Re: Conformance - privacy subcommittee meeting

Jim Hutchison

Considering Privacy, many principalities (EU, Brazil, USA, etc.) have described Privacy to involve PII (Personally Identifiable Information). OpenChain may be collecting PII, for some interpretation. While the definitions appear to often backstop on human judgement, identifying someone by associating them with a registry could be, in such human judgement, personally identifying.
If we only retained the survey conclusion, after our validation process (not automated), the data of the conclusion would be a company. We could even keep statistics, such as how long it takes people to complete the form, how many (in)complete, etc. The company contact for the Open Source Liaison might be the entity to whom we communicate “success”, and allow them to delete their company's survey information, or redact answers expected to contain names.
Jim Hutchison
-----Original Appointment-----
From: Williams, Kelly [mailto:kellyw@...]
Sent: Friday, November 11, 2016 4:25 PM
To: Williams, Kelly; openchain@...
Subject: [OpenChain] Conformance - privacy subcommittee meeting
When: Wednesday, November 16, 2016 12:00 PM-1:00 PM (UTC-08:00) Pacific Time (US & Canada).
Join the call: (Note – audio only works with Chrome)
Optional dial in number: 855-889-3011
No PIN needed
If you need to use a local phone number, please consult: for the specific country numbers.
1. Dial the local number based on your location.
2. Enter 855 889 3011, then #.
- Privacy policy – What is required for a privacy policy since we are collecting and storing information provided by businesses?
- Terms of service – Do we need any terms of service or policy for submitters to follow?
- Do we need any kind of “click-through” or notice when signing up or when submitting an application (e.g. when submitting, user agrees that it is correct to their knowledge and artifacts can be provided under ?circumstances?)?
- Should everyone be able to view an accepted certification (see - the site also needs text explanation).
- What process do we want to put in place to review and confirm submittals?
  - Should we have a distribution list that is notified on new submittals?
  - Do we have one person or a rotating responsibility to review and respond to submittals?
  - Who are the “admins” of the website?
  - What expectations should we have on response time?
  - How automated should it be?
- Do we need to implement a confirmation that artifacts can be provided or will that be part of the manual confirmation process?
- How do we handle editing answers after a questionnaire has been submitted? Do we disallow editing after submittal?
- Do we need a “printing function”? (note: there is a download to CSV currently)
