Anonymization procedure

[cturbelin]

Enable account anonymization (as it implemented on GrippeNet.fr platform)

Context : Allow to remove identifying information about user

When:

• User request (a button in account settings should be available)
• When the "contract fo service" with the user seems to be broken : when user has no activity and we can infer is no longer participating to the project

Proposed Workflow:

• On user request:

  • An email is sent to the account owner to warn about the request
  • After some delay (for example two days or one week) proceed to anonymization (protect from wrong request!)
  • When anonymization is done a last email is sent to the account owner with the ID of the account (only way to go back if the user wants to do it later)

• "User request" should be triggered by the team also because many account actions are requested by email users (they ask us to do it, so it would probably not be a good idea to respond them to do it by themselves :))

• After user inactivity: I dont think this procedure should be always automatic (i.e : an automatic mode could be proposed but it should be possible to do it by the team supervision)

• Warn the user by an email : the account is flagged as to be anonymized, can cancel the procedure by clicking on a link

• If still flagged after some delay : anonymize account

• Send last email with account ID

Tracing: All actions should be properly logged as we need to be able to prove the action has been done in a proper time (GPDR), so each event should be traced

• User request (from user account, from the team)
• Automatic Warning
• Cancel from user
• Anonymization done

[phev8]

@cturbelin Thank you for the description.

Do you think it's necessary to be able to reclaim the account? If user requests the "anonymization", he should be properly warned, that this results in an irreversible deletion of the account. The same user should be able to sign up again with the same email address or other authentication method in a later time point, if she or he decides so, but then this account is not connected with any old information.

[cturbelin]

Yes you're right. It's not necessary when the user request the procedure, but maybe when it's after inactivity.. But I agree it's not very useful and we did not received once such reclaim after we anonymized thousands of account.