Data Safety Consultation Template: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
= Data Safety Consultation Questionnaire = | = Data Safety Consultation Questionnaire = | ||
So as to make the Data Safetey consultation as quick and efficient as possible, we ask that every project fill in an pre-consultation questionnaire. | |||
The goal of this questionnaire is to extract knowledge out of your teams' collective heads specifically around data-related issues such as privacy, security, legal complaints, user control, etc. | |||
You may need to create documentation to answer the questions, but most likely you already have existing documents that can be reused; also, hopefully answering these questions will help you with subsequent steps like writing privacy policies. | |||
Do not edit this page -- instead please email [[mailto:ahua@mozilla.com Alina Hua]] and she'll create an etherpad version of the questionnaire for your team to fill in. (We'll create a bugform to initiate this process and handle the first few question in the future). | |||
Here are the questions that you'll be asked to fill in the etherpad. | |||
== About Your Project == | == About Your Project == | ||
Project Name: | |||
Contact(s) (name(s) / email(s)): | |||
Date request received: | |||
Please Brief description of your project. (don't be too brief: we should be able to understand the goals of the project as well as the architecture and the data flows). | |||
Please provide the links to your project documentation (both internal and external). | |||
What is the current state of your project? | |||
Please provide your key release / launch dates. | |||
What are the core technical components and features? | |||
Who are the stakeholders involved with your project (internal and external)? | |||
== Infrastructure Security == | |||
Does your project deploy new or modify web application code that runs on mozilla infrastructure? If YES, please file an Infrastructure Security Review Bug: [[x | |||
== Client Security == | == Client Security == | ||
Does your project deploy or modify client-run software (such as Firefox or Android applications)? If YES, please file a Client Security Review bug [[x | |||
== Privacy Engineering == | == Privacy Engineering == | ||
Does your project change how we generate, store, share or collect information from users? If YES, please file a Privacy Review bug [[XXX]] | |||
== Policy and Legal == | == Policy and Legal == | ||
Do you have a privacy policy for your project / site? If YES, Please provide a link to it: ____ | |||
Will user data be collected from global locations (outside the U.S.) and stored in those locations? If yes, please provide the names of the countries where data is collected and stored. If you're collecting data only from the US, will all user data be stored in the US? | |||
== Data | == Data == | ||
=== Does your project collect data from users? === | |||
If YES, then someone from Data Safety will look at this bug, find out how many users' data to be involved, determine priority level (L / M / H). | |||
Please provide list of data elements (e.g., email, name, location, log data, URLs, browser history, etc.). | |||
Why do you need to collect user data? | |||
In particular, it's useful to list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is: | In particular, it's useful to list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is: | ||
User Benefits: (sample!) | User Benefits: (sample!) | ||
A - users find applications that have their photos are more friendly/fun | A - users find applications that have their photos are more friendly/fun | ||
B - users want to be able to access this project from computers where they just have web access | B - users want to be able to access this project from computers where they just have web access | ||
| Line 57: | Line 68: | ||
D - users want notices when important changes happen | D - users want notices when important changes happen | ||
Data collected | Data collected (sample!) | ||
A - profile picture; user submitted image (doesn't have to be their face); meets benefit A; optional | A - profile picture; user submitted image (doesn't have to be their face); meets benefit A; optional | ||
B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..] - meets benefit C. | B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..] - meets benefit C. | ||
C - browserid-based authentication means we store email identifiers - meets benefit D, B. | C - browserid-based authentication means we store email identifiers - meets benefit D, B. | ||
...etc... | ...etc... | ||
* How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.) | * How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.) | ||
(Consider that you may be collecting data unintentionally such as automatic logging by web servers) | (Consider that you may be collecting data unintentionally such as automatic logging by web servers) | ||
Will your project / team members need to retain user data? If YES, for how long? | |||
Will any user data be shared or accessed by third party partners, customers or providers? If YES, | |||
* What is the data being shared or accessed? | * What is the data being shared or accessed? | ||
* How would the data be communicated / transferred to the third parties? | * How would the data be communicated / transferred to the third parties? | ||
* Who are the third party vendors and in what countries are they based? | * Who are the third party vendors and in what countries are they based? | ||
== Community Visibility and Input == | |||
Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data? If YES, what communication channels are you using and what kind of input have you received thus far? | |||
Revision as of 22:15, 21 February 2012
Data Safety Consultation Questionnaire
So as to make the Data Safetey consultation as quick and efficient as possible, we ask that every project fill in an pre-consultation questionnaire.
The goal of this questionnaire is to extract knowledge out of your teams' collective heads specifically around data-related issues such as privacy, security, legal complaints, user control, etc.
You may need to create documentation to answer the questions, but most likely you already have existing documents that can be reused; also, hopefully answering these questions will help you with subsequent steps like writing privacy policies.
Do not edit this page -- instead please email [Alina Hua] and she'll create an etherpad version of the questionnaire for your team to fill in. (We'll create a bugform to initiate this process and handle the first few question in the future).
Here are the questions that you'll be asked to fill in the etherpad.
About Your Project
Project Name:
Contact(s) (name(s) / email(s)):
Date request received:
Please Brief description of your project. (don't be too brief: we should be able to understand the goals of the project as well as the architecture and the data flows).
Please provide the links to your project documentation (both internal and external).
What is the current state of your project?
Please provide your key release / launch dates.
What are the core technical components and features?
Who are the stakeholders involved with your project (internal and external)?
Infrastructure Security
Does your project deploy new or modify web application code that runs on mozilla infrastructure? If YES, please file an Infrastructure Security Review Bug: [[x
Client Security
Does your project deploy or modify client-run software (such as Firefox or Android applications)? If YES, please file a Client Security Review bug [[x
Privacy Engineering
Does your project change how we generate, store, share or collect information from users? If YES, please file a Privacy Review bug XXX
Policy and Legal
Do you have a privacy policy for your project / site? If YES, Please provide a link to it: ____
Will user data be collected from global locations (outside the U.S.) and stored in those locations? If yes, please provide the names of the countries where data is collected and stored. If you're collecting data only from the US, will all user data be stored in the US?
Data
Does your project collect data from users?
If YES, then someone from Data Safety will look at this bug, find out how many users' data to be involved, determine priority level (L / M / H).
Please provide list of data elements (e.g., email, name, location, log data, URLs, browser history, etc.).
Why do you need to collect user data?
In particular, it's useful to list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is:
User Benefits: (sample!)
A - users find applications that have their photos are more friendly/fun B - users want to be able to access this project from computers where they just have web access C - users want to be informed of updates from specific other users of the site D - users want notices when important changes happen
Data collected (sample!)
A - profile picture; user submitted image (doesn't have to be their face); meets benefit A; optional B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..] - meets benefit C. C - browserid-based authentication means we store email identifiers - meets benefit D, B. ...etc...
- How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.)
(Consider that you may be collecting data unintentionally such as automatic logging by web servers)
Will your project / team members need to retain user data? If YES, for how long?
Will any user data be shared or accessed by third party partners, customers or providers? If YES,
- What is the data being shared or accessed?
- How would the data be communicated / transferred to the third parties?
- Who are the third party vendors and in what countries are they based?
Community Visibility and Input
Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data? If YES, what communication channels are you using and what kind of input have you received thus far?