Privacy Policy Changes for WordCamp.org

Welcome!

This is the home of the Make Community team for the WordPress open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL. project!

Here is where we have policy debates, project announcements, and assist community members in organizing events.

Everyone is welcome to comment on posts and participate in the discussions regardless of skill level or experience.

We’ll be making some changes to the WordCamp.org privacy policy this month. This post outlines the changes we’ll be making, including information on WordCamp.org data retention and erasure in what I hope is easy-to-understand language. Read on for details and if you have any feedback, questions, or suggestions, please comment on this post! 🙂

What data we collect and who can access it

The majority of what’s collected and stored on WordCamp.org is WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. attendee data, through our registration pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party called CampTix. Currently we require the following information: name, email address, agreement to follow the code of conductCode of Conduct “A code of conduct is a set of rules outlining the norms, rules, and responsibilities or proper practices of an individual party.” - Wikipedia, whether the attendee has a life-threatening allergy, and whether the attendee needs special accommodations to participate in the WordCamp.

Local WordCamp organizing teams can (and do) collect more information than that, when they set up registration. This data can vary widely, but the reason questions are added is to help our volunteers organize an event that’s better for attendees, and to assist the growth of the WordPress community and, by extension, the WordPress open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL. project.

All attendee-provided data can be viewed and changed by the attendee via the Access Token URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org that is emailed to confirm a successful ticket purchase.

Other than the attendee, the only people who can view attendee information are WordCamp volunteers with access to the WordCamp site’s dashboard. WordCamp volunteers are expected to access attendee data only to serve the interests of the WordCamp, not for the benefit of certain businesses or individuals. We’ll be adding a line to the speaker/sponsor/organizer/volunteer agreement to make this expectation more explicit.

Currently, WordCamp attendees are listed by default on the WordCamp attendee page, but can request to be removed by emailing the organizing team. We plan to make the Attendees page listing opt-in by the end of this month (with another one of those annoying required registration questions).

When WordCamp volunteers request reimbursement for (budgeted) out-of-pocket expenses they may have incurred while organizing WordCamp, we may also collect banking-related financial information from them so that we can reimburse them. A volunteer’s banking details and address are only visible to the WordCamp.org user who submitted the request and the financial administrators who process the request.

How long data is retained

We’d like to keep data for as little time as possible, while still maintaining accurate business records and not limiting our ability respond to reports related to attendee safety. We don’t have a time limit on code of conduct complaints right now. If we were to delete attendee data 12 months after the event, for example, that could make it harder for the community team to respond to a code of conduct report that might come in 5 15 months after the event. So my proposal is that we hold *all* attendee data for at least three years after the WordCamp is complete. Once non-essential WordCamp attendee data is over three years old, we’ll automatically delete the answers to all but the mandatory registration questions; some examples of to-be-automatically-deleted data here include t-shirt size, meal preference, etc. We plan to retain attendee names indefinitely (unless erasure is requested), as historical records of the participants in WordPress community events.

Banking/financial data collected as part of a reimbursement request is deleted from WordCamp.org 7 days after the request is marked paid. The reason for the 7-day retention period is to prevent organizers having to re-enter their banking details if a wire fails or if a payment was marked Paid in error.

We keep invoices and receipts related to WordCamp expenses for 7 years after the close of the calendar year’s audit, by instruction of our financial consultants (auditors & bookkeepers).

Records showing who organized, spoke at, sponsored, or volunteered at WordCamp is considered a matter of public record for the WordPress open source project, and important information to keep for historical/archival purposes. This data will be kept indefinitely, and will not be subject to erasure requests. We’ll add a line to the speaker/sponsor/organizer/volunteer agreement to make this expectation more explicit as well.

What data is subject to erasure requests

If a WordCamp attendee had no official role in the event (meaning: they were not an organizer, speaker, sponsor, or volunteer), then we will remove their data from public display after the 3 year retention period, if asked to do so. For business record-keeping purposes, the plan is to retain essential registration records indefinitely, with some data visible only to data administrators.

As mentioned above, data indicating who organized, spoke at, sponsored, or volunteered at WordCamp is considered a matter of public record for the WordPress open source project, and not subject to erasure requests. If a person whose user ID is linked to a WordCamp custom post typeCustom Post Type WordPress can hold and display many different types of content. A single item of such a content is generally called a post, although post is also a specific post type. Custom Post Types gives your site the ability to have templated posts, to simplify the concept. requests that their WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ account be deleted, their user account will be removed from all WordCamp sites, and the authorship of any posts/pages they published will change to a text version of their display name. The text fields in the WordCamp custom post types won’t change.

