Add data use consent to signup flow

[hollomancer]

Feature

Why is this feature being added?

As we grow, we need to start tightening up our use of data. We need to ensure that users who are signing up for our site have read and understood;

• terms of use
• code of conduct
• privacy policy

As well as understand how their data will be treated as a part of Operation Code.

What should your feature do?

Add a way of ensuring that new members can validate their acceptance of each of these documents as they join OC, and ensure that the document version they accepted is recorded against each user.

References/Resources

• https://www.privacyshield.gov/
• https://consentjs.com/

[kylemh]

Do you mean like a:

"Read this... Do you agree?" system for all 3 of those links?

[hollomancer]

Pretty much, plus a corresponding entry in the backend to record the date which this took place.

[kylemh]

@hollomancer is that specifically required by the policy? Registration date would be good enough for me, otherwise.

[nellshamrell]

Hello!

Just went through the Privacy Shield docs in depth and want to share what they are and how the affect us (skip down to the bottom for what we need to do).

This is indeed motivated by GDPR.

What is Privacy Shield?

• way of ensuring that we are compliant with user data requirements of GDPR. Although we have few non-US members, we do have some volunteers from outside the US, and even if we didn’t this is the right thing to do when it comes to treating our user’s data with care and respect.

Main principles of Privacy Shield

Notice

• includes informing users the purpose of us collecting personal information, how to contuct us with inquiries or complaints, type of third parties we discolse personal information to and the purpose, right of individuals to access personal data, etc. (for more, check out https://www.privacyshield.gov/article?id=1-NOTICE)
• this appears to be covered with our updated privacy policy

Choice

• gives people a chance to opt out (it appears that the only option to opt out of our limited data collection is to not sign up as a member of our org, which is certainly a bummer, but having the checkboxes will ensure that someone is aware that they have opted in)

Accountability for Onward Transfer

• I believe this is also covered in our updated privacy policy
• basically - we need to be aware that any third parties we share data with (i.e. Google Analytics, Send Grid) are doing so in a limited purpose that the individual consented to - basically if we are going to use a 3rd party service, we need to make sure that they are following the same guidelines we do

Security

• This is around us taking reasonable and appropriate measures to protect and data from loss, misuse, and unauthorized access. I believe this is covered by our use of AWS IAM users, etc. to limit access to data. We do need to be more careful in the future or any data transfered outside of our core database (i.e. csv sheets) - these should be deleted as soon as they are no longer needed and should never be placed on external drive (i.e. USB drive). I’ll put together a data policy that covers this.

Data Integrity and Purpose Limitation

• we should only use the data exactly how we say we are (i.e. we should never, ever sell our user emails lists) - I’ll include this in a data policy as well.

Access

• this covers a user being able to correct, amend, or delete their information. They do have access to correct or amend it through editing their Operation Code profile - but if there is data they cannot access or if they want their data deleted entirely, they can reach out to us as stated in updated privacy policy

Recourse, Enforcment, and Liability

• TLDR; there are consequences for not complying with these policies

What do we need to do?

We absolutely need "Have your read this? Do you agree?" checkboxes for:

• terms of use
• code of conduct
• privacy policy

The privacy policy one is the most important, but it's also a good practice to have them for the terms of use and code of conduct as well.

The reason we need to date the user agreed to these policies is so we can trace back exactly what language they agreed to. In case we ever decide to have users agree to updated policies (which I believe we should), this should be separate from the registration date.

[dmarchante]

anyone assigned to this issue yet, and will we have to coordinate with the back-end

[kylemh]

Documented in https://github.com/OperationCode/front-end/issues/174