## page was renamed from comma/Community/PrivacyStatement
 . '''NOTA BENE - WORK IN PROGRESS''' - [[Brain/Study/Policies/PrivacyDataProtectionStatement#Inputs_&_Thoughts|Your Inputs & Thoughts]] :-)

 . '''To''' '''[[Brain#Brain_Study| Brain Study]]''' - '''To Brain''' '''[[Brain/Study| Study - Overview Projects]]''' - '''To CAcert.org''' ''' [[Brain/PoliciesAndSignificantTechnicalStandards/PrivacyDataProtection| Privacy Policy - PP ]] '''

----

== CAcert.org Privacy & Date Protection Statement - Policy Improvement ==
<<BR>>

== Actual Status ==

 . '''CAcert.org''' ''' [[Brain/PoliciesAndSignificantTechnicalStandards/PrivacyDataProtection| Privacy Policy - PP ]] ''' - Actual valid

 . '''[[attachment:Dutch_DPA_Application_20090607.pdf]]'''

 . '''[[attachment:Legal_Assessment_20090607.pdf]]'''

 . '''[[Brain/Study/Policies/PrivacyDataProtectionStatement/DataProtectionActReport| DPA - Data Protection Act Compliance - Report 20090608]]''' - by Theus Hagen

 . '''[[attachment:Rasika-to-Oophaga_20090621-1.pdf]]'''

 . '''[[attachment:CAcertDataProtectionProject_BertJaapKoops-to-IanGrigg_E-Mail_20090811.pdf]]'''


 . more about [[http://en.wikipedia.org/wiki/Privacy| Privacy]] '' - source: en.wikipedia.org'' 

 . more about [[http://en.wikipedia.org/wiki/Data_Protection| Data Protection]] '' - source: en.wikipedia.org''

 . an example [[http://wikimediafoundation.org/wiki/Privacy_policy| Wikimedia Foundation Privacy Policy]] '' - source: wikimediafoundation.org''

 . an example [[http://doodle.com/about/policy.html| Doodle Privacy Policy]] '' - source: doodle.com''

 . an example [[http://mahara.org/privacy.php| Mahara Privacy Policy]] '' - source: mahara.org''
<<BR>>

== Purpose of Policy to be Improved ==

 . Description
<<BR>>

== Proposed Text of Policy to be Improved ==

 . Text
<<BR>>

----

== Inputs & Thoughts ==

 . 20091008-[[Iang]] /e-mail

 . {{{
Just to underscore Philipp's remarks.

A problem this new board of CAcert faced on taking on responsibility as of 25th July was that there was no reporting from the project team to the board on any rationales or conclusions, nor requests for decisions, as of that date.

Given uncertainty, and the resolution of the members of the association at the SGM, it was only prudent to call an immediate halt.  Board's resolution m20090728.3 below [a] as communicated halts that work, requests any info.  The DPA project since 28th July is firmly here with the board of CAcert Inc, and Teus Hagen's post of attached documentation can be seen in the light of that resolution, e.g., the request for status as of halt.

This resolution was necessary in order to protect the people involved by providing certainty.  With any changeover, there is a clear need for the new board to get up to speed with the entire project, and then confirm anything presented, because the new board is likely the one that is meant to take the responsibility forward.

(Perhaps in my opinion only) the new board has done that research and got up to speed on the issues and options available.  The documentation presented by Teus Hagen represents one such option amongst a handful. We have been working through the issue & options since end July [b]. This Saturday we hope to pick up the issue again in what is (I think) the third substantial meeting on the issue, and one point on the agenda is to discuss those presented documents.

Our thanks to Teus Hagen for delivery of that status.

iang


[a] https://community.cacert.org/board/motions.php?motion=m20090728.3
=======
data protection project: termination of subcommittee

This committee takes notice of the work that has been done with respect to the data protection project of the previous board [1].  Out of an abundance of caution, it is noted that the legal and liability protections afforded to this project have likely expired due to prior events.  m20090330.1 is hereby terminated with immediate effect [2]. The participants of the project are invited to present current status to the board.

