Data Collection: Difference between revisions

Clarifying our review process for sensitive data collection as per Sept 14 email discussion.
(→‎Step 1: Submit Request: Identify that glean_parser can help generate a data review request template for Glean data collections.)
Line 32:
Most assets involved in data review can be found [https://github.com/mozilla/data-review in this repository].  References to who fills out a form when are covered in the documentation below.


= Scope =
These guidelines are '''required''' for data collection in products with an active user base and established privacy policies under the Firefox organization, but may be applied to any Mozilla product as needed. Changes to policies themselves or the creation of a policy for a new product is out of scope of what is described here.


= Key Roles for Data Collection =
Line 74 / Line 77:
* Complex requests that pose broader policy and legal implications may be escalated to the Trust and Legal teams. (See Step 3)  
== Step 3: (Optional) Escalated Response ==
More complex requests, like those that call for a new data collection mechanism or require changes to the privacy notice, often require one or more of the following additional reviews:

* Privacy analysis: Feedback from the mozilla.dev.privacy mailing list and/or privacy experts within and outside of Mozilla to discuss the feature and its privacy impact.
* Policy compliance review: An assessment from the Mozilla data compliance team to determine if the request matches the Mozilla data compliance policies and documents.
* Legal review: An assessment from Mozilla’s legal team.

== Step 3: Sensitive Data Collection Review Process ==

=== Determine if you need to follow this process ===

For any data collection that is classified as category 3 or 4 (described below) – including in pre-release channels and experiments – we require additional review to be performed and an announcement to a mailing list. The reason for this is that while our privacy policies describe what we can do without additional user notice, this is an upper bound; even for collection which fits within the policy, we need to determine whether that collection is appropriate and conforms to our overall commitment to privacy and minimization.

=== Create documentation and request review===
 
As a first step, it is important that the details of the implementation, intended use, and value to users be clearly documented for future reference and efficient review. As soon as this is ready (we recommend as early as possible, before you move forward with the implementation), send an email to the [https://groups.google.com/a/mozilla.com/g/data-review data-review@mozilla.com] mailing list.
 
The initial documentation from engineering/data stewardship and privacy/technical review should be completed as a prerequisite ahead of legal and security.
 
{| class="wikitable"
|-
! Risk Assessment !! Owner !! Facilitator
|-
| Privacy/Technical Review || Office of the Firefox CTO || Kate Hudson
|-
| Legal/Trust Review || Legal || Nneka Soyinka
|-
| Security Review || Office of the CSO || Marc Perrault
|}
 
Facilitators (named above) are expected to exercise judgement about how much risk is involved and will involve the appropriate reviewers.
 
If the level of risk is determined to be low enough and/or there is clear precedent, further discussion may not be necessary and each reviewer may give a sign-off immediately; otherwise, mitigations should be incorporated and documentation updated once they have been addressed. Live discussion is often very helpful – and should be planned for – when there is significant risk involved.
 
Data collection may not be shipped to users until final sign-offs have been obtained.
 
=== Escalation ===
In the case of a dispute about sensitive data collection and/or which mitigations are appropriate, the proposer or any reviewer should work with one of the facilitators to escalate the decision to the VP/XLT member in charge of the product (e.g., Head of Firefox, Head of Pocket). Depending on the scope and nature of the risk, there may also be cases where escalation goes beyond the immediate product owner (i.e., to the CPO or CEO). When this happens, the facilitator and escalating party:

* Give each party a chance to document their recommended approach in writing.
* Share the document with all involved parties for asynchronous review/comment.
* Schedule a meeting for discussion if necessary.
* Record the final decision by the product owner.

Data stewards participate in these discussions and will document the outcome in the same bug used for the collection request.


= Data Collection Categories =