Make Manifold GDPR compliant
We need to flesh out what's entailed in reaching compliance here (both within Manifold and on the part of the installing organization).
Manifold Responsibilities:
- [x] Rendering a view that clearly describes what data Manifold stores about its users based on settings.
- [x] Allowing a user to delete her account from the Manifold instance.
- [ ] Allowing a user to download all data that Manifold has stored about her.
- [x] Show the user a cookie consent form. None of Manifold's long-term cookie values are, strictly speaking, necessary. Manifold currently can set the following cookies: 1) authToken, which allows the user to be logged in on return visits; 2) VISIT_TOKEN & VISITOR_TOKEN, which are used for Manifold's anonymous internal analytics; and 3) Google Analytics cookies. I believe we can call #1 a necessary cookie under GDPR, and we can ask the user to opt in to #2 and #3.
- [x] Clearly showing the user the T&C and privacy policy when the user signs up
Publisher Responsibilities:
- [x] Providing T&C content
- [x] Providing data privacy content
- [x] Customizing the cookie consent policy as needed
I very much welcome this effort, though I still would argue that the wish to use Manifold as a simple publication layer without its user-interaction capabilities (and deactivate user-driven registration) and the compliance of the software with Europe's GDPR are two completely different things. In our case, of course, one caused the other, but generally speaking you may reasonably want one without the other. However, that is just meant as a statement on the origin of this issue.
Regarding the task itself, as having to deal with this on account of an institution in Europe, I have to say it is really crucial, even more to be able to advertise the software internally.
Since I have to deal with these issues at the moment, I wanted to propose to collaborate on this for mutual benefit. I think what we could provide is some kind of template or reference document for GDPR declarations on Manifold instances. I am in contact with in-house counsel, so I think it could be useful orientation for others.
What would be useful for us is the precise description of the different types of data that Manifold obligatorily or optionally stores, in which form it is stored, what kind of external services are obligatorily or optionally used to which user data is passed, and so forth... I think it would be much faster and more secure and comprehensive if you would compile such a list. Suggestions you made at the end of #1581 are of course also of great help.
If you are interested in working together on this, please give a short note and we should move communication to Slack or, maybe more efficient, have a Telko.
PS: Also very important is a list of API calls to external services, to list them in the declaration, but more importantly, to evaluate if these API calls are GDPR compliant. Google Fonts calls, for instance, are not GDPR compliant, which is really a pain in the ass for theme developers.
@zdavis - Should #1915 be added to this issue?
One step toward this was taken in #1953
Thank you for taking the time to open this feature request. The Manifold team reviewed this issue during our bi-weekly meeting and the consensus is that this feature makes sense and is in keeping with our overall vision for the platform. Moreover, we see this request as a viable candidate for development under our current available funding. We’re adding a “planned” label to this feature to indicate that we plan on completing it within our current funding cycle.
This was an automated message, but please don't hesitate to reply. Our team watches these issues closely and will respond as soon as we're able to!