Policies/en/Access-to-Nonpublic-Personal-Data/Exceptions
This is a draft version. Source: adapted notably from the Wikimedia Foundation Governance Wiki, https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Foundation_Access_to_Nonpublic_Personal_Data_Policy/Exceptions (CC BY-SA 4.0), with changes. Status: proposal, to be adopted. See the detailed disclaimer.
In simple words: the Access to Nonpublic Personal Data policy says who may see private user data, and under which conditions. In a few precise situations, other trusted people would need a limited access outside of that policy (for example checking whether an account has two-factor authentication enabled). This page proposes the list of those exceptions, each one reviewed by the Legal department.
Exceptions to the Access to Nonpublic Personal Data policy
The Access to Nonpublic Personal Data policy sets minimum requirements for who would be allowed to gain access to nonpublic information, as well as when that nonpublic information may be used and disclosed. The Ynternet.org Foundation may, at its sole discretion, provide Nonpublic Personal Data to groups of community members who are not covered by that policy, and to covered community members under terms outside of that policy ("exceptions"). Such exceptions must be reviewed by the Legal department of the Ynternet.org Foundation. The proposed exceptions:
- Bureaucrats: bureaucrats would be permitted to access account two-factor authentication (2FA) status, to verify whether other users have enabled 2FA prior to being added to groups that require 2FA. Bureaucrats are not covered under the Access to Nonpublic Personal Data policy, but would nonetheless be expected to use and disclose account 2FA status only when necessary.
- Temporary account IP addresses: access to temporary account IP addresses would be provided to users under separate terms (under construction). Additionally, users who are covered by the Access to Nonpublic Personal Data policy and have access to temporary account IP addresses would also be permitted to disclose temporary account IP addresses when it is reasonably believed to be necessary, as provided by the separate policy.
- Arbitration Committees: the access of an Arbitration Committee (ArbCom) to Nonpublic Personal Data would be covered by the Access to Nonpublic Personal Data policy terms. However, a Committee would additionally be permitted to disclose Nonpublic Personal Data publicly as part of decisions, when the Committee has determined that (1) a sanction is necessary and (2) disclosure of Nonpublic Personal Data in its decision is reasonably believed to be necessary for community safety or transparency purposes. Individual ArbCom members must still refrain from such disclosures when not speaking on behalf of the Committee, unless the disclosure was previously made by the Committee under the above authorized conditions.
- Stewards: steward access to Nonpublic Personal Data would be covered by the Access to Nonpublic Personal Data policy terms, except when disclosure is reasonably believed to be necessary by the stewards' collective decision process. As permitted by a stewards' collective decision, users within the steward group may disclose Nonpublic Personal Data to other users who do not have the same access rights or to the public. Such disclosures must conform with the stewards policy and the relevant section of the Privacy policy, as well as any specific scope created within the stewards' collective decision process.
- U4C non-voting members: non-voting members of the Universal Code of Conduct Coordinating Committee (U4C) would be permitted to access Nonpublic Personal Data involved in cases before the U4C, to enable their participation in case investigations and deliberations. U4C voting members would be permitted to disclose such Nonpublic Personal Data to U4C non-voting members. See the UCoC Enforcement Guidelines.
If you have identified a possible exception or an apparent exception that is not listed above, please email info@wikideal.net.