
Compliance with regulatory requirements to delete personal data

Open trichoplax opened this issue 2 years ago • 3 comments

There was reference to permanently deleting user data in the partially completed #1009 but there was also discussion of not needing this as we are also introducing a "soft delete". As that pull request already includes other significant changes, I'm separating this out into its own issue so that neither needs to delay the other.

Is your feature request related to a problem? Please describe.
Our users are located in many different countries. Some of those countries have a requirement that personal data be deleted on request. For example, GDPR.

I suspect that it is sufficient that someone with administrative access be available to delete data when required, but I do not have the legal knowledge to confirm this. Even if that is sufficient, manually deleting data introduces risks:

  • Accidentally deleting data for the wrong user
  • Not deleting enough data
  • Deleting data that affects the working of the site
  • Not deleting data in the required time if someone with administrative access is unavailable

Describe the solution you'd like
Include in the user interface a way to delete personal data (but only available to admins).

Does this need input from someone with legal insight before a design is finalised?

trichoplax (Apr 18 '23 14:04)

The button behavior (and the admin way to delete it with the console) should be as simple as user.destroy if all cascade deletion rules are set correctly (and we want to delete all associated data). Every has_many and has_one should have a dependent rule set.

Something to look into is the fact that users publish their posts under a license, which may mean it does not have to be deleted (it was made public domain). If it depends on the license, the deletion logic can get more complex, as cascade delete rules need to be adapted to the minimum required deletion.

Also, technically the deletion must also happen in backups. Different countries have different guidelines and it is legally a bit unclear, because this is quite expensive, poses security or continuity risks or is simply infeasible. I will check up with a friend of mine who studied IT Law regarding this.

Taeir (Apr 30 '23 13:04)
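The comment above relies on every has_many and has_one carrying a dependent rule so that user.destroy cascades correctly. Here is an added example (not qpixel's own code) of a lint that checks exactly that: it scans Rails model source for has_many / has_one declarations with no `dependent:` option, handling declarations split across lines and skipping `through:` associations (whose join rows are owned by the underlying direct association). The model sources it runs over are constructed for the example, not taken from the qpixel repository.

```ruby
# Added example, not part of qpixel: lint Rails model source for has_many /
# has_one associations that have no dependent: rule, since those are the
# ones user.destroy would leave behind as orphaned rows holding personal data.

ASSOCIATION_RE = /^\s*(has_many|has_one)\s+:(\w+)(.*)$/

# Returns the has_many / has_one declarations in `source` that carry no
# dependent: option, e.g. ["has_many :comments"]. Declarations that continue
# onto following lines (trailing comma) are joined before being checked;
# has_many :x, through: :y is skipped because its join records are covered
# by the direct association that declares them.
def associations_without_dependent(source)
  missing = []
  buffer = nil
  source.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    if buffer
      buffer << ' ' << stripped          # continuation of a multi-line declaration
    elsif (m = ASSOCIATION_RE.match(line))
      buffer = m[0].strip
    else
      next                               # not an association line
    end
    decl = buffer.sub(/#.*$/, '').strip  # drop any trailing inline comment
    next if decl.end_with?(',')          # declaration continues on the next line
    m = ASSOCIATION_RE.match(decl)
    opts = m[3]
    unless opts.include?('through:') || opts.include?('dependent:')
      missing << "#{m[1]} :#{m[2]}"
    end
    buffer = nil
  end
  missing
end

# Maps file name => offending declarations, listing only files with a problem.
def audit_models(models)
  models.each_with_object({}) do |(name, source), report|
    bad = associations_without_dependent(source)
    report[name] = bad unless bad.empty?
  end
end

# Constructed sample models for the example (hypothetical, not qpixel's models).
CONSTRUCTED_MODELS = {
  'user.rb' => <<~RUBY,
    class User < ApplicationRecord
      has_many :posts, dependent: :destroy
      has_many :comments                      # no dependent rule: flagged
      has_one :community_user,
              dependent: :destroy             # split across lines: accepted
      belongs_to :community                   # belongs_to needs no rule here
      has_many :votes, dependent: :nullify
      has_many :tags, through: :post_tags     # through: is skipped
    end
  RUBY
  'post.rb' => <<~RUBY,
    class Post < ApplicationRecord
      belongs_to :user
      has_many :comments, dependent: :destroy
    end
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  audit_models(CONSTRUCTED_MODELS).each do |file, decls|
    decls.each { |d| puts "#{file}: #{d} has no dependent: option" }
  end
end
```

Run it against the real app by replacing CONSTRUCTED_MODELS with a hash built from `Dir['app/models/*.rb']`; an empty report means user.destroy will reach every directly associated table. It does not decide which rule is right for each association (destroy versus nullify, or keeping licensed content as the comment notes), only that the decision has been made explicitly.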

My understanding (I am not a lawyer!) is that regulations about personal data are concerned with actually personal data -- stuff that identifies the person or is otherwise sensitive. User-contributed content, to my understanding, would not be part of that even without the license considerations.

Whether we are allowed to normalize attribution to "user123", "user456", etc, which would allow a sufficiently-motivated person to aggregate everything posted by "user123", is something I don't know. Currently we show "deleted user" for all such cases and that should be fine; if we wanted to show the normalized names, which can make it easier to follow e.g. comment threads, we'd want to check that that's ok. (I do note that a much bigger player than us, SE, does this, but I don't know if they've done legal review on it.)

Thanks for checking into backups, @Taeir -- that hadn't occurred to me at all.

cellio (Apr 30 '23 17:04)

This is on the Codidact board's list to investigate (legal and technical requirements).

cellio (May 07 '23 20:05)