Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Yao Wei writes:

> Hi,
>
> I was publishing the announcement too hastily. Should we do one of the
> following:
>
> * not sending any personal data to the list
> * have an opt-in list instead of opt-out

I'd have thought that most of the people that are OK with the data being handed over will also actually respond to say so (but maybe I'm over optimistic).

To make sure that really happens, I'd have thought that one just needs to explain that each "Yes" you get is likely to be worth however many tens of thousands of TWD to Debconf, so people should not say "No" simply out of habit.

Making it clear that it's only initials, or whatever, also seems likely to help.

Obviously this change of strategy would need to be announced before the previously mentioned deadline expires.

One could perhaps do neither opt-in nor opt-out, but instead say that you actually want an answer one way or the other ... and will try asking again, possibly via other channels, in order to get that answer simply because getting the answer to that question is quite important to Debconf finances.

BTW I'm happy to help chasing people on that if it helps, although I'll be flying home to Germany on the 15th so it might be that my availability is not great at the time that you need the most effort.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Hi,

- Original message -
> From: "Yao Wei"
> To: "phil"
> Cc: data-protect...@debian.org, "debconf-team"
> Sent: Saturday, 11 August 2018 21:32:58
> Subject: Re: [DebConf18] About Personal Data Sent to Government Agencies and
> University for Funding

> Hi,
>
> I was publishing the announcement too hastily. Should we do one of the
> following:
>
> * not sending any personal data to the list
> * have an opt-in list instead of opt-out
>
> The difficulty I mentioned is to reach the minimum we need to report.
>
> Also the data we are providing only has the initials of the name plus the
> country. But combining the list of Debian developers and other facts
> that's already on the Internet it can still be used to identify an entity.
>
> If they can accept only the aggregated data of nationality I would be happy
> to provide that instead.

I suggest you start doing a list with the speakers, because their names are already public.
https://debconf18.debconf.org/talks/

After that, you will know how many names you need. You can ask for people from global team if they agree to give their names.

Best regards,

--
Paulo Henrique de Lima Santana (phls)
Curitiba - Brazil
Member of the Curitiba Livre Community
Site: http://www.phls.com.br
GNU/Linux user: 228719
GPG ID: 0443C450

Support the campaign for gender equality #HeForShe (#ElesPorElas)
http://www.heforshe.org/pt
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Hi,

I was publishing the announcement too hastily. Should we do one of the following:

* not sending any personal data to the list
* have an opt-in list instead of opt-out

The difficulty I mentioned is to reach the minimum we need to report.

Also the data we are providing only has the initials of the name plus the country. But combining the list of Debian developers and other facts that's already on the Internet it can still be used to identify an entity.

If they can accept only the aggregated data of nationality I would be happy to provide that instead.

Yao Wei

On Sun, Aug 12, 2018 at 07:26 Philip Hands wrote:

> Yao Wei writes:
>
> > Hi,
> >
> > I am thinking that this should be an opt-in rather than opt-out for
> > GDPR compliance. However it is difficult to accomplish in my
> > opinion... So opt-out can be really a compromise here.
>
> I don't think I've ever come across an opt-out list that didn't contain
> people that (if properly informed) would prefer not to be on that list.
>
> Is it really a compromise to ignore that fact?
>
> Personally, now that I'm aware of this, I will opt-out myself and my
> family from an opt-out list, simply because I think opt-out lists are
> fundamentally unethical.
>
> On the other hand, if I'm given the chance to opt-in, along with a
> full-disclosure description of exactly how opting-in will help DebConf
> fund itself, I will almost certainly opt in (for myself at least).
>
> If there is some option to fuzz the data a bit, I might[1] be able to
> persuade Gunde (my wife) that all four of us should opt in.
>
> Even if I don't get upset enough about "Debian" and "opt-in" being in
> the same sentence to blog about it, I'm pretty sure others will, and the
> resulting news reports will not be good for Debian's reputation.
>
> Is that aspect of our reputation worth more than 70k EUR? If so, we
> should definitely prefer telling them "No!", and paying the money out of
> Debian funds.
>
> However I suspect that there is a way of proving that the attendees were
> sufficiently international without handing over an improperly authorised
> list. I'd suggest that we should find out how that might be achieved.
>
> Cheers, Phil.
>
> [1] No guarantees about persuading Gunde though:
>
>     She has initiated legal action in the past when someone used her
>     data without proper permission.
>
>     The saga of how/if one could discover if the UK's NHS had uploaded
>     our kids data to "The Spine" is quite a long story -- Gunde tends
>     not to give up on these things.
>
>     I doubt she's unique among our attendees in this attitude.
> --
> |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
> |-| http://www.hands.com/ http://ftp.uk.debian.org/
> |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Yao Wei writes:

> Hi,
>
> I am thinking that this should be an opt-in rather than opt-out for
> GDPR compliance. However it is difficult to accomplish in my
> opinion... So opt-out can be really a compromise here.