Code of conduct reports will not be subject to erasure, so that we can more effectively preserve attendee safety. Emails sent to and from wordcamp.org email addresses are not subject to erasure.

Next steps

In cooperation with the Meta team, we’re working on making all the relevant data on WordCamp.org exportable and, where relevant, erasable. Because WordCamp.org uses the same user tables and privacy policy as WordPress.org, we’ll also share a Subject Access Request form and deletion process. Our shared privacy policy will be updated by the end of this week.

I plan to publish a separate post this week, addressing communities using third-party tools like newsletter services to contact community members, so stay tuned for that. 🙂

Questions? Feedback? Concerns? Kittens? Leave a comment with any and all (except kittens), below!

#privacy

Hugo 3:45 pm on May 22, 2018

Hi, thank you for your work on this, it is a great start, it is clear a lot of work has been done on this since the tickets I put in last year around some of these issues. I have a couple of questions and wanted to raise a couple of things.

We keep invoices and receipts related to WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. expenses for 7 years after the close of the calendar year’s audit, by instruction of our financial consultants (auditors & bookkeepers).

Will volunteers who submit receipts be required to remove personal information from them? Or at least black out personal details like partial card numbers etc.

Will the invoices and receipts still be held in the media library where anyone with the correct URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org address can find them? I know it is hard to implement a system for these but do quite strongly believe that WC should invest in a third party system for dealing with receipts and invoices (but I also understand the financial implications of doing this).

I feel there are some issues still with Local WordCamp organising teams access rights. As a Lead organiser, myself I would like my team to be able to see the budget without giving them full admin rights to the back end, I know we work on the principle of ‘trust’ but I struggle with giving full access to everything on a WC site, including the ‘Banking/financial data collected as part of a reimbursement request’ even if it is only for seven days.

I would also recommend having an agreed contact for DPO issues and long term requests, I assume (but don’t know) that WordCamp stuff has logging information about who did what, this data is subject to a ‘Subject Matter Request’ so WC will need to be able to provide this as well.

Any material added by local WC volunteers would need to be reviewed and checked to make sure it is an appropriate information request. I am guessing this responsibility currently lies with the lead organiser (named lead).

Lastly, I would very much encourage that financial things really separate account details from identity, this could be done by tokenising everything personal.
- Ian Dunn 8:00 pm on May 22, 2018
  
  Hi Hugo, thanks for the feedback! I don’t have answers to all of your questions, but here are some notes on the technical aspects:
  
  Will the invoices and receipts still be held in the media library where anyone with the correct URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org address can find them?
  
  I’m planning to add a cryptographically-secure psuedorandom number to those filenames, making them essentially impossible to guess via brute-force. That’s the same technique that Core used in 4.9.6 to protect personal data exports.
  
  I struggle with giving full access to everything on a WC site, including the ‘Banking/financial data collected as part of a reimbursement request’ even if it is only for seven days.
  
  That was changed last year; the only people who can see those details now are the person who created the request, and the trusted financial admins.
- Andrea Middleton 10:28 pm on May 22, 2018
  
  Will volunteers who submit receipts be required to remove personal information from them? Or at least black out personal details like partial card numbers etc.
  
  Yes, in fact I’ve just updated our documentation to ask volunteers to black out full or partial credit card numbers from any receipts they submit as documentation for reimbursement.
  
  I feel there are some issues still with Local WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. organising teams access rights. As a Lead organiser, myself I would like my team to be able to see the budget without giving them full admin rights to the back end
  
  You’re totally right; there’s no reason to restrict *read access* of the budget to site admins. We’ll make a change to user roles to make it possible for any user role on the site to be able to view the budget tabs.
  
  I would also recommend having an agreed contact for DPO issues and long term requests
  
  We’re still determining who this person/these people will be, but once we settle, it’ll be public. 🙂
  
  Any material added by local WC volunteers would need to be reviewed and checked to make sure it is an appropriate information request.
  
  Lastly, I would very much encourage that financial things really separate account details from identity, this could be done by tokenising everything personal.
  
  I’m not sure I understand what you mean in these passages, sorry. 🙂
Ian Dunn 7:52 pm on May 22, 2018

I know you said not to, but I couldn’t help myself. You deserve it for all the hard work you’ve been doing behind the scenes on this 🙂
kcristiano 7:13 pm on May 24, 2018

Thanks @andreamiddleton I appreciate all the hard work. Do you know when the policy will be published?
- Andrea Middleton 7:24 pm on May 24, 2018
  
  The plan is to publish the updated policy somewhere between 22:00-0200 UTC today (I realize that “today” is a weird word to use when I’m giving a time spread that covers two days in UTC, but I can’t figure my way out of this predicament).