Compliance with privacy laws when working with conferences #41
Comments
The committee is part of the DSF, and the DSF President sits on the WG in an advisory role in case that helps. Overall, I think we need to revisit and revise quite a bit of this. When we revised the PSF's policies (which are different, but some were based on this repo), we were told that GDPR didn't apply possibly because of our org size and some other reasons I'm not remembering. We should probably use this as an excuse to update/revise and get new legal advice. The second part about reports has firm legal backing both at the DSF and the PSF level from past experience. I believe there was even a case cited where someone harassed someone else and then tried to use GDPR as a defense mechanism for why it couldn't be used in court and it backfired on them (as it should). I think we should revise policies and address concerns. It's definitely been a while.
Thanks @jefftriplett, that does help 👍 I did suspect the committee was part of the DSF as it’s referred to as such in a few places, but I think I’ve also seen it referred to as the "Django" CoC committee too, hence the confusion. With the caveat that this isn’t my area of expertise – as far as I know there will be exemptions (no need to appoint a Data Protection Officer, potentially ways to opt out of Subject access requests for CoC information involving multiple people), but I’d expect the GDPR to still apply. And even if it didn’t apply to the DSF / CoC committee, it definitely does apply to UK/EU conference organisers in how they handle the personal data of participants, including making sure the CoC committee and any other processor / controller has adequate data protection policies in place.
That’s exactly the type of thing that would be useful to know! When I asked about this over email, the answer I got was "we don't have any expertise in this area".
@jefftriplett 👋 I thought I’d check if there’s been movement on this, or if not, what you’d recommend I do to keep the ball rolling? I will be part of the Code of Conduct team for DjangoCon Europe 2024, I’d like to take this further. Perhaps you could suggest specific contacts at the PSF to follow up on the legal guidance for privacy laws?

Legislation for 2024 edition

DjangoCon Europe 2024 will be in Spain, but with most data processing done by Ad Evolutio (the company of the main organizers), which is registered in Portugal. So we will have to follow either Portuguese or Spanish data protection laws, or both. Which should more or less be direct transpositions of the European Union’s GDPR. For Spanish legislation, I found these two in particular:
2024 edition practical steps

There is one practical thing I’d like to see happen for the 2024 edition.

Disclosure of how personal data is used as part of Code of Conduct enforcement

This would be simple information for a "privacy policy" page, so it’s clear we have informed and specific consent from attendees and speakers. Here is the current draft content:

#### Attendees
For all attendees, we collect personal data when you voluntarily provide such information to the buy ticket services.
The personal data we may collect includes without limitation your name, email address and any other information that attendees choose to provide and/or that enables attendees to be personally identified. In some cases, we may collect your credit card information (e.g., your credit card number and expiration date, billing address, etc.), some of which may constitute personal data, to secure certain payments.
#### Speakers
If you are a proposal speaker we will need to collect additional personal data from you. And we will require other information different from your personal data (e.g., a title, a description, abstract, a profile photo, etc.) when you do the submission. This information is essential to select the titles and define the conference program.
The DjangoCon Europe 2024 will publicly share the slides from the presentations.

This would need updating. I can come up with some content on my own but it feels like something where I’d expect the DSF CoC committee to advise and ideally make specific recommendations.

Future events

I’d like us to be able to send our list of attendees (and speakers) to the DSF committee, but only if the DSF / CoC committee had a privacy policy including details of data processing, data retention, subject access requests. We will be opening ticket sales for the 2024 edition soon, so I don’t see this being possible for the 2024 edition.
@thibaudcolas I think we should ping the mailing list and get more eyes on it. I think we have ~3 of us in the workgroup and need some more bodies to help. We can also ask the board for assistance in sorting some of this out.
Sounds good to me! Do you want to initiate that or should I?
@thibaudcolas feel free. I think getting Michael's input and anyone else who is left would be 💯
I’ve ended up not finding any opportunities to take this further over the year, so I think for DjangoCon Europe 2025 we’ll be in a similar situation (though I’m not planning to be involved with the conference Code of Conduct team this year aside from knowledge handover). Ticket sales are on. The privacy policy wording they went for is:
The relevant legal framework in Ireland is the EU GDPR and the Irish 2018 Data Protection Act (see Data Protection Legislation overview).

Next steps

I think what I shared above still makes sense. The simplest improvement I think would be to write a list of data processors. So for example for DjangoCon Europe 2024 as far as Code of Conduct that would be something like:
(then for each of them write their location, use, the data processed there, link to their privacy documentation and list of sub-processors)
👋 I thought this might be more useful for me to raise this here rather than via email. On Conferences – Support for event organizers - Before the event:
We considered doing this as part of DjangoCon Europe 2023 but the DSF Code of conduct committee didn’t seem to us to be set up so this can be done lawfully according to the UK / EU GDPR. Based on my understanding of official UK GDPR guidance by the ICO, the committee (or the organisation the committee is part of) would be considered either a controller, processor, or both.
Specific issues (from my understanding) are:
After the event
This side of the committee’s data processing is much better documented and there already are privacy-protecting policies in place, however there are still a few sources of concern as a conference organizer:
Again I want to restate the above is all based on my personal understanding of the UK GDPR, and this isn’t my field of expertise. So do take this with a grain of salt!