I don't think I've ever come across an opt-out list that didn't contain people that (if properly informed) would prefer not to be on that list.

Is it really a compromise to ignore that fact?

Personally, now that I'm aware of this, I will opt-out myself and my family from an opt-out list, simply because I think opt-out lists are fundamentally unethical.

On the other hand, if I'm given the chance to opt-in, along with a full-disclosure description of exactly how opting-in will help DebConf fund itself, I will almost certainly opt in (for myself at least).

If there is some option to fuzz the data a bit, I might[1] be able to persuade Gunde (my wife) that all four of us should opt in.

Even if I don't get upset enough about "Debian" and "opt-in" being in the same sentence to blog about it, I'm pretty sure others will, and the resulting news reports will not be good for Debian's reputation.

Is that aspect of our reputation worth more than 70k EUR? If so, we should definitely prefer telling them "No!", and paying the money out of Debian funds.

However I suspect that there is a way of proving that the attendees were sufficiently international without handing over an improperly authorised list. I'd suggest that we should find out how that might be achieved.

Cheers, Phil.

[1] No guarantees about persuading Gunde though:

    She has initiated legal action in the past when someone used her data without proper permission.

    The saga of how/if one could discover if the UK's NHS had uploaded our kids data to "The Spine" is quite a long story -- Gunde tends not to give up on these things.

    I doubt she's unique among our attendees in this attitude.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Hi Holger,

On Sat, Aug 11, 2018 at 00:51 Holger Levsen wrote:

> i'm a bit puzzled, you ask the data-protection list for advice and then go
> against their advice. (they suggest to make this opt-in).

Jonathan (from Data Protection team) made an email template that we can go with opt-out. Also opt-in could impact the funding if we have too little people on the list, even if we match the requirements.

> then suddenly the government fundings went up from 50k USD to 80k USD,
> how come? (your 1st mail in this thread here vs what you just wrote on
> -announce.)

My first email on this thread is incorrect. The break down is below:

MEET TAIWAN: 504,040 TWD
NCHC: 550,000 TWD
NCTU: 1,500,000 TWD (this is unlisted in budget, but NCTU MIRC claimed such venue fee to NCTU CS dept, and CS dept is seeking from other fundings like MOST (Minister of Science and Technology) and MOE (Minister of Education) etc.)

> also you didn't reply to my question how many names they need.

I thought I already replied to that, but my email got filtered by spam filter on the list. That is put in the announcement. Copying from that:

> We need at least 100 attendees, and in which we need at least 30 attendees not from Taiwan. Note that even if we meet such requirement, it will also affects fundings if we have much less people than we should report.

> also you didn't explain this (that not everybody needs to give their
> names) and thus the people on -announce are not aware that them opting
> out is a serious option which will not impact the funding.
>
> last but not least, you make it sound dramatic, while according to what
> i have heard, dc18 will make 60k USD profit, so we could very well cover
> this from dc18 funds and not violate the rights of the people we love.

I am thinking about covering everything from SPI as well. But not really sure what we will lose other than money. We can gain reputations on our data policy if doing so.

> not impressed. (perceived) urgency often gives bad advice. Debian needs
> people more than money.

Sorry for my hasty action. We have to give funds the report 1 months within the end of event, and I am being pressured to hand over the list.

Best regards,
Yao Wei
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
On Fri, Aug 10, 2018 at 04:51:08PM +, Holger Levsen wrote:
> also you didn't explain this (that not everybody needs to give their
> names) and thus the people on -announce are not aware that them opting
> out is a serious option which will not impact the funding.

I was wrong, you explained this. I was just so annoyed by this opt-out stuff already that I stopped reading.