[1] http://wiki.cacert.org/wiki/DataProtectionActReport
[2] http://wiki.cacert.org/wiki/EmailBoardDecisions2008-09
=======

[b] Because of some people's concerns of the politics surrounding the issue, we've decided to go private on this issue;  much as we regret it. 
  }}}

----

 . 20090210-YourName

 . {{{
Old wiki page: PolicyDrafts/PrivacyPolicy

THIS PAGE IS NOT POLICY. Rather it is a collected set of ideas, saved for a future review.

Suggested changes for the privacy policy, when it is considered ready for review:

    * Add the CPS2.2 clause that states:
          o

            "CAcert does not publish information on issued certificates. However, due to the purpose of certificates, and the essential public nature of Names and email addresses, all information within certificates is presumed to be public and published, once issued and delivered to the Member."
          o

            The important part is that the information is presumed to be published by the Member. This is important to establish a baseline for disputes and expectations; it is probably not reasonable for the CA to be held to account for a name in a certificate being revealed. 
    * Point 8. CAcert Assurers verifying the information is not "published", term is misapplied. 
  }}}

----

 . 20080523-YourName

 . {{{
Old wiki page: Policy

http://www.hyperorg.com/blogger/mtarchive/anonymity_as_the_default_and_w.html
  }}}

----

 . YYYYMMDD-YourName

 . {{{
Old wiki page: PolicyLaws

Relevant privacy laws:

= Australia =

 * http://www.privacy.gov.au/act/index.html
 * The National Privacy Principles of Australia, Privacy Amendment (Private Sector) Act 2000.  NPP10.1.e supports the use of sensitive information in dispute resolution.

= Germany =

 * http://www.datenschutzzentrum.de/material/recht/bdsg2001/bdsg2001.htm

= Austria =

 * http://www.dsk.gv.at/dsg2000d.htm
  }}}

----

 . 20090921-[[hugi]]

 . {{{
https://svn.cacert.org/CAcert/Policies/PrivacyPolicy.php

<?php
include_once('PrivacyPolicy.txt');
?>
  }}}

----

 . 20090921-[[hugi]]

 . {{{
https://svn.cacert.org/CAcert/Policies/PrivacyPolicy.txt

<h3><?=_("Privacy Policy")?></h3>

<p>
<?=_("This policy discloses what information we gather about you when you visit any of our Web site, and when you issue or use our certificates. It describes how we use that information and how you can control it.")?>
</p>

<h4>1. <?=_("Website information")?></h4>
<p>
<?=_("We collect two kinds of information about website users: 1) data that users volunteer by signing up to our website or when you send us an email via our contact form; and 2) aggregated tracking data we collect when users interact with our site.")?>
</p>

<h4>2. <?=_("Personal information")?></h4>
<p>
<?=_("When you post to the contact form, you must provide your name and email address. When you sign up to the website, you must provide your name, email address, date of birth and some lost pass phrase question and answers.")?>
</p>
<p>
<?=_("We only share your information with any other organisation when so instructed by a CAcert arbitrator.")?>
</p>

<h4>3. <?=_("Aggregated tracking information")?></h4>
<p>
<?=_("We analyse visitors' use of our sites by tracking information such as page views, traffic flow, search terms, and click through. We use this information to improve our sites. We also share this anonymous traffic and demographic information in aggregate form with advertisers and other business partners. We do not share any information with advertisers that can identify an individual user.")?>
</p>

<h4>4. <?=_("Cookies")?></h4>
<p>
<?=_("Some of our advertisers use a third-party ad server to display ads. These ads may contain cookies. The ad server receives these cookies, and we don't have access to them.")?>
</p>
<p>
<?=_("We don't use cookies to store personal information, we do use sessions, and if cookies are enabled, the session will be stored in a cookie, and we do not look for cookies, apart from the session id. However if cookies are disabled then no information will be stored on or looked for on your computer.")?>
</p>

