[GNC-dev] GDPR and gnucash as a project

David T. sunfish62 at yahoo.com
Tue May 22 10:36:47 EDT 2018


Geert,

I am not fluent with the issues of the GDPR, but I have had a lifetime of considering intellectual property issues (as a librarian). Personal contributions of ideas, thoughts, or intellectual content are IMHO NOT personal data, even when signed by an individual’s name*. Those would fall under intellectual property/copyright rules rather than personal data. It is my understanding also that use of GPL addresses the question of IP rights in code and documentation; if a user contributes to the GC project in these areas, they do so with this release understood. It is also my understanding that unless someone explicitly states otherwise, their posting of information in a public place (such as a website, wiki, mailing list, etc.) would constitute permission to release that information generally.

David T.

* - I would be extremely surprised to find that a user’s name, in and of itself, would constitute protected personal information. 

> On May 22, 2018, at 6:02 PM, Geert Janssens <geert.gnucash at kobaltwit.be> wrote:
> 
> Yesterday John raised some concerns about GDPR compliance of the gnucash 
> project itself.
> 
> This is a different question from the one Mike Evans asked in April this year 
> about GDPR compliance by people *using* gnucash.
> 
> This requires some thought as the GDPR has many aspects.
> 
> The essence of the GDPR (global data protection regulation) is to regulate the 
> processing of EU citizens' personal data.
> 
> The first question this raises is which personal data does the gnucash project 
> process? So far I have come up with:
> - e-mail addresses on the gnucash mailing lists
> - user accounts in bugzilla
> - user accounts in our wiki
> - user accounts on Uservoice
> The above are pretty clear. There are others that are less clear to me whether 
> they constitute personal data or not:
> - the actual messages people send to mailing lists and which are stored in a 
> public archive
> - the actual comments on bugs
> - the actual page edits in wiki
> And also what about things like our irc channel? Does that fall under 
> processing personal data? We don't really run the irc channel, we only use 
> it. But on the other hand we do publish irc logs. Does GDPR apply to those? I 
> can't tell really.
> And the same question could be asked about our code itself in a way. Does a 
> code contribution represent personal data? Each commit logs an e-mail address 
> of a committer which can't easily be removed.
> 
> Once we have established what constitutes personal data we need to formulate a 
> "privacy policy" in which we explain how we process this data and whether 
> third parties are involved (think github, uservoice, travis-ci, our social 
> media presence,...).
> 
> An open source project is a bit in an odd situation because we do almost 
> everything in public so there's very little being kept private. We publish 
> archives of our mailing list conversations, irc logs, commits and so on. We 
> have to inform our users of this in a clear manner. The good thing is we only 
> do keep the absolute minimum amount of information to function: a username 
> (which can be an e-mail address) and a password is usually sufficient. Unless 
> the message content also falls under personal data.
> 
> We also require explicit consent to use the personal data. We're reasonably 
> good in this respect as for all services we offer we require the user to opt-
> in. We will never use for example mail addresses gathered from bugzilla user 
> accounts to automatically enroll the same people in a mailing list. We 
> probably should more clearly indicate what people subscribe to in each case 
> while they are registering. So when registering for a mailing list, it should 
> be pretty clear that anything the person contributes will end up on a public 
> web page. The same goes for all other services we offer and make use of.
> 
> Next a person should be allowed to make corrections to the personal data we 
> were provided with and "the right to be forgotten". For user accounts in the 
> various services we offer this is not really a problem. Most of these do allow 
> the user to change passwords, user names or e-mail addresses. However if the 
> message content is also part of private data it becomes much harder. In that 
> case the question becomes whether a user can request a mail message to be 
> removed from our mailing list archive. I have no answer to this.
> 
> Next there is the requirement to protect children. I don't know for sure if 
> this applies to us. If it does our registration processes should ask a minimum 
> age and require consent of a parent or equivalent in order to continue with 
> the registration. This is mostly mentioned in the context of social networks. 
> But as we publish all communication in public it may apply to us as well.
> 
> And finally in case of data breaches we should inform the affected people of 
> this. Again one I don't know exactly how to deal with.
> 
> This mail is meant as a kick-off to start thinking about this. Any feedback is 
> very welcome.
> 
> Regards,
> 
> Geert
> 
> 
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
