[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding

Hi,

On 10/08/18 09:28, Jonathan McDowell wrote:

> Legitimate interest should be a suitable basis for processing such
> information; it sounds like a reasonable chunk of the funding for
> DebConf was conditional on these government funds, so in order to run
> the conference it's required to hand the details over. However this is
> something that should have been made apparent to attendees up front, so
> they could make an informed decision about whether to attend or not.
> DebConf team, please note this for future DebConfs.

I think we should be telling people in advance how we will use their
personal data. Even if this is legally OK, I think some Debconf
attenders will be (not unreasonably) unhappy about their data being used
like this without their consent.

> I would suggest that the best approach in the current circumstance is
> probably to email attendees saying something like:
> 
> | It has come to our attention that National Chiao Tung University, our
> | hosts for DebConf18, have an expectation that some of their costs will
> | be covered by funding from the Taiwanese government. As part of this
> | they need to prove that there were a certain percentage of foreign
> | attendees. To do so requires passing attendee name + nationality details
> | to the university and thus the government. As we did not make attendees
> | aware of this before they registered for the conference we are
> | contacting you now to give you an opportunity to request that we
> | withhold your information from the details we pass over. If you wish
> | to do so please contact us by <date>.

I sort-of feel that this should be an opt-in rather than an opt-out, but
I see that is going to be more difficult.

> I don't know whether you also want to add that there will be a financial
> penalty if we don't provide this information; personally I can't think
> of a way to word it that doesn't sound a bit like coercion.

Your proposed text does mention the costs, although without explicitly
saying "if we refuse to provide these data, NCTU will expect us to cover
this funding shortfall". Does our contract with them let them do this?

> For those who don't want their details passed over it should be possible
> to provide aggregate data; a total number of foreign attendees to
> declined to have their data provided won't reveal anything. A breakdown
> per country might well leak such information however.

Yes; I would twitch if any of the relevant numbers were below, say, 5.

Regards,

Matthew
Reply to: