Fork me on GitHub
#off-topic
<
2018-07-03
>
helios07:07:36

small question about gdpr: for things that are IDs in my system, when exporting the data, can I keep stuff expressed as an ID or do i have to translate what the id means? Practical example: a user chooses in his profile that they are a "unicorn" but that value is represented in my system as 123. When exporting their data do i have to show Unicorn or can I keep 123 (and the mapping 123 -> Unicorn is only in my system)?

seancorfield17:07:26

IANAL (I Am Not A Lawyer) but the GDPR is focused on "personal data" -- stuff that can "directly or indirectly identify" a person -- so it's not clear yet how expansive that is in terms of what data you'd need to provide in response to a request for access to a user's data. https://gdpr-info.eu/art-15-gdpr/ Whether a user identifies as a "unicorn" or not may well not be covered by "personal data" -- if it isn't part of that, you shouldn't need to be provide it.

jonahbenton17:07:59

IANALE (either) but after my conversations with same my advice would be to include the label Unicorn, which represents the choice the user made (e.g. they chose "Unicorn", not "123"). The ID is an implementation detail and irrelevant. When you go through the GDPR and the backstory and motivation, the definition of personal information is intended to be expansive, and includes their choices and decisions as well as their attributes. You had a particular product decisioning process that led to the label "Unicorn" to be offered as an option, some of your users chose that label, and it may be that now or in the future you do some "processing" (in the GDPR sense) that uses that choice. The fact that the label is "Unicorn" may have some semantic implications on that processing, users may request explanations for the results of that processing, and those explanations will have to refer to "Unicorn." So- my non-legal advice would be to include it.

jonahbenton17:07:40

If the term Unicorn does not represent an explicit choice the user made, and instead is the results of processing of other data they have provided, you should be prepared to provide explanations of that processing, and of the choice of labels. If providing those explanations makes business stakeholders uncomfortable- then GDPR is working.

seancorfield18:07:12

Yeah, I think we'll see a lot of this tested in the courts to clarify what the GDPR really requires as its definition of "personal data" is extremely fuzzy. If the user can reasonably argue that a combination of elements from their profile when taken together could (indirectly) identify them, then "personal data" applies.

seancorfield18:07:50

I think a good rule of thumb regarding expectations is that if a user can see something on their profile page in your app, then they'll probably expect that information to show up in the same readable format if they request access to the personal data you hold on them. Even tho' some of it could not be argued to even indirectly identify them.

seancorfield18:07:37

We've already had to start processing erasure requests. We haven't had any data access requests yet (presumably because in our system the users can see every part of their profile for themselves).

jonahbenton18:07:13

Erasure for people matching is interesting- so if you allow people to keep a history of their matches, and one of their matches requests to be forgotten, then is it that that match never occurred? Or they were matched to someone who left the platform and has been forgotten?

seancorfield21:07:10

@U0FF3A4V6 Members could already change their status in various ways that make their profile inaccessible (as can our Admins) so we already supported the case of matched profiles becoming inaccessible.

joelkuiper09:07:09

Months of clouds, but the remote observatory is finally back in action! https://www.flickr.com/photos/joelkuiper/29032867308

😮 16
cfleming00:07:23

Very nice! I’ll be in Spain later this year, I’ll have to come visit 🙂

seancorfield17:07:26

IANAL (I Am Not A Lawyer) but the GDPR is focused on "personal data" -- stuff that can "directly or indirectly identify" a person -- so it's not clear yet how expansive that is in terms of what data you'd need to provide in response to a request for access to a user's data. https://gdpr-info.eu/art-15-gdpr/ Whether a user identifies as a "unicorn" or not may well not be covered by "personal data" -- if it isn't part of that, you shouldn't need to be provide it.

Bravi18:07:18

hi clojurians! does anyone know of any good project / task management app that integrates with github? I’m using FastHub at the moment that allows me to view github issues on my repos, but I wanted to have something a bit more project management-y so to say

jonahbenton21:07:34

http://clubhouse.io is produced by a clojure team

clj 8
metacritical21:07:38

@seancorfield Can one move a thread to another channel?

seancorfield21:07:05

I don't think so. But it will age out and disappear in a week anyway 🙂