On privacy and takedown requests

[joepio]

Since ORI pulls data from various governments, some of these governments might accidentally share private data such as names and (email) addresses. Governments might be able to directly control the meeting systems (raadsinformatiesystemen) and delete the private data after publishing by themselves, but these changes will currently not appear in ORI, resulting in ORI hosting potentially private data.

So we need a strategy to deal with this. There are easy, dirty solutions, and cleaner ones.

1. Set up some sort of takedown system that removes entries upon request. E.g. a webform + someone that manually removes the data from ORI. This is pretty easy to implement, but does not really scale well and will probably miss most of the leaked data.
2. Give meeting systems access to a new ORI API which they can post removal requests to. They can use this API when someone removes something from their own system. This is quite easy to implement, but requires some integration effort from meeting systems.
3. Periodically check data suppliers for updates in their data for each entry. Remove data when it's removed from their system. This will result in expensive queries to all suppliers, which they won't like. It will also be computationally expensive for the ORI instance.
4. Set up an event sourcing system, where suppliers dispatch change events for their data. They push changes to ORI, which in turn adjusts the right data. This requires a change in both suppliers and the ORI architecture, which makes it quite an expensive option. However, an architecture like this is future proof and enables cool features like version control and historical playback (e.g. see what value any resource had at any time in history).

Perhaps there are other, better solutions to this problem.

[jurrian]

Can we use the system that WaarOverheid uses for takedown?

[jurrian]

Will be implemented in the new API frontend