Implement Best Practices in Privacy Management, Copyright, and Trademarks #36

Open
7 of 10 tasks
kariljordan opened this issue May 8, 2020 · 15 comments
Labels
business This goal is led by the Business Team Goal 5 Strengthen organisational structure and capacity to be strategic and responsive. infrastructure This goal is led by the Infrastructure Team

Comments

@kariljordan
Member

kariljordan commented May 8, 2020

Goal 5 in the Carpentries strategic plan is to Strengthen organisational structure and capacity to be strategic and responsive. Under this goal is the following objective:

  • Be aware of and implement best practices in privacy management, copyright, and trademarks.

Under Privacy Management, our goals are to ensure that:

  • we are fully compliant with privacy laws (GDPR, CCPA)
  • we clarify how data is processed in relation with our member organizations and partners
  • we communicate clearly and transparently with our community of our practices
  • we set up high standard security practices to protect our infrastructure and our data
  • we have appropriate training for all Core Team members to understand how to work with personal data and to use good security practices to keep their systems safe.
  • explore and address personal data use through risk assessment

Under Copyright and Trademarks, our goals are to:

  • Determine the jurisdictions for current and new trademarks
  • Identify legal counsel to support our trademark work
  • Submit paperwork for all identified trademarks in their respective jurisdictions
  • Submit paperwork to transfer our current trademarks to CI
@kariljordan kariljordan added Q3 2021 (July - Sept) Activities that will take place in the third quarter of the year Goal 5 Strengthen organisational structure and capacity to be strategic and responsive. infrastructure This goal is led by the Infrastructure Team labels May 8, 2020
@orchid00
Contributor

hi @fmichonneau what needs to take place in order to achieve those goals?

@fmichonneau

This is ongoing work. We are working with an attorney to review our privacy policy and I'm working on updating our security practices.

@fmichonneau

This year we:

  • drafted new versions of our privacy policy
  • drafted terms & conditions, cookies policy
  • drafted internal privacy policies and security policy
  • completed an inventory of our data flows and practices
  • piloted the use of Data Protection Impact Assessments for some of our teams

Current on-going work includes:

  • account inventory (who has access to what?)
  • redefinition of permission levels in AMY

We are also working on developing the communication strategy around the public release of the various policies. Some of these policies will be released in 2021 Q2.

@kariljordan kariljordan removed the Q3 2021 (July - Sept) Activities that will take place in the third quarter of the year label Apr 9, 2021
@kariljordan kariljordan changed the title Implement Best Practices in Privacy Management Implement Best Practices in Privacy Management, copyright, and trademarks Apr 9, 2021
@kariljordan kariljordan changed the title Implement Best Practices in Privacy Management, copyright, and trademarks Implement Best Practices in Privacy Management, Copyright, and Trademarks Apr 9, 2021
@kariljordan kariljordan self-assigned this Apr 9, 2021
@kariljordan kariljordan added the business This goal is led by the Business Team label Apr 9, 2021
@carpentries carpentries deleted a comment from fmichonneau Apr 9, 2021
@kariljordan
Member Author

We are in the process of transferring all of our current registrations and registering The Carpentries name and logo. Our trademarking priorities are:

  • Current Registrations:
  • New Registrations
    • Name: USA
    • Logo: USA

@fmichonneau

We are continuing to put into place the systems and processes that will ensure our compliance with Privacy Laws.
We have completed the account inventory and developed a system to audit ownership of the files hosted in The Carpentries's Google Drive.

We are working to add features to AMY that will allow us to archive the profile of users who are inactive with us and remind users to update their personal information. We are also developing an interface to make it easier to audit when users provide their consent and revoke it.

We are also developing internal documentation for DPIA (Data Protection Impact Assessment).

