IREXorg / data-compass

The Data Compass tool helps teams and organizations improve their strategic use of data. As part of that tool, this software helps them to survey and analyze how data flows between actors in a system.

GDPR compliance #46

Open svasdev opened 4 years ago

svasdev commented 4 years ago

I have asked IT about what we need to do when a user requests their account + data to be deleted (i.e. can we assign their responses to an anonymous "deleted user" profile? Must we delete all their responses, even those which are not personally identifying and which can be de-linked to their account?). I'll update this issue once they respond. Find my full email to them below.

The software developers have a specific question about GDPR compliance / right to be forgotten. Your feedback would be appreciated!

We will be collecting data about users (their IP, when they log in, their usernames/passwords, etc), as well as data from users (their responses to surveys, etc.).

If we (a sysadmin) want to delete a user's data in compliance with GDPR, we can delete both those types of information. However, we have a couple of questions:

Depending on when a user submits a request to delete data, that person's data might already be shared (such as in a previously printed or published report). For instance, a Facilitator may already have exported a copy of that person's survey responses to their computer, or a copy might already have been shared with a respondent's boss. IREX wouldn't be responsible for finding and scrubbing that person's responses from those exports, right?

When a user asks us to "delete my data", are we required to delete all their data (including their responses), or just data that links their responses to personally identifying information? In other words, if a user asks us to delete their account + data, can we keep their previously submitted survey response data anonymously (i.e. link it to a new "deleted user" profile that omits any personally identifying information)?

svasdev commented 4 years ago

I have discussed this with our IT team. Although we don't know for sure since the rules are still new for us, if someone requests that their data be deleted, we have to delete it—not just anonymize it, or uncouple it from their PII. So, sysadmins must have the ability to delete all data associated with a user account, including data they submitted voluntarily in response to a survey.

Any time the database is queried after that (such as to populate a table or a chart), it shouldn't include that person's data.
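The requirement stated in the comment above (sysadmins can hard-delete an account together with everything the user submitted, and later queries must not see that data) can be implemented as a single transactional erasure. The following is an added example written for this issue, not code from the data-compass repository; the `users` / `login_events` / `responses` tables, their columns and the sample rows are constructed assumptions standing in for "data about users" and "data from users". Child rows are deleted explicitly rather than relying only on `ON DELETE CASCADE`, so the result is the same on a connection where cascading is not enforced (SQLite ignores it unless `PRAGMA foreign_keys` is on), and the function returns per-table counts so the sysadmin action can be logged. The chart query deliberately does not join or filter on `users`: after a hard delete there is nothing to filter out, which is the point of deleting rather than re-linking to a "deleted user" profile.

```python
import sqlite3

# Constructed schema for the example: data about users (accounts, logins)
# and data from users (survey responses). Names are assumptions, not the
# data-compass schema.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
);
CREATE TABLE login_events (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    ip TEXT NOT NULL,
    logged_in_at TEXT NOT NULL
);
CREATE TABLE responses (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    survey_id INTEGER NOT NULL,
    question TEXT NOT NULL,
    answer TEXT NOT NULL
);
"""

# Every table holding per-user rows. Kept as a fixed list in code (never
# user-supplied) because the table name is interpolated into SQL below.
USER_DATA_TABLES = ("login_events", "responses")


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows for two users."""
    conn = sqlite3.connect(":memory:")
    # Must be set per connection and outside a transaction, or SQLite silently
    # ignores ON DELETE CASCADE and leaves orphaned child rows behind.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "$argon2id$hash-a"), ("bob", "$argon2id$hash-b")])
    conn.executemany(
        "INSERT INTO login_events (user_id, ip, logged_in_at) VALUES (?, ?, ?)",
        [(1, "192.0.2.10", "2020-03-01T09:00:00Z"),
         (2, "192.0.2.20", "2020-03-01T09:05:00Z"),
         (1, "192.0.2.11", "2020-03-02T09:00:00Z")])
    conn.executemany(
        "INSERT INTO responses (user_id, survey_id, question, answer) VALUES (?, ?, ?, ?)",
        [(1, 7, "Who do you share data with?", "Regional office"),
         (1, 7, "How often?", "Weekly"),
         (2, 7, "Who do you share data with?", "Nobody"),
         (2, 7, "How often?", "Never")])
    conn.commit()
    return conn


def erase_user(conn: sqlite3.Connection, username: str) -> dict[str, int]:
    """Hard-delete an account and every row that belongs to it, atomically.

    Returns rows removed per table for the audit log. Raises LookupError if
    the account does not exist, so a repeated request is visible as such.
    """
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise LookupError(f"no such user: {username}")
    user_id = row[0]
    removed: dict[str, int] = {}
    with conn:  # one transaction: either everything goes or nothing does
        for table in USER_DATA_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
            removed[table] = cur.rowcount
        removed["users"] = conn.execute(
            "DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return removed


def answer_counts(conn: sqlite3.Connection, survey_id: int, question: str) -> dict[str, int]:
    """What a chart is drawn from. No join on users and no 'deleted' filter:
    erased respondents are simply absent from the table."""
    rows = conn.execute(
        "SELECT answer, COUNT(*) FROM responses WHERE survey_id = ? AND question = ? "
        "GROUP BY answer", (survey_id, question)).fetchall()
    return {answer: n for answer, n in rows}


def orphaned_responses(conn: sqlite3.Connection) -> int:
    """Sanity check after an erasure: response rows whose owner no longer
    exists. Non-zero means a child table was missed or cascading was off."""
    return conn.execute(
        "SELECT COUNT(*) FROM responses r LEFT JOIN users u ON u.id = r.user_id "
        "WHERE u.id IS NULL").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("before:", answer_counts(db, 7, "How often?"))
    print("removed:", erase_user(db, "alice"))
    print("after:", answer_counts(db, 7, "How often?"), "orphans:", orphaned_responses(db))
```

On PostgreSQL or MySQL the engine enforces the cascade itself, but deleting the child tables explicitly still pays for itself: the returned counts are what goes into the erasure log, and adding a new per-user table means adding it to `USER_DATA_TABLES` (and the orphan check) rather than hoping its foreign key was declared with `ON DELETE CASCADE`.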

machakux commented 4 years ago

Noted