--
cheers,
Holger
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
hi Yao Wei,

i'm a bit puzzled, you ask the data-protection list for advice and then go against their advice. (they suggest to make this opt-in).

then suddenly the government fundings went up from 50k USD to 80k USD, how come? (your 1st mail in this thread here vs what you just wrote on -announce.)

also you didn't reply to my question how many names they need.

also you didn't explain this (that not everybody needs to give their names) and thus the people on -announce are not aware that them opting out is a serious option which will not impact the funding.

last but not least, you make it sound dramatic, while according to what i have heard, dc18 will make 60k USD profit, so we could very well cover this from dc18 funds and not violate the rights of the people we love.

not impressed. (perceived) urgency often gives bad advice. Debian needs people more than money.

--
cheers,
Holger
---
holger@(debian|reproducible-builds).org
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
]] ChangZhuo Chen "(陳昌倬)"

(trimmed Cc)

> On Fri, Aug 10, 2018 at 12:27:39PM +0800, Yao Wei wrote:
> > We are requested by National Chiao Tung University (NCTU) and National
> > Centre of High-performance Computing (NCHC) for the list of attendees
> > along with their nationality for applying fundings. NCTU also applies
> > government funds MEET TAIWAN [1] which they requires such information
> > for checking if our event matches their qualification for funding
> > (they requires more than certain number of foreign people attending
> > the event as one of the requirements).
>
> Is this requirement the same as eCode for VISA [0], which is:
>
> * Come from 3+ nations/regions
> * >100 attendees
> * >50 foreigner/China, or >30% foreigner/China.
>
> In this case, I think group photo can easily prove that we meet the
> requirement. Since NCTU & NCHC also need to comply with Personal
> Information Protection Act [1] when receiving such data, maybe group
> photo is also better for them.

FWIW, in the context of the GDPR, the group photo is not necessarily much (if at all) better. One can argue that it's opt-in, but on the other hand, it's just as much personal information as a list of names.

Like Matthew and Noodles, I agree it would have been preferable if we could have given this information to attendees up front, but as that's a bit late, let's work with the cards we have been dealt.

Cheers,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Hi,

I am thinking that this should be an opt-in rather than opt-out for GDPR compliance. However it is difficult to accomplish in my opinion... So opt-out can be really a compromise here. We can tell the attendees we are giving such info to these agencies.

I will ask MEET TAIWAN next week if having initials and nationality per person is sufficient for their requirements. Such as:

"Y. W.", "Taiwan"
"C. C.", "Taiwan"

etc.

Also along with the (partial) list of attendees, we can give statistics of nationality to them to further telling them we have such many people. (Though, I asked MEET TAIWAN and they don't accept us giving statistics *instead of* list of attendees.)

Yao Wei

Sending the email again because the mailing list is considering my email spam.
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
On Fri, Aug 10, 2018 at 12:27:39PM +0800, Yao Wei wrote:
> We are requested by National Chiao Tung University (NCTU) and National
> Centre of High-performance Computing (NCHC) for the list of attendees
> along with their nationality for applying fundings. NCTU also applies
> government funds MEET TAIWAN [1] which they requires such information
> for checking if our event matches their qualification for funding
> (they requires more than certain number of foreign people attending
> the event as one of the requirements).

Is this requirement the same as eCode for VISA [0], which is:

* Come from 3+ nations/regions
* >100 attendees
* >50 foreigner/China, or >30% foreigner/China.

In this case, I think group photo can easily prove that we meet the requirement. Since NCTU & NCHC also need to comply with Personal Information Protection Act [1] when receiving such data, maybe group photo is also better for them.

[0] https://www.meettaiwan.com/zh_TW/menu/M775/%E5%BD%88%E6%80%A7%E5%85%A5%E5%A2%83%E6%A9%9F%E5%88%B6.html?function=9ABFE646EAF7B357D0636733C6861689
[1] https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021

--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debconf,debian}.org
http://czchen.info/
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
Hi,

On 10/08/18 09:28, Jonathan McDowell wrote:

> Legitimate interest should be a suitable basis for processing such
> information; it sounds like a reasonable chunk of the funding for
> DebConf was conditional on these government funds, so in order to run
> the conference it's required to hand the details over. However this is
> something that should have been made apparent to attendees up front, so
> they could make an informed decision about whether to attend or not.
> DebConf team, please note this for future DebConfs.

I think we should be telling people in advance how we will use their personal data. Even if this is legally OK, I think some Debconf attenders will be (not unreasonably) unhappy about their data being used like this without their consent.

