Data Safety Consultation Template: Difference between revisions

From MozillaWiki

Revision as of 07:06, 16 February 2012

Data Safety Consultation

Questionnaire Template

Questions are mostly Y/N so that issues can be routed to the appropriate team members for consultation/guidance/resolution.

The questionnaire will be distributed and completed via Etherpad by teams that require a Data Safety Consultation until the web form / Bugzilla is up and running.

  • Section 1 below is the structure of the questionnaire that includes a quick administrative reference for actions to take based on the responses to the Yes/No questions.
  • Section 2 below is the template version to copy/paste into a new Etherpad for future teams that need to start the Data Safety Review process.

SECTION 1

About Your Project

  • Brief description of your project. (10-20 lines)
  • Please provide the links to your project documentation (both internal and external).
  • What is the current state of your project?
  • Please provide your key release / launch dates.
  • What are the core technical components and features?
  • Who are the stakeholders involved with your project (internal and external)?
  • Does your project deploy new or modify existing web application code that runs on Mozilla infrastructure?
    • YES -> File IS bug
    • NO -> Do nothing

Client Security

  • Does your project deploy or modify client-run software (such as Firefox or Android applications)?
    • YES -> File SecTeam bug
    • NO -> Do nothing

Privacy Engineering

  • Does your project change how we generate, store, share or collect information from users?
    • YES -> File privacy review bug
    • NO -> Do nothing

Policy and Legal

  • Do you have a privacy policy for your project / site?
    • YES --> Please provide the link.
    • NO -->
  • Will user data be collected from global locations (outside the U.S.) and stored in those locations?
    • YES --> Provide locations (i.e., country names) for data collection and data storage.
    • NO --> See next question.

  • Will all user data be stored in the U.S.?

Data Safety

  • Does your project collect data from users?
    • YES --> Someone from Data Safety will look at the bug, find out how many users' data is involved, and determine the priority level (L / M / H).
      1) File Data Safety bug. Continue with questions below.
      2) Please provide a list of data elements (e.g., email, name, location, log data, URLs, browser history, etc.).
    • NO --> Stop.
  • Why do you need to collect user data?

In particular, it's useful to list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is:

User Benefits: (sample!)

A - users find that applications that have their photos are more friendly/fun
B - users want to be able to access this project from computers where they just have web access
C - users want to be informed of updates from specific other users of the site
D - users want notices when important changes happen

Data collected

A - profile picture; user-submitted image (doesn't have to be their face); meets benefit A; optional
B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..]) - meets benefit C.
C - browserid-based authentication means we store email identifiers - meets benefit D, B.
...etc...
  • How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.)

(Consider that you may be collecting data unintentionally, such as through automatic logging by web servers.)

  • Will your project / team members need to retain user data?

    • YES --> If so, for how long?
    • NO --> Stop
  • Will any user data be shared or accessed by third party partners, customers or providers?
    • YES --> (If Yes, please respond to questions below.)
    • NO --> Stop
   --> What is the data being shared or accessed?
   
   --> How would the data be communicated / transferred to the third parties?
   
   --> Who are the third party vendors and in what countries are they based?

Community Visibility and Input

  • Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data?
    • YES --> If so, what communication channels are you using and what kind of input have you received thus far?
    • NO --> Stop

SECTION 2

Data Safety Review Questionnaire

Project:
Contact(s) (name(s) / email(s)):
Date request received:

- -

About Your Project

  • Brief description of your project (not too brief: we should be able to understand the goals of the project as well as the architecture and the data flows):
  • Links to your project documentation (both internal and external, wikis, etc.):

  • Current state of your project:
  • Key release / launch dates:
  • Core technical components and features:
  • Stakeholders involved with your project (internal and external):

- -

  • Does your project deploy new or modify web application code that runs on Mozilla infrastructure? (Yes / No)

- -

  • Does your project deploy or modify client-run software (such as Firefox or Android applications)? (Yes / No)

- -

  • Does your project change how we generate, store, share or collect information from users? (Yes / No)

- -

  • Do you have a privacy policy for your project / site? (Yes / No)
       If yes, provide link: 

- -

User Data

  • Does your project collect data from users? (Yes / No)
       If yes, what type of data would you need to collect? (e.g., email, name, location, log data, URLs, browser history, etc.)

(Consider that you may be collecting data unintentionally such as automatic logging by web servers)

  • Why do you need to collect user data?

In particular, it's useful to list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is:

User Benefits: (sample!)

A - users find that applications that have their photos are more friendly/fun
B - users want to be able to access this project from computers where they just have web access
C - users want to be informed of updates from specific other users of the site
D - users want notices when important changes happen

Data collected

A - profile picture; user-submitted image (doesn't have to be their face); meets benefit A; optional
B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..]) - meets benefit C.
C - browserid-based authentication means we store email identifiers - meets benefit D, B.
...etc...
  • How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.)
  • Will your project / team members need to retain user data? (Yes / No)
       If yes, for how long? 
  • Will user data be collected from global locations (outside the U.S.) and stored in those locations? (Yes / No)
       If yes, provide locations (i.e., country names) for data collection and data storage:
       
       
  • Will any user data be shared or accessed by third party partners, customers or providers? (Yes / No)
       If yes, please answer questions below:
   * What is the data being shared or accessed?
   
   * How would the data be communicated / transferred to the third parties?
   
   * Who are the third party vendors and in what countries are they based?