
cacert-policy - Current data processing practices

Subject: Policy-Discussion

  • From: Rasika Dayarathna <privacy AT cacert.org>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Current data processing practices
  • Date: Wed, 27 May 2009 12:24:17 +0530
  • Authentication-results: lists.cacert.org; dkim=neutral header.i= AT cacert.org; dkim-asp=none

Hi All,
As privacy officer for CAcert, I am documenting the current practice of personal data processing. I attempted to document the current practice, but I might have missed some important points. Therefore, I need your support to complete our data processing practices in a concise and clear manner. Please highlight any omission and feel free to make corrections.
*Note: the focus at this stage is on the current practice. We can focus on the best practices later.

1) The purposes of data collection are: to
i) issue digital certificates
ii) have info for arbitration to resolve disputes
iii) notify the status of certificates

2) The purposes of data processing are: to

i) issue digital certificates
ii) notify the status of certificate (reminders)
iii) generate some statistics for service improvements
iv) resolve disputes about violations of the rules in disputes by arbitrators
v) detect fraud (we can push it to the above one)
Note: I think we are putting too much onto arbitration.

3) CAcert's data subjects or categories of data subjects are
i) CAcert Community Members
ii) Assurers (a special category of community members)
iii) Do we collect some information about relying parties such as their IP addresses?

4) Data or categories of personal data collected

i) date of birth of a member (mandatory)
ii) email address(es) of a member (mandatory)
iii) full name of a member (mandatory)
iv) Assurer location data and contact information
v) From OCSP request, identification numbers of issued certificates, IP address and related information of relying parties.

I consider that these data are not personal data
i) type of identification document and issuing date (this may not be necessary)
ii) location (optional), assurance location (optional) and date of assurance.
iii) password recovery information (secret questions and answers to them)



5) Recipient or categories of recipients and Data or categories of data
i) Assurers - date of birth, full name, location, email address of members assured (assuree).
ii) relying parties (anyone) - status of the certificate (revoked, not revoked)

6) Origin of Data-
i) CAcert community members
ii) relying parties

7) Direct Access - only to authorized persons after obtaining approval from arbitrators

8) Retention period of data
CAP forms : seven years
data in the system: until the termination of membership + 7 years.
membership terminates: on request and after all certificates have expired (in other words, no valid certificate remains)
Information about assurers: decided by the individual assurer
Information obtained from relying parties: …

9) CAcert does not have any connection to other processing operations and CAcert does not collect special categories of personal data.

rasika


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