<h4>5. <?=_("Notification of changes")?></h4>
<p>
<?=_("If we change our Privacy Policy, we will post those changes on www.CAcert.org. If we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users via email. Users will be able to opt out of any new use of their personal information.")?>
</p>

<h4>6. <?=_("How to update, correct, or delete your information")?></h4>
<p>
<?=_("You are able to update, add and remove your information at any time via our web interface, log into the 'My Account' and then click on the 'My Details' section, and then click the relevant link")?>
</p>

<h4>7. <?=_("Privacy of certificates")?></h4>
<p>
<?=_("CAcert does not automatically publish the certificates through a directory 
service or the website to other people than the user who requested the 
certificate. In the future, the user might be able to opt-in for publication 
of the certificates through a directory server by CAcert.")?>
</p>

<h4>8. <?=_("Privacy of user data")?></h4>
<p>
<?=_("CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address.
No other person related data is published by CAcert.
")?>
</p>

<h4>9. <?=_("Exceptions")?></h4>
<p>
<?=_("A CAcert arbitrator may override this policy in a dispute.")?>
<?=_("To obtain access to confidential data, a dispute has to be filed.")?>
</p>

<h4>10. <?=_("Legal mandates")?></h4>
<p>
<?=_("CAcert adopts the Australian privacy regulations.")?>
<?=_("Please see <a href=\"http://www.privacy.gov.au/\">http://www.privacy.gov.au/</a> for further details.")?>
<?=_("Governmental warrants and civil supoenas will be processed through the dispute resolution system, which 
ensures that valid authority is given to whoever complies with the supoena or the warrant.")?>
</p>

<p><?=_("If you need to contact us in writing, address your mail to:")?></p>
<p>
CAcert Inc.<br>
P.O. Box 81<br>
Banksia NSW 2216<br>
Australia
</p>
  }}}

----

 . 20090921-[[hugi]]

 . {{{

CAcert CPS and CP

https://www.cacert.org/policy/CertificationPracticeStatement.php#p9.4

9.4. Privacy of personal information

Privacy is covered by the CCA (COD9) and the Privacy Policy (COD5).
9.4.1. Privacy plan

No stipulation.
9.4.2. Information treated as private

Member's Date of Birth and "Lost Password" questions are treated as fully private.
9.4.3. Information not deemed private

To the extent that information is put into an issued certificate, that information is not deemed private, as it is expected to be published by the Member as part of routine use of the certificate. Such information generally includes Names, domains, email addresses, and certificate serial numbers.

Under Assurance Policy (COD13) the Member's status (as Assured, Assurer, etc) is available to other Members.

Information placed in forums outside the online system (wiki, blogs, policies, etc) is not deemed private, and is generally deemed to be published as contributions by Members. See CCA1.3 (COD9).
9.4.4. Responsibility to protect private information

CAcert is a privacy organisation and takes privacy more seriously. Any privacy issue may be referred to dispute resolution.
9.4.5. Notice and consent to use private information

Members are permitted to rely on certificates of other Members. As a direct consequence of the general right to rely, Members may read and store the certificates and/or the information within them, where duly presented in a relationship, and to the extent necessary for the agreed relationship.
9.4.6. Disclosure pursuant to judicial or administrative process

Any disclosure pursuant to process from foreign courts (or similar) is controlled by the Arbitrator.
9.4.7. Other information disclosure circumstances

None.
 }}}

----

 . YYYYMMDD-YourName

 . {{{
Text / Your Statements, thoughts and e-mail snippets, Please
  }}}

----

 . YYYYMMDD-YourName

 . {{{
Text / Your Statements, thoughts and e-mail snippets, Please
  }}}

----
<<BR>>
'''Category''' or '''Categories'''<<BR>>

CategoryPolicy