CodeForPhilly / laddr

http://codeforphilly.github.io/laddr/
MIT License

Ability to Delete Accounts #190

Open ki9us opened 6 years ago

ki9us commented 6 years ago

Users should be able to delete their accounts.

themightychris commented 6 years ago

Accounts can be disabled currently, and we can and should add the option for users to self-disable their account (which removes them from most views), but we cannot allow people to retroactively remove data that has been contributed to the public domain or de-attribute it. For example, if someone has posted projects or posted updates to projects, that content belongs to the community. That's the social contract under which everyone engages and it wouldn't be fair to others who have contributed to a project if information they helped create can be disappeared.

It is an open question though whether we should/need to keep names visible after an account has been disabled or replace the rendering of names wherever attribution for a piece of content needs to be shown with a placeholder like "[removed user]".

schlos commented 4 years ago

It's also a GDPR requirement (to allow account removal or depersonalization of private data).

themightychris commented 4 years ago

@schlos any idea how that applies to something like project history? When someone makes edits/contributions to a public project, the work they've contributed seems pretty clearly to not be personal data, but where I get lost is how attribution/auditing fits in with GDPR.

Laddr is going to move towards using a public git repository as the database for project data, so if people create/edit project details their name is going to be signed to their changes in an immutable history.

schlos commented 4 years ago

That's a good point @themightychris !

The Organisation (i.e. Code for Philly, Code for Croatia, etc.) as a Data Controller has an obligation to do whatever is in their power to enable/support Erasure of Personal Data when a Data Subject requests it.

All Laddr versions (if I'm not mistaken) currently support erasing user accounts (from the members page), now the questions are:

Chris: Accounts can be disabled currently, and we can and should add the option for users to self-disable their account (which removes them from most views), but we cannot allow people to retroactively remove data that has been contributed to the public domain or de-attribute it.

The rule should be:

Chris: For example, if someone has posted projects or posted updates to projects, that content belongs to the community.

So in the case where a person contributed to the public domain, the content will stay; you will just need to pseudonymize their personal data linked to this content, i.e. the account (replace First Name, Last Name with [Anonymized-userid], [Anonymized-userid] or similar), but erase what you don't need/use when there is no linked data to those items (i.e. gender, DOB, email address ...).

Chris: ...we can and should add the option for users to self-disable their account...

I second this as it will reduce the administrative burden on Staff. Users can then do this when they want it, giving the user more control over their personal data.

External data

In cases where personal data comes from other sources, based on the DPA (Data Protection Agreement) between those two legal entities, the data is either in control of you or the 2nd party.

Github has help pages explaining Entering a data protection agreement with GitHub for GDPR compliance and also the Github Privacy Statement describing Data Subject rights, quoting:

If you would like to cancel your account or delete your User Personal Information, you may do so in your user profile. We retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 90 days of your request. You may contact GitHub Support or GitHub Premium Support to request the erasure of the data we process on the basis of consent within 30 days.

After an account has been deleted, certain data, such as contributions to other Users' repositories and comments in others' issues, will remain. However, we will delete or de-identify your User Personal Information, including your username and email address, from the author field of issues, pull requests, and comments by associating them with a ghost user.

That said, the email address you have supplied via your Git commit settings will always be associated with your commits in the Git system. If you choose to make your email address private, you should also update your Git commit settings. We are unable to change or delete data in the Git commit history — the Git software is designed to maintain a record — but we do enable you to control what information you put in that record.

So I would say, you do not need to worry about 2nd/3rd parties much. Github has mechanisms in place to support personal data erasure, so if you fetch data from there, any user update will be reflected on your site.

The remaining thing you need to cover is the setup where you get all data from Github, but you still keep something on your side (i.e. local user account data); then this needs to be covered by Laddr.

Cheers!
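The rule schlos and themightychris arrive at above (keep community content, pseudonymize the account that is still referenced by it, erase everything else outright) can be written down as a small erasure routine. The following is an added example, not Laddr's own code: it assumes a simple dict-based model with accounts keyed by numeric ID and content rows carrying an `author_id` foreign key, and the field names, the `[Anonymized-<id>]` pseudonym format and the `[removed user]` placeholder are taken from the discussion rather than from the project. It only covers the site's own database; as noted above, names already signed into a git history are out of its reach.

```python
"""Account erasure that keeps attribution on community content.

Added example, not Laddr's own code. Assumed data model: ``accounts`` is a
dict keyed by numeric account ID, ``content_rows`` is a list of dicts
(projects, project updates) each carrying an ``author_id`` foreign key.
"""
from __future__ import annotations

from typing import Optional

# Fields that must still render after erasure so attribution on community
# content works. They are never kept verbatim: each one is overwritten with
# the pseudonym, so no name survives in the stub.
NAME_FIELDS = ("first_name", "last_name", "username")

# Allow-list of non-name fields the disabled stub may keep. Anything not
# listed here or in NAME_FIELDS (email, gender, DOB, ...) is dropped, so a
# column added later is never retained by accident.
KEPT_FIELDS = ("id", "created")

REMOVED_PLACEHOLDER = "[removed user]"


def pseudonym_for(account_id: int) -> str:
    """Pseudonym format suggested in the thread: [Anonymized-userid]."""
    return f"[Anonymized-{account_id}]"


def has_public_contributions(account_id: int, content_rows: list[dict]) -> bool:
    """True when any community content still points at this account."""
    return any(row.get("author_id") == account_id for row in content_rows)


def erase_account(account: dict, content_rows: list[dict]) -> Optional[dict]:
    """Apply the thread's rule to one account.

    Returns None when nothing references the account (caller deletes the
    row outright), otherwise a disabled, pseudonymized stub that keeps the
    ID so existing author_id references still resolve.
    """
    account_id = account["id"]
    if not has_public_contributions(account_id, content_rows):
        return None
    stub = {key: account[key] for key in KEPT_FIELDS if key in account}
    for key in NAME_FIELDS:
        stub[key] = pseudonym_for(account_id)
    stub["disabled"] = True
    return stub


def process_erasure_request(account_id: int, accounts: dict, content_rows: list[dict]) -> str:
    """Mutate the accounts table in place; return the outcome for the audit log."""
    stub = erase_account(accounts[account_id], content_rows)
    if stub is None:
        del accounts[account_id]
        return "deleted"
    accounts[account_id] = stub
    return "pseudonymized"


def attribution_name(author_id: int, accounts: dict) -> str:
    """Name to render next to a piece of content.

    A pseudonymized stub renders as its pseudonym (first and last name are
    identical, so the duplicate is collapsed); a missing account renders as
    the placeholder themightychris floated.
    """
    account = accounts.get(author_id)
    if account is None:
        return REMOVED_PLACEHOLDER
    parts = [account.get("first_name", ""), account.get("last_name", "")]
    if account.get("disabled") and parts[0] == parts[1]:
        return parts[0]
    return " ".join(p for p in parts if p)


# Constructed sample data: one member with a project, one with no content.
SAMPLE_ACCOUNTS = {
    1: {"id": 1, "created": "2017-03-01", "username": "asmith",
        "first_name": "Alice", "last_name": "Smith",
        "email": "alice@example.invalid", "gender": "f", "dob": "1990-01-01"},
    2: {"id": 2, "created": "2018-06-12", "username": "bjones",
        "first_name": "Bob", "last_name": "Jones",
        "email": "bob@example.invalid"},
}
SAMPLE_CONTENT = [
    {"id": 10, "type": "project", "title": "Transit map", "author_id": 1},
]


if __name__ == "__main__":
    accounts = {k: dict(v) for k, v in SAMPLE_ACCOUNTS.items()}
    for account_id in (1, 2):
        print(account_id, process_erasure_request(account_id, accounts, SAMPLE_CONTENT))
    for row in SAMPLE_CONTENT:
        print(row["title"], "by", attribution_name(row["author_id"], accounts))
    print("Bob's content:", attribution_name(2, accounts))
```

The allow-list is the important design choice: the stub is rebuilt from scratch from `KEPT_FIELDS` and `NAME_FIELDS` rather than by deleting known-sensitive columns, so the default for any field the code does not know about is erasure, not retention.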