@kariljordan kariljordan added Q1 2022 (Jan - March) Activities that will take place in the first quarter of the year Q2 2021 (April - June) Activities that will take place in the second quarter of the year Q3 2021 (July - Sept) Activities that will take place in the third quarter of the year Q4 2021 (Oct - Dec) Activities that will take place in the fourth quarter of the year labels Jun 24, 2021
@kariljordan
Member Author

In the second quarter of the year we made progress on transferring and registering trademarks for the organisation. Here is a breakdown of that information:

  • Our Data Carpentry transfer to CI (US) has been recorded
  • Our Software Carpentry transfer to CI (Canada) has been recorded
  • We submitted paperwork to transfer the Software Carpentry trademark to the WIPO
  • Our Software Carpentry trademark to CI (US) has been recorded
  • Our Software Carpentry trademark (AU) is being processed
  • We submitted an application to transfer The Carpentries (name) and logo (US)

@fmichonneau

Several new features have been integrated into AMY (lesson archival, revamp of the consent system) or will be soon (reminder to update personal information, automated archival of inactive instructors) to improve our compliance with privacy laws.

Work on drafting our policies to improve our GDPR compliance continues. We are aiming to release our T&C and privacy policies by the end of Q3.

@kariljordan kariljordan removed their assignment Oct 5, 2021
@fmichonneau

Most of the work needed in AMY for us to be compliant with privacy laws has now been implemented.
Our DPIA (Data Protection Impact Assessment) template and overall strategy have been drafted.
We are finally ready to publicly release our updated Privacy Policy and Terms & Conditions in the next few weeks.

@fmichonneau

The final blocking feature to release the new privacy policy will be merged in AMY before the end of the year. We should then be able to publish our new privacy policy in January 2022.

@fmichonneau

The new privacy policy has been released on January 15th, 2022.

@kariljordan
Member Author

Thank you @fmichonneau! Can you check off all of the tasks that are complete in the opening comment of this issue?

@kariljordan kariljordan assigned ErinBecker and unassigned fmichonneau Jul 9, 2022
@kariljordan kariljordan removed Q1 2022 (Jan - March) Activities that will take place in the first quarter of the year Q2 2021 (April - June) Activities that will take place in the second quarter of the year Q3 2021 (July - Sept) Activities that will take place in the third quarter of the year Q4 2021 (Oct - Dec) Activities that will take place in the fourth quarter of the year labels Jul 9, 2022
@ErinBecker ErinBecker assigned froggleston and unassigned ErinBecker Dec 19, 2022
@ErinBecker

Adding @froggleston to this issue. Will discuss in his onboarding.

@froggleston

In general, we have:

  • updated our privacy policy to include a lot more detail about what data we keep depending on organisational/volunteer role
  • updated the internal Online Accounts security and safety documents
  • undergone a review of GitHub repositories and their activity status with a view to backups
  • drafted plans for backing up key information resources, e.g. GitHub repositories
  • undergone initial setup of a test VPN to secure critical data collection services

We are:

  • Nearing completion of the updated consent system in AMY
  • Undertaking the first steps of the work to improve the user permissions and profile archival systems in AMY
  • Updating internal Data Processing and Privacy documentation to train Core Team staff on best practice when accessing and using data from our systems
  • Creating the AWS infrastructure and scripts to facilitate regular backups of GitHub repositories
  • Creating the AWS infrastructure to bring Matomo in house to achieve more predictable pricing and privacy processes as our curriculum and web presence expands

@froggleston

We have:

  • Completed the new consent mechanism in AMY
  • Created a new IT Regulations Policy and cleaned up the draft of our Internal Security Policy
  • Developed an automated system for the backing up of all Carpentries GitHub repositories
  • Continued to test a VPN solution and are using it to secure our first service, i.e. our production build-server where many maintenance scripts are run

We are:

  • Postponing the profile archival work but maintaining the deadline for User Permissions in AMY
  • Updating internal Data Processing and Privacy documentation to train Core Team staff on best practice when accessing and using data from our systems
  • Continuing to explore the costs and benefits balance of running Matomo in house
  • Considering how to expand the use of the VPN to our private dashboard service

@froggleston

We have:

  • Completed the first stage roll-out of the Carpentries VPN to the Core Team.
  • Deployed an in-house Matomo instance and this is being tested by the CurrT to track additional lessons, with a view to moving our cloud instance data over.

We are:

  • Postponing the User Permissions and archival work as other higher priority tasks and AMY features are required
