Add tools for GDPR compliance 🇪🇺

[pferreir]

# Ticket imported from Trac

There is a new CERN Data Protection Policy being drafted. This will imply that all CERN-stored data will have to respect a series of constraints, depending on its classification. Indico already does something like that, as content can be set as "public" or "restricted". However, other levels may be required.

Since we will have to eventually conform to this policy at CERN, it would be nice to find a simple and configurable scheme that allows administrators to cope with local security rules without necessarily enforcing any particular behavior.

[pferreir]

It would be also interesting to have an access level called "authenticated users" that would require authentication with any Indico account (stops bots, etc).

[TimSmithCH]

GDPR will arrive in May 2018, and CERN's version (OC11) about the same time, so we should chart out minimum required actions:

• Add a privacy statement hook in the footer of all pages, next to T&C
• Add a default privacy statement which should include "details on how the data will be processed, who it may be passed to and how long it will be kept for. It also informs the individual of how to exercise their rights as a data subject"
• Add a "conspicuous link" next to the "apply" button on all registration forms, pointing to the data privacy statement, and saying that by proceeding they acknowledge and accept
• Ensure personal registration data (e.g DoB, ID card numbers, etc) are can be deleted automatically after (configuration parameter) specified number of weeks after the conference
• more?

[pferreir]

@TimSmithCH Someone mentioned cookies recently. Do we have to add one of those "annoying" "this site uses cookies" warnings?

[bpedersen2]

Related discussion on is here as well: Disable/Hide Log option in event administration

[bpedersen2]

A way to mark a field as 'needs data protection cleaning' in the regform setup would definitly be nice.

[pferreir]

Another possibly related discussion: https://talk.getindico.io/t/user-search-during-abstract-submission/323 . We shouldn't probably leak e-mail information to other users. However, if we get rid of the e-mail it will be impossible to distinguish duplicate accounts in some cases.

@bpedersen2, @TimSmithCH, regarding webforms, I believe there are two aspects:

• Giving event managers the tools to mark certain fields as "self-destructing";
• Making it clear to event managers (and users as well) that Indico only needs minimal data about the user to operate (i.e. name and e-mail) and that all additional data will be handled by the organizers and it's thus their responsibility to ensure Indico is properly configured to erase it and not improperly leak it;

I wonder whether the "self-destructing" feature is a must at least in a first phase. It would be ideal to add that during the long-awaited rewrite of the registration form's UI.