GDPR and OpenMRS - A conversation with Mozilla

Hi All -

Thanks to our BOD member Mitchell, a few of us from the S&O working group (strategy & operations) had a call this morning with the lead compliance officer at Mozilla to discuss GDPR for data privacy in open source communities. @darius and @terry, please add to this or correct anything I’ve overlooked from our call.

Summary of the call:

  • Many rights under GDPR are not absolutes, but are rather proposed as “if, then” scenarios - so the organization must decide what applies to itself. The reasons/purpose for gathering and legal basis for processing will determine what kinds of rights you need to provide to your users.
  • The collecting and use of data needs a legitimate business interest, and the right to delete data is not absolute
  • Any downloaded code becomes the responsibility of the person who takes the code to de-identify any references to identified persons in the codebase. Mozilla has not created any extra disclaimer or guidance around GDPR for the downloading of the codebase
  • Mozilla has created the ability for a user to go into their account and opt to make it “anonymous”. This is an all-or-nothing move, so it’s either all anonymous or no postings anonymous. It was a bit unclear if users could continue to post as this anonymous user, or whether that user became “anonymous-1234” to be able to still be identified throughout the forum (although without personally identifiable information publicly displayed).
  • They have added to their consent the clause about being able to become anonymous, but have stipulated that they will not delete the post by the user since it is important to their business to have discussion threads remain. In addition, they also clearly state that they will not modify the post content itself, even if any posts contain personally identifiable information. So users that choose to include those details in the post content will still see those details, even after they have made their account “anonymous”.

She gave us this link for additional understanding:

Our next steps are to:

  • Create ability to have user be anonymous (all or nothing)
  • Publish guidance- support articles around data protection (they said we could copy theirs)
  • Remodel our privacy based on Mozilla’s:

Notes from the call are here:

1 Like

Thanks @janflowers. If anyone is interested in helping with the steps that are noted above, please let us know. Mozilla was gracious to share their experience and insight with us. Thanks to the open source community!

Given we don’t do much data collection beyond creation of an OpenMRS ID (name, email) and posts (e.g., wiki, Talk, JIRA), I think our options will be driven by what we’re able to do with those tools. I believe GDPR support for Atlassian tools is a work in progress (ref). Our OpenMRS ID is overdue for a rehaul as well, so we could take GDPR into account there as well.

We can certainly change someone’s name (they can probably do that themselves today); however, you can’t have an account without a valid email address. A user could create a free email account and then change their email address to that account. However, I don’t know that we can change usernames across all our products and most usernames are based on the person’s name. While we may be able to eventually get to a place where we can change a username (a feature we’d like to have despite GDPR), it will likely depend on support being added to Atlassian tools, to OpenMRS ID, and having the time & resources to create the SOP & scripts to make it work.

Just want to make sure to link this topic to: