Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GDPR #9769

Closed
rodrigok opened this issue Feb 19, 2018 · 7 comments
Closed

GDPR #9769

rodrigok opened this issue Feb 19, 2018 · 7 comments
Assignees
Milestone

Comments

@rodrigok
Copy link
Member

@rodrigok rodrigok commented Feb 19, 2018

Data Subject Rights

Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic fromat. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Data Portability
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.


@rodrigok rodrigok added this to the 0.63.0 milestone Feb 19, 2018
@theorenck theorenck added this to Backlog in 0.63.0 Feb 19, 2018
@theorenck theorenck modified the milestones: 0.63.0, 0.64.0 Apr 9, 2018
@theorenck theorenck added this to Desireable in 0.64.0 via automation Apr 9, 2018
@theorenck theorenck moved this from Desireable to Backlog in 0.64.0 Apr 9, 2018
@Hudell Hudell moved this from Backlog to Review/QA in 0.64.0 Apr 10, 2018
@theorenck theorenck moved this from Review/QA to Ready to merge in 0.64.0 Apr 18, 2018
@theorenck theorenck moved this from Ready to merge to Review/QA in 0.64.0 Apr 18, 2018
@Wouter0100
Copy link

@Wouter0100 Wouter0100 commented Apr 20, 2018

Maybe also looking into data retention for messages, for example? This would help implement the GDPR, see , for example, here.

We should store data as little as possible. Messages is of course a complicated matter I think, but keeping it forewver isn't worth the risk. So for example the ability to set a global "message retention policy" would be useful, so we are able to automatically delete messages after a year.

@mootari
Copy link

@mootari mootari commented Apr 20, 2018

@Wouter0100 I disagree. One of the purposes of Rocket.Chat is to provide a searchable archive of past conversations. It can't fulfill that task when all messages are deleted indiscriminately after a fixed amount of time.

I could however see the usefulness of a per-channel setting so that channel owners can decide based on the purpose of the channel which retention time span might be useful.

@Wouter0100
Copy link

@Wouter0100 Wouter0100 commented Apr 20, 2018

@mootari I do agree and personally I would prefer to store it too - but as the same with e-mail, e-mails with customers should also be deleted after a period of time in some circumstances.

Per-channel with a server-wide default would in that case be an option, I suppose.

@rodrigok rodrigok moved this from Review/QA to In progress in 0.64.0 Apr 21, 2018
@Hudell Hudell moved this from In progress to Done in 0.64.0 Apr 23, 2018
@rasos
Copy link
Contributor

@rasos rasos commented Apr 27, 2018

We have discussed the retention policy with users in EU and they would prefer a deletion period setting on three levels:

  • global setting
  • per channel setting
  • per user setting

So a user could decided not to keep his/her messages as the provider or the channel admin set as default.

@rasos
Copy link
Contributor

@rasos rasos commented Apr 27, 2018

Another GDPR issue is showing minimum personal data in the room and directory search. It is configurable site-wide, which fields are taken for the search in admin/Accounts, but not, which fields are shown. Global search and directory search should be a permission configurable per role.

@engelgabriel engelgabriel added this to Desireable in June/2018 via automation May 10, 2018
@engelgabriel engelgabriel modified the milestones: 0.64.0, 0.66.0 May 10, 2018
@engelgabriel
Copy link
Member

@engelgabriel engelgabriel commented May 10, 2018

We need to separate the outstanding tasks into other issue:
#2355

@rodrigok
Copy link
Member Author

@rodrigok rodrigok commented May 14, 2018

Maybe also looking into data retention for messages, for example? This would help implement the GDPR, see , for example, here.

We should store data as little as possible. Messages is of course a complicated matter I think, but keeping it forever isn't worth the risk. So for example the ability to set a global "message retention policy" would be useful, so we are able to automatically delete messages after a year.

@Wouter0100, @mootari and @rasos The expiration police for messages will be implemented in the future since it's not required by GPDR (it's not an unnecessary information). You already have the option to delete your profile and remove your messages or delete each message manually.

Another GDPR issue is showing minimum personal data in the room and directory search. It is configurable site-wide, which fields are taken for the search in admin/Accounts, but not, which fields are shown. Global search and directory serach should be a permission configurable per role.

@rasos we will evaluate this idea and find some solutions that match the GPDR requirements and the minimum viable system usability.

Any further questions about GDPR should be sent to our email gdpr@rocket.chat

Thanks

@rodrigok rodrigok closed this May 14, 2018
June/2018 automation moved this from Desireable to Closed May 14, 2018
@RocketChat RocketChat locked as resolved and limited conversation to collaborators May 14, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
0.63.0
  
Backlog
0.64.0
  
Done
June/2018
  
Closed
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants
You can’t perform that action at this time.