Visibility and retention of CEPC violation assessments

[nigelmegitt]

When an Ombudsperson or group of Ombudspeople make an assessment about a reported violation incident, we should state that:

• the reported participants in the incident will be informed of the assessment.

But what else should happen to that assessment? Should W3C keep it? Who should be able to see it? How long should it be kept for?

[nigelmegitt]

This issue was raised as a follow-on to the comment that I made to the proposed new wording in #33:

If such behaviour occurs W3C will act to minimise the harm caused to participants and the likelihood of the behaviour being repeated.

My comment was:

---

This seems great, but realistically what can W3C do to minimise the harm caused to participants given that in this situation it has already been caused?

I think what W3C will actually do is:

• provide impartial Ombudspeople who will:
  • assess whether or not the reported incident is a violation of the CEPC;
  • inform all the reported participants in the incident of the result of this assessment;
• keep a confidential record of the assessment, available to [WHO SHOULD HAVE ACCESS?] for [HOW LONG SHOULD WE KEEP IT FOR?];
• potentially take further action in relation to any individuals who have violated the CEPC.

Perhaps we could write this down? Is this list correct and complete?

---

Originally posted by @nigelmegitt in https://github.com/_render_node/MDIzOlB1bGxSZXF1ZXN0UmV2aWV3VGhyZWFkMTY0NjIzMjk2OnYy/pull_request_review_threads/discussion

[TzviyaSiegman]

Thanks @nigelmegitt. I think this will be addressed as we (primarily @jorydotcom) fleshes out the work on an ombuds program. IMO, the process for these can be somewhat vague because some of this will be at the judgment of the ombuds and determined on a case by case basis.

[nigelmegitt]

@TzviyaSiegman agreed the details of the process can be somewhat vague; we should write down the minimal expectations, for example about what communication is required, who should have access to records, and for how long, and if that is a matter for the ombud to decide on a case by case basis.

[AdaRoseCannon]

Regarding the reported participants in the incident will be informed of the assessment. is the person who raised it and the person is was on behalf of kept anonymous?

[nigelmegitt]

@AdaRoseCannon good point, they should be I think, but I'm not aware of us having discussed it. Options include:

• Always anonymous
• Anonymous only on request
• Anonymous under judgement of the Ombudsperson
• Never anonymous

[AdaRoseCannon]

I think for the reporter and the person being reported on behalf of (sometimes the same person) being anonymous is important because it could invite later harassment from the reported person, even in the case where the ombuds person found no CEPC violating issue in the original situation, the reported person may hold a grudge for being reported at all against both or either reporter and the person it was on behalf of.

[nigelmegitt]

So "always anonymous" unless the individual deliberately goes public, and even then, if they do that they are not permitted to de-anonymise anyone else?

[AdaRoseCannon]

Yes, would be my go-to, or at least an option to be anonymous which defaults to 'keep me anonymous from the person being reported'.

[jeffjaffe]

I'm a bit concerned about reaching a particular decision about retaining records. Each assessment is different and I worry that the keeping of records could actually discourage some people from using the process.

[brewerj]

I do not believe that this topic belongs in the CEPC. It may belong in the Procedures, but only once we have a more solid foundation with regard to handling confidentiality, to begin with; and because each case is different.

[TzviyaSiegman]

We removed this line from the CEPC. It will be an issue for ombuds to assess.

[nigelmegitt]

I'm a bit concerned about reaching a particular decision about retaining records. Each assessment is different and I worry that the keeping of records could actually discourage some people from using the process.

@jeffjaffe then we should say that the CEPC does not state any policy about keeping records and that they will be dealt with elsewhere.

I have the converse concern, that a lack of clarity about record keeping will discourage people from using the process.

I'm reopening this issue because the original issue as I raised at the top has not been addressed at all; rather it has been sidetracked by a side issue.

[TzviyaSiegman]

@nigelmegitt the Process is a separate document. We are not addressing this in the CEPC. I have never seen a CoC address record keeping. Can you point to one that has?

[nigelmegitt]

@TzviyaSiegman We don't seem to have labels on our issues to indicate which document they refer to. The procedures are in the PWE home page (Editor's Draft, source), which is in the same repo and is clearly being managed by the PWETF. I'm happy for this issue to be considered to apply to that document rather than the CEPC itself.

Update: I saw that there is a CEPC label, but not a PWE-homepage label, so I added the latter and assigned it to this issue.

[mnot]

Note that the Board is working on a records retention policy; see https://github.com/w3c/board/issues/13. Note that's separate from records visibility; at first blush, I'd be very reluctant to make such documents public or member-visible. Retention is more for legal purposes.

[TzviyaSiegman]

Thank you. This will need to be part of ombuds training as well. There are concerns about both confidentiality and avoiding repeat offenders.