Training modules/Handling private information/drafting
This page is currently a draft. More information pertaining to this may be available on the talk page.Translation admins: Normally, drafts should not be marked for translation.
The Wikimedia Foundation (WMF) is committed to protecting people's privacy. The Wikimedia movement relies on functionaries like you -- stewards, checkusers, oversighters, bureaucrats, and other volunteer administrators -- to help make using the Wikimedia projects educational, fun, and safe. This quick reference guide will tell you what you need to know to make that happen. You’ll learn about:
- the access to nonpublic information policy, which covers acceptable methods for functionaries to access, use, and share nonpublic personal information; and
- policies specific to your role in the community.
Please note that this document is intended as a summary for training and convenience purposes only. It is not a substitute for official WMF and Wikimedia community policies, and is not intended as legal advice. The WMF legal team can advise only WMF on legal matters, so if you feel that you need personal legal advice, please contact a lawyer.
Defining personal informationEdit
Nonpublic PI is defined as any information that can be used to personally identify a user. This includes, but isn’t limited to, any of the following that have not already been made public by the user themselves on the projects or elsewhere:
- phone numbers;
- email addresses;
- government ID numbers;
- IP addresses; and
- user agent information.
The most common types of nonpublic PI handled by functionaries are email addresses, IP addresses, user agent information, and names. However, functionaries should be aware of the other types of information that qualify. In addition, although not personally identifying by themselves, each of the following is considered nonpublic PI when associated with either the above or with a user’s account:
- date of birth;
- sexual orientation;
- racial or ethnic origins;
- marital or familial status;
- medical conditions or disabilities;
- political affiliations; and
- Because user:Rory publicly stated his real name, email address, address, and phone number on his user page, none of this is considered PI.
- However, if Rory had not disclosed his real name, email address, address, and phone number, these would be considered PI.
- Rory’s IP address and user agent information is PI.
- If Rory has not disclosed that he is unmarried, a statement that links his marital status with his username contains PI.
Access to nonpublic information policy & confidentiality agreementEdit
The access to nonpublic information policy and its corresponding confidentiality agreement are the main sources of functionaries’ privacy responsibilities, so please review them carefully. They cover several important areas, including:
As functionaries, you have tools that let you access nonpublic PI to protect Wikimedia sites from vandalism and illegal content, and to enforce Wikimedia policies. In order to access nonpublic PI, you must:
- be at least 18 years old, or 16 years old for email response team members;
- provide WMF the email address that is linked to your account;
- agree to keep the information confidential; and
- use the information in a manner consistent with all of the policies related to your position, including the access to nonpublic information policy.
Keeping it confidentialEdit
The access to nonpublic information policy and the confidentiality agreement broadly prohibit disclosure of PI. Absent one of the below exceptions, PI that you access using special tools must be kept confidential and may not be disclosed to anyone.
- Start by reading and signing the confidentiality agreement for nonpublic information.
- In addition, be sure to review policies specific to the tools you use, such as the CheckUser tool or Suppression tool. A few of these specific policies will be discussed further in another section.
- Be careful to maintain the security of your account. Do not let others use your account. It is especially important for functionaries to use strong passwords. A helpful essay on personal security practices can be found here.
- If you violate the policy, for example by improperly accessing, using, or disclosing nonpublic PI by mistake, you must:
- Notify WMF immediately;
- At WMF’s request, delete any nonpublic PI in your possession.
Under the access to nonpublic information policy, functionaries are permitted at their discretion, but not required, to disclose PI in certain defined circumstances. These exceptions are summarized below.
If you disclose nonpublic information under exceptions (ii), (iii), (iv), or (v) below, tell WMF at email@example.com within 10 days. In addition, in the event of an emergency, such as a threat of violence, we strongly advise contacting firstname.lastname@example.org and email@example.com immediately.
(i) Between functionaries to fulfill functionary dutiesEdit
Functionaries may disclose PI to other community members with the same access rights in order to fulfill duties outlined in an applicable policy.
You do not need to inform firstname.lastname@example.org within 10 days if you disclose PI under this exception.
User:Rory, an oversighter on English Wikipedia, shares a small amount of PI on a private wiki that is restricted to oversighters, in order to get help with a request he received.
(ii) To service providers in order to enforce blocksEdit
Functionaries may disclose PI to service providers, carriers, or other third parties to assist in either:
- the targeting of IP blocks; or
- the formulation of a complaint to relevant internet service providers.
You do need to inform email@example.com within 10 days if you disclose PI under this exception.
(iii) To law enforcement, in cases where there is an immediate and credible threat to life or limbEdit
WMF’s Support & Safety team recommends immediately forwarding serious threats to firstname.lastname@example.org and email@example.com. Our trained Support & Safety team can then make its own evaluation and determine whether to disclose PI to law enforcement.
However, if you wish to disclose PI to law enforcement yourself, please note that there are three requirements in such cases. A threat must be:
- to life or limb;
- immediate; and
You do need to inform firstname.lastname@example.org within 10 days if you disclose PI under this exception, and we strongly suggest informing email@example.com and firstname.lastname@example.org immediately.
User:Rory, a steward, discovers that a user made a bomb threat on a talk page. He immediately notifies email@example.com and firstname.lastname@example.org about the situation. WMF’s Support & Safety team takes things from there. Rory did not need to personally contact law enforcement or disclose PI.
