Subject: Policy-Discussion
- From: Guillaume ROMAGNY <guillaume AT tiebogos.fr>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: Current data processing practices
- Date: Thu, 28 May 2009 09:46:43 +0200
- Openpgp: id=EB42B796
- Organization: Springfield Nuclear Power Plant HeadQuarters
Hello Uli,
Most of the non-critical systems can be moved out of the
Netherlands. Of course, it is a burden we will avoid. But here, we are
talking about *personal* data. You can create an account named NoName on
the wiki.
Kind regards,
Guillaume
ulrich AT cacert.org wrote:
> what's about other sources?
> blog, wiki, svn, cats, bugs, community (archive) .... ?!?
>
> svn saves metadata to each object in the store, also the login name
>
> on the wiki history i can follow the revisions who has added, modified,
> deleted something ...
>
> and so on ...
>
> what's about the content of the websites? blog, wiki, main site ?
>
> regards, uli ;-)
>
> -----Original Message-----
> From: Guillaume ROMAGNY [mailto:guillaume AT tiebogos.fr]
> Sent: Wednesday, May 27, 2009 12:55 PM
> To: cacert-policy AT lists.cacert.org
> Cc: CAcert System Administrators
> Subject: Re: Current data processing practices
>
>
> Hello,
>
> Rasika Dayarathna wrote:
>> Hi All,
>> As privacy officer for CAcert, I am documenting the current practice
>> of personal data processing. I attempted to document the current
>> practice, but I might have missed some important points. Therefore, I
>> need your support to complete our data processing practices in a
>> concise and clear manner. Please highlight any omission and feel free
>> to make corrections.
>> *Note: the focus at this stage is on the current practice. We can focus
>> on the best practices later.
>>
>> 1) The purposes of data collection are: to
>> i) issue digital certificates
>> ii) have info for arbitration to resolve disputes
>> iii) notify the status of certificates
>>
>> 2) The purposes of data processing are: to
>>
>> i) issue digital certificates
>> ii) notify the status of certificate (reminders)
>> iii) generate some statistics for service improvements
>> iv) resolve disputes about violations of the rules in disputes by
>> arbitrators
>> v) detect frauds ( we can push it to the above one),
>> Note: I think we are putting too much onto arbitration.
>>
>
> detecting fraud can be a support/security team task, before starting an
> arbitration case. better to keep the purpose separate.
>
>> 3) CAcert's data subject or categories of data subjects are
>> i) CAcert Community Members
>> ii) Assurers ( a special category of community members)
>> ii) Do we collect some information about relying parties such as their
>> IP addresses?
>
> As Daniel mentioned, we have some logs, only sysadmin people can tell (CC)
>
>> 4) Data or categories of personal data collected
>>
>> i) date of birth of a member (mandatory)
>> ii) email address(es) of a member (mandatory)
>> iii) full name of a member (mandatory)
>> iii) Assurer location data and contact information
>> iv) From OCSP request, identification numbers of issued certificates,
>> IP address and related information of relying parties.
>>
>> I consider these data are not personal data
>> i) type of identification document and issuing date (this may not be
>> necessary)
>> ii) location (optional), assurance location (optional) and date of
>> assurance.
>> iii) password recovery information (secret questions and answers to
>> them)
>>
>>
>>
>> 5) Recipient or categories of recipients and Data or categories of
>> data
>> i) Assurers - date of birth , full name, location, email address of
>> members assured (assuree).
>> ii) relying parties (anyone )- status of the certificate (revoked, not
>> revoked)
>>
>> 6) Origin of Data-
>> i) CAcert community members
>> ii) relying parties
>>
>> 7) Direct Access - only to authorized persons after obtaining approval
>> from arbitrators
>>
>> 8) Retention period of data
>> CAP forms : seven years
>> data in the system : Until the termination of membership + 7 years .
>> membership terminates : on request and after expiring all certificate
>> (other words, no any valid certificate)
>> Information about assurers: decide by individual assurer
>> Information obtained from relying parties: …
>>
>> 9) CAcert does not have any connection to other processing operations
>> and CAcert does not collect special category of personal data.
>>
>> rasika
>>
>>
>
> ok good :)
>
--
Best regards,
Guillaume
Tiebogos (by L'Oreal), parce que je le 'veau' bien.
Vision without action is a daydream.
Action without vision is a nightmare. -- Japanese Proverb