On 10/11/2018 05:12 PM, Paul W. Frields wrote:
On Wed, Oct 10, 2018 at 10:41:07PM -0400, Dusty Mabe wrote:
> /me waves at legal experts
>
> In the Fedora CoreOS community we'd like to log our IRC channel so we
> can refer back to conversations we've had or link people to conversations
> if they weren't in the channel and start a discussion with them while
> allowing them to gain full context.
>
> We were using botbot.me, but they will be shutting down soon [1]. We
> are looking to explore other options for this and are looking for legal
> help to know what we can and can not do. A few comments/questions:
>
> - logging channels seems to possibly conflict with GPDR
> - if we were to keep logs for a shorter period of time, would it help?
> - if an individual kept logs and provided a service, would that be
> possible or would that possibly have implications for the individual's
> employer?
> - Are fedora irc meeting logs something that should have GPDR concern?
> - If not, why not? Could the same reason apply to a general channel?
>
> Do you have any advice on how we can achieve this goal?
>
> See [2] where we have been having this discussion in Fedora CoreOS community.
>
> Thanks for any help you can provide!
> Dusty
>
> [1]
https://lincolnloop.com/blog/saying-goodbye-botbotme/
> [2]
https://github.com/coreos/fedora-coreos-tracker/issues/11#issuecomment-42...
While IANAL, here is some guidance I can give based on recent
experience in looking at the GDPR:
The Fedora Project has a legitimate business interest in maintaining
records that sometimes have personally identifying information. This
is balanced against GDPR rights such as the so-called "right to be
forgotten," which itself is not unlimited. This is a basis on which
we maintain records like email archives and other communications the
community uses to research, analyze, understand, and act on background
or other information.
A limited lifespan for communications certainly means less risk of
upsetting that balance. So if you intend these communications to be
archived for only a window of a week or two, that's helpful.
It would be a good idea to inform all channel users about any
round-the-clock logging. I'd recommend text like "NOTE: This channel
is logged at all times for historical and decision purposes. Logs are
retained for <$TIME> and can be found here: <$URL>." I'd also
recommend having a bot that echoes a notice to the channel routinely,
at least every few hours (hourly would be even better). The point is
to make sure no one is under-informed.
I do not recommend an individual do the logging or retention, since I
don't know whether they'd have the same level of legitimacy in
retaining information as the Fedora Project does.
Given what I know about GDPR and our project, the above seems
reasonable. Periodic IRC meetings have different sets of
expectations.
Thanks Paul. I'll try to make sure all of your recommendations get put
into practice. I'll also reach out to fedora infra to see if we can set
up a botbot.me instance to solve this problem for us in the future.
Thanks!
Dusty