Rory discovers a user page on which the owner recently posted that they intend to commit suicide. Rory believes the threat is credible. He discloses the user’s IP address, email address, and real name (if available) to law enforcement. He also immediately notifies email@example.com and firstname.lastname@example.org about the situation and the action he has taken.
Rory discovers that a user on a talk page has threatened to throw eggs at another user’s house. Rory does not disclose the user’s IP address, email, or real name to law enforcement because the user has not threatened anybody’s life or limb. Instead, Rory chooses to warn the user or block them for harassment. Depending on the circumstances, Rory may want to report the incident to local law enforcement without disclosing the threat-maker’s IP address, email address, name, or any other PI.
In these cases, we recommend obtaining a message or email from the user explaining who they authorize to disclose information (the specific functionary), what information will be disclosed and why, and to whom the disclosure will be made. This ensures good documentation and that the user is fully aware of how their PI will be shared.
You do need to inform email@example.com within 10 days if you disclose PI under this exception.
User:Rory, a steward, acts on a user’s request to disclose their PI on their behalf. Before doing so, Rory obtains documentation of the user’s permission, which specifically authorizes Rory to do so and explains the what, the why, and the to whom of the disclosure.
(v) When required by lawEdit
Functionaries may disclose PI to law enforcement, administrative bodies, or other governmental agencies, if required by law, provided that the functionary notifies the Wikimedia Foundation unless restricted by law from doing so. The WMF legal team can only advise WMF on legal matters, so if you have questions about the legal validity or enforceability of an order or request you receive, please contact a lawyer.
You do need to inform firstname.lastname@example.org within 10 days if you disclose PI under this exception, unless restricted by law from doing so.
User:Rory, a steward, receives a request from his government to hand over a user's PI. Rory finds and consults with a local lawyer to determine whether he has to provide the information and, if he does so, whether he can notify WMF.
(vi) To the public, in order to block a sockpuppet or other abusive accountEdit
Functionaries may disclose PI to the public when it is a necessary and incidental consequence of blocking a sockpuppet or other abusive account.
You do not need to inform email@example.com if you disclose PI under this exception.
Information specific to your roleEdit
As you likely know, the CheckUser policy applies to users with CheckUser permission. This permission is mainly limited to stewards, ombudsmen, and WMF staff. Wikimedia projects may also have local, stand-alone CheckUsers.
Broadly speaking, CheckUsers can view certain PI such as user IP addresses and user agent information. Pursuant to WMFs Data Retention Guidelines, such checks may generally be conducted for the previous 90 days of site history before the relevant data is deleted from WMF’s servers.
The tool exists to fight vandalism, check for sockpuppet abuse, and to limit disruption of the Wikimedia projects. It should not be used for any other reason. Examples of unacceptable reasons include:
- political control;
- applying pressure on editors; or
- threats against editors in content disputes.
Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI obtained via CheckUser permission, such as IP addresses or user agent information, should not be disclosed unless a valid exception applies.
Please also note that the CheckUser policy cautions against revealing PI even where a valid exception does apply. Where possible, it recommends revealing information such as “same network/different network” rather than a specific IP address.
Notifying a checked user that their information has been checked is optional. You also have the option of notifying the communities that user information has been checked, in cases where you do not disclose PI or a valid exception applies.
Also known as the suppression policy, the oversight policy applies to users with access to the oversight feature. This feature is mostly limited to oversighters, stewards, and WMF staff.
The oversight feature may be used in four specific cases. One of these cases is relevant to user privacy: when the feature is used to suppress nonpublic PI from the projects.
Suppressed information, including nonpublic PI, remains visible to functionaries with access to the oversight feature. Functionaries subject to the oversight policy may also encounter nonpublic PI via requests for suppression, which may be made via IRC or email.
Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI that has been obtained by a user with access to the oversight feature should not be shared with anybody unless a valid exception applies.
OTRS policies apply to certain volunteers who receive OTRS access to community, chapter, user group, staff, role, and/or temporary queues. Community queues are limited to users who have applied and been accepted as OTRS volunteers.
Access to community queues is for responding to emails and inquiries sent to the general information addresses of the Wikimedia projects. Under the OTRS Activity policy, access to the community queues solely for viewing inquiries or verifying existing permissions is not an acceptable reason to hold an account. As a result, inactive accounts may be disabled after six months of inactivity.
OTRS volunteers encounter nonpublic PI—names and email addresses—in the “from” line of emails they receive. The content of emails they receive may also contain additional PI.
Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI that has been obtained by an OTRS volunteer should not be shared with anybody unless a valid exception applies.
We hope this guide was helpful in summarizing and cross-linking the various privacy, confidentiality, and data access policies applicable to functionaries. Please feel free to refer back to it as a reference. Thanks so much for all you do to support the Wikimedia movement. If you have any questions, please don’t hesitate to contact firstname.lastname@example.org or email@example.com.
- Open Ticket Response System (OTRS) volunteers sign a separate, but similar confidentiality agreement available here.
- Depending on the circumstances, in the event of a violation of the access to nonpublic information policy and agreement, your access may be revoked. Additionally, in exceptional cases, WMF may potentially pursue available legal remedies such as injunctive relief or even damages.