise stated in this Policy, the retention of all data collected under this Policy shall be governed by the Record Retention Policy.

3. No Sale or Lease. Wikimedia DC shall not sell, trade, or lease any data collected under this Policy.

4. Use of Third-Party Providers. Wikimedia DC uses third-party providers, within and outside the United States, for collecting, storing, and processing public and non-public data collected under this Policy.

(a) Third-Party Privacy Policies. Access to and use of data by third-party providers shall be governed by the respective privacy policies published by such providers, and by any specific agreements between Wikimedia DC and such providers.
(b) Requirements for Third-Party Providers. Wikimedia DC shall select third-party providers in accordance with the security requirements set forth in the Technology Access Policy, and shall exercise a reasonable standard of care to ensure the privacy of any data transferred to such providers.
(c) List of Third-Party Providers. A complete list of third-party providers is included in Appendix B of this Policy. The Secretary shall update Appendix B as necessary to maintain said list.

5. Anonymized Data. Wikimedia DC may publish anonymized and aggregated data for promotional, fundraising, and reporting purposes, including to report progress against stated organizational goals. Wikimedia DC may also share anonymized data with third parties, including the Wikimedia Foundation, to conduct research on its operations, including its programs.

ARTICLE III – WEBSITE

1. Applicability. For the purposes of this Policy, "Website" shall refer to any web domain that is hosted by Wikimedia DC. A complete list of such domains is included in Appendix A of this Policy, and the Secretary shall update Appendix A as necessary to maintain said list.

2. Non-Public Website Data. Wikimedia DC collects certain non-public data from users of the Website (the "Non-Public Website Data"), as follows:

(a) Visitor Data. Wikimedia DC collects the Internet Protocol (IP) address, time of visit, the URL requested, the server response code, the bytes served, the referrer (if provided), and the user agent (which includes the browser, browser version, and operating system), collectively the "Visitor Data", of anyone who visits the Website. Wikimedia DC uses Visitor Data to conduct research on Website usage, to assess technical issues that may arise, and to optimize the delivery of Website content.
(b) Editor Data. The MediaWiki software used by Wikimedia DC collects the IP address, user agent, and XFF header, collectively the "Editor Data", of any person who makes an edit to the Website or performs any action that is logged in the Website's Recent Changes feed. Editor Data is used to prevent abuse of the Website.
(c) Other Data. The Website makes use of cookies and JavaScript applications for personalization of the Website, including the function of user accounts. Persons with user accounts on the Website may optionally provide email addresses, used to send email through the Website without exposing the email address publicly.

3. Retention of Non-Public Website Data. Non-Public Website Data may be retained indefinitely in the event that an IP address is associated with abuse, including denial of service attacks and posting unsolicited, undesirable messages ("spam"). Otherwise, Non-Public Website Data shall be retained for no longer than ninety (90) days.

4. Sharing of Non-Public Website Data. Wikimedia DC shall only share Non-Public Website Data:

(a) With the permission of affected persons;
(b) Upon the presentation of a valid court or government order;
(c) As reasonably necessary to prevent imminent and serious bodily harm or death to a person;
(d) To protect Wikimedia DC, its employees, contractors, and users, or the public; or
(e) To detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.

5. Public Website Data. Any information provided in the process of registering an account on the Website, and any information contained within an edit or other logged action to the Website, shall be considered public and shall be retained indefinitely. Passwords and email addresses shall not be considered public unless directly posted to the Website.

6. Collection of Additional Data. The Website may collect additional information for specific purposes, such as for grant applications or participation in certain programs. This information shall be used for the effective conduct of Wikimedia DC programs, and shall be subject to the same protection as other data collected through the Website.

ARTICLE IV – DONORS

1. Donor Bill of Rights. Wikimedia DC adopts as its policy the Donor Bill of Rights developed by the Association of Fundraising Professionals (AFP), the Association for Healthcare Philanthropy (AHP), the Council for Advancement and Support of Education (CASE), and the Giving Institute.

2. Donor Data Collected by Wikimedia DC. Data that Wikimedia DC collects from donors may include name, address, telephone number, email address, amount donated, and any other personal information provided by the donor (collectively the "Donor Data"). For donations by check, the Donor Data also includes any data visible on the check. For donations processed online, the Donor Data includes Visitor Data.

3. Donor Data Collected by Payment Processors. Third-party payment processing services utilized by Wikimedia DC have access to Donor Data, as well as access to payment card information supplied by donors. Use of such services is governed by their respective privacy policies. Wikimedia DC does not store credit card information, bank account numbers, or other financial account data provided by donors directly to third-party payment processing services.

4. Use of Donor Data. Wikimedia DC uses Donor Data for the following:

(a) Distributing receipts and thanking donors for donations;
(b) Informing donors about upcoming fundraising and other activities;
(c) Internal analysis, such as research and analytics;
(d) Record-keeping and reporting to government agencies and as otherwise required by law;
(f) Surveys, metrics, and other analytical purposes; and
(g) Other purposes related to fundraising operations.

ARTICLE V – OTHER INFORMATION

1. Data Collected through Surveys. Wikimedia DC administers surveys to collect feedback from those participating in Wikimedia DC programs. Participants may decline to complete all or part of a survey. Wikimedia DC uses this information to assess the performance of its programs. Unless stated otherwise, comments that are provided to Wikimedia DC as part of survey responses may be published or used in promotional materials.

2. Collection of Wikimedia Usernames. Wikimedia DC collects Wikimedia project usernames at events to facilitate the collection of editing metrics, including the number of edits made before, during, and after an editing event. Wikimedia DC uses this information to assess the performance of its programs. To the greatest extent possible, Wikimedia DC shall not associate any collected Wikimedia username with any other PII collected or retained by Wikimedia DC.

APPENDIX A – LIST OF WEBSITES

  1. https://wikimediadc.org
  2. https://wikiconferenceusa.org
  3. https://wikidiversity.org

APPENDIX B – LIST OF THIRD-PARTY DATA PROCESSORS

  1. https://drive.google.com
  2. https://eventbrite.com
  3. http://meetup.com
  4. https://paypal.com
  5. https://podio.com