Review Data Protection & practices for different parts of the project

[aleesteele]

Summary

I have been working with Kit Good, the Data Protection Officer to understand what parts of TTW are subject to data protection and how that applies more broadly across the project. This issue is to keep track of key questions and processes related to GDPR and data protection in order to ensure that we are compliant.

Kit has kindly clarified the different roles that pertain to GDPR specifically within the project:

• personal data: what data is being process or stored by people?
• data subject: the people that the data concerns
• data controller: the Alan Turing Institute, who are deciding what data to collect and what to do with it
• data processor: different platforms (i.e. buttondown for the newsletter, github for storing book) who carry out our data processing (storage and sending of information) on our behalf

What needs to be done?

• Should we a statement to our wider github repository regarding how we process data, and/or linking to the Turing's privacy policy?
• How does this affect how we process every single platform that we engage with?
• How does this affect how we archive (or revisit existing archives) of notes and meetings?

This issue is a work in progress to keep track of notes and information after consultations with Kit.

---

Updates

[aleesteele]

5 April: Had a discussion with Kit about how to collate notes around GDPR and DPP's more broadly for the project – created a (closed) HackMD to log osome of these notes, which we will open more broadly once the wording and information is more clear!

[aleesteele]

16 April:

• Reviewing the Data Protection Assessment Process (DPAP) with @Arielle-Bennett
• Established forms & processes that we'll undergo at the Turing level
• Will think through process of data protection for an open source community (maybe a policy? other resources?)