Ombuds commission/2019/CU Global Procedure on information disclosure

The Ombudsman Commission sent an email to all CheckUsers to clearly outline in what circumstances a CheckUser can disclose information they obtain from their privileged role as a CheckUser. Below is a redacted copy of that email. This is not a new policy, nor does it bring any change to existing policy, it is just a clarification of the Access to nonpublic personal data policy, the Privacy policy, and the CheckUser policy.

The Ombudsmen Commission have found that while Access to nonpublic personal data policy#Use and disclosure of nonpublic information lists appropriate disclosures, we find §(b)(v) unclear for the day-to-day operations of the CheckUser tool on all projects, especially in languages other than English.

The Ombudsmen Commission is creating this document to inform specifically what it deems to be an appropriate disclosure, and an inappropriate disclosure. If the Ombudsmen Commission receives a complaint that does not follow the procedure listed here, then it will be required to disclose the case to the WMF Board, recommending action against a CheckUser.

Requirements to disclose checkuser information:

• Any disclosure must be solely for preventing additional abuse to the project
• Where a disclosure is required to protect a project (like blocks, page protections, suppressions), there must be no one else who has access to the same or same type of information you do that you can disclose the information to in a timely manner (Example: ptwiki checkuser wishes to disclose an IP the arwiki should block to an arwiki sysop. If arwiki had checkusers, or stewards were around that can action on it, then you would have to inform them instead)
• You must not have a conflict of interest, or a perceived conflict of interest with the situation or users involved (Example: You cannot be involved in a dispute with the user). Note that simply taking administrative action against a user does not mean you have a conflict of interest.
• Disclose the minimal amount of information possible (Example: if a location needs to be disclosed, don't give the IP address, give a broad geographic location)
• Any disclosure must not occur in a public space, but only where a minimal amount of users can see the information, limiting exposure as much as possible. Examples of appropriate locations include: Email to one user, private chat with one user, or through Special:EmailUser to one user. Inappropriate examples include: Posting onwiki, sending in a public channel on IRC, and sending to a mailing list.

On behalf of the Ombudsman Commission, -- Amanda (aka DQ) 13:21, 3 September 2019 (UTC)[reply]

Any translation of this message that has a conflict with the English-language version, the English-language version will take precedence.