Andreas, Dario, Joel, Latchezar, Maarten, David Kelsey, Julia
1). David answered the question of whether the privacy notice is compliant with GDPR.
For a more complete reference, the text of David's answer by mail is provided:
The development work of our overall Data Protection Policy and the related Privacy Notice has been done by a group of individuals who have studied the GDPR document in detail and on guidance from official bodies (e.g. the UK ICO guidance at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/). We have also been following carefully the work of REFEDS/GEANT on its new Code of Conduct version 2 (not yet approved) and provided lots of comments and suggestions to the developers of the document (many of these were accepted).
We have consulted recognised experts in the Research and Education area working on GDPR compliance for Identity Federations, individuals who are in fact fully qualified lawyers. We also had many discussions with the previous CERN Data Protection Officer, and he gave us lots of advice and we changed things and he in the end agreed to the WLCG MB making the decision – he thought what we were doing was the best in the circumstances.
While we wait for the approval of GEANT Code of Conduct version 2, the extent to which our operations are not fully compliant is very small (risks have been minimised) and WLCG MB has agreed to this approach.
So the conclusion is that the WLCG Privacy notice template is as compliant with GDPR as it could be in the current circumstances. People did agree that it can be used as a basis for the privacy notices of the WLCG services, customized only where there is something specific to a given service. Having some initial version in place, even if it is not final and perfect, is better than having nothing.
2). Privacy notice customization.
For some services the WLCG template can be used without changes. For those which do need customization, two scenarios are possible:
- The template is modified/complemented with service-specific info
- The notice consists of the service-specific part plus a reference to the template, which covers everything else
3). Then there was a long discussion regarding CERN RoPO vs WLCG privacy notice. The confusion comes from the fact that CERN RoPOs and the privacy notices which have to be published for WLCG experiment-specific services can have the same contents but different scopes and approval workflows. For some experiment services which are hosted by CERN, CERN RoPO drafts have already been created and are waiting for CERN approval. The same services have to publish a WLCG privacy notice, which has a VO scope and therefore has to be approved by the VO.
One of the questions is whether the WLCG privacy notice for services hosted by CERN can be published without waiting for RoPO approval. It has been agreed that we bring this question to the next MB.
4). Next steps
- Experiment representatives will look through the table, bring it up to date and start working on the privacy notice drafts. The table will be updated as the work progresses. There is a column in the twiki page table where it can be indicated whether a privacy notice has been drafted.
- The question regarding CERN RoPO approval will be brought to the next MB.
- Every experiment will create a repository for the privacy notices of its experiment-specific services, so that these repositories can be linked from the WLCG web page.
- The next meeting will take place after the MB. We will check where we are with the privacy notice drafts.