GDPR, Privacy, cookies and so on

[nathcast]

We all had the course on GDPR. I am doing a round of looking at potential issues with GDPR, Privacy in the eRA website. see [[GDPR course]]

• reading the Rothamsted PP, https://www.rothamsted.ac.uk/privacy-and-cookies page: listing the promises of that document and ensure that we deliver on these

  • When we hold or use your personal information we will provide you with a privacy notice which sets out in detail what information we hold about you (such as your contact details, address, etc.), how your personal information may be used and the reasons for these uses, together with details of your rights.
  • Where we collect personal information from you directly, we will provide this privacy notice at the time

• https://www.dbxuk.com/blog-2023/cookies-vs-sessions However, it would be possible (but not recommended) to store personal information within a session cookie. This would not be compliant if it could be used to identify an individual. Sessions are OK, but I need to check that I am not recording anything that can identify a person

• TODO:

• [x] Correct the Privacy page in eRA and pass on to others for review

• [x] make specific privacy notices for eRA that is sent with the UserRequest and also review what is on the modal

  • [x] how long we keep the personal data,: 10 years - time it takes to research and write paper
  • [x] their right to be forgotten - note that being forgotten will forego their use of the database: can we do that?

• [x] Check sessions variables : Do they store private information?

  • I am deleting history everyday
  • user info is deleted after 7 days

• [x] send message to LWarren with light suggestions to their document and my documents for review

• [x] make a toast to say that we collect limited information for funding purposes and continuing on this site is considered consent

• [x] Need a chat about the IP address: Do we need them for User Request?

• [x] For the Downloads, It is nice to be able to identify download per unique person. https://law.stackexchange.com/questions/61076/storing-ips-and-gdpr-compliance that article explains that IP is personal data and as such they need to consent to have it collected.

• [ ] Need to make google analytics GA4 GDPR compliant or stop using it. https://www.cookieyes.com/blog/google-analytics-gdpr/

[nathcast]

Drafting Message to ask IT or whom it may concern that their document is not that well written

To whom it may concerns:

I know that nobody reads the Privacy and Cookie notices - https://www.rothamsted.ac.uk/privacy-and-cookies - but I did.

At first glance, it looked like a great document, and I pasted it verbatim for our e-RA website. On further reading, I found it had a lot of repeats and some typos. It could do with some reviewing and editing, to simplify the sentences and correct the typos

Meanwhile, we are drafting our own version (which will point to the Rothamsted one) - http://local-info.rothamsted.ac.uk/eRA/era2023/info/privacy

And as are also checking our forms, cookies and processes to ensure that e-RA is compliant to GDPR ( and might contact you on another ticket. )

Dr Nathalie Castells https://www.rothamsted.ac.uk/our-people/nathalie-castells

[nathcast]

From Meeting:

• We do not want to keep IP addresses .
• review Rothamsted Privacy policy into a word document to then send alongside with PNs to Louise Warren who can then approve of our work.

[nathcast]

During meeting:

• [x] review text for e-RA privacy notice
• [x] write email and send with 2 docs
• [x] some changes to email sent to users