> I would suggest that the best approach in the current circumstance is
> probably to email attendees saying something like:
>
> | It has come to our attention that National Chiao Tung University, our
> | hosts for DebConf18, have an expectation that some of their costs will
> | be covered by funding from the Taiwanese government. As part of this
> | they need to prove that there were a certain percentage of foreign
> | attendees. To do so requires passing attendee name + nationality details
> | to the university and thus the government. As we did not make attendees
> | aware of this before they registered for the conference we are
> | contacting you now to give you an opportunity to request that we
> | withhold your information from the details we pass over. If you wish
> | to do so please contact us by .

I sort-of feel that this should be an opt-in rather than an opt-out, but I see that is going to be more difficult.

> I don't know whether you also want to add that there will be a financial
> penalty if we don't provide this information; personally I can't think
> of a way to word it that doesn't sound a bit like coercion.

Your proposed text does mention the costs, although without explicitly saying "if we refuse to provide these data, NCTU will expect us to cover this funding shortfall". Does our contract with them let them do this?

> For those who don't want their details passed over it should be possible
> to provide aggregate data; a total number of foreign attendees who
> declined to have their data provided won't reveal anything. A breakdown
> per country might well leak such information however.

Yes; I would twitch if any of the relevant numbers were below, say, 5.

Regards,

Matthew
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
On Fri, Aug 10, 2018 at 07:30:39AM +0200, Tollef Fog Heen wrote:
> ]] Yao Wei
>
> > We are requested by National Chiao Tung University (NCTU) and National
> > Centre of High-performance Computing (NCHC) for the list of attendees
> > along with their nationality for applying fundings. NCTU also applies
> > government funds MEET TAIWAN [1] which they requires such information
> > for checking if our event matches their qualification for funding
> > (they requires more than certain number of foreign people attending
> > the event as one of the requirements).
>
> Is there a requirement that the list of names is complete (includes all
> attendees)? What is the number of non-Taiwan nationals required? Can I
> read more about what the purpose of this is somewhere? (It was not
> obvious to me where it is on the MEET TAIWAN site.)
>
> If the answer to those is «no» and some not-unreasonable number, we
> might be able to get consent from enough people. If not, we'll have to
> figure out if we have another legal basis for processing.

Legitimate interest should be a suitable basis for processing such information; it sounds like a reasonable chunk of the funding for DebConf was conditional on these government funds, so in order to run the conference it's required to hand the details over. However this is something that should have been made apparent to attendees up front, so they could make an informed decision about whether to attend or not. DebConf team, please note this for future DebConfs.

I would suggest that the best approach in the current circumstance is probably to email attendees saying something like:

| It has come to our attention that National Chiao Tung University, our
| hosts for DebConf18, have an expectation that some of their costs will
| be covered by funding from the Taiwanese government. As part of this
| they need to prove that there were a certain percentage of foreign
| attendees. To do so requires passing attendee name + nationality details
| to the university and thus the government. As we did not make attendees
| aware of this before they registered for the conference we are
| contacting you now to give you an opportunity to request that we
| withhold your information from the details we pass over. If you wish
| to do so please contact us by .

I don't know whether you also want to add that there will be a financial penalty if we don't provide this information; personally I can't think of a way to word it that doesn't sound a bit like coercion.

For those who don't want their details passed over it should be possible to provide aggregate data; a total number of foreign attendees who declined to have their data provided won't reveal anything. A breakdown per country might well leak such information however.

J.

--
I wish life had a scroll-back buffer.
Re: [DebConf18] About Personal Data Sent to Government Agencies and University for Funding
]] Yao Wei

> We are requested by National Chiao Tung University (NCTU) and National
> Centre of High-performance Computing (NCHC) for the list of attendees
> along with their nationality for applying fundings. NCTU also applies
> government funds MEET TAIWAN [1] which they requires such information
> for checking if our event matches their qualification for funding
> (they requires more than certain number of foreign people attending
> the event as one of the requirements).

Is there a requirement that the list of names is complete (includes all attendees)? What is the number of non-Taiwan nationals required? Can I read more about what the purpose of this is somewhere? (It was not obvious to me where it is on the MEET TAIWAN site.)

If the answer to those is «no» and some not-unreasonable number, we might be able to get consent from enough people. If not, we'll have to figure out if we have another legal basis for processing.

> Meanwhile, I am also requesting the website team to export the data [2].

I suggest we wait a little bit before doing this.

Thanks,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are