[openstreetmap/openstreetmap-website] Show a list of previous usernames of a user (Issue #3559)
SomeoneElseOSM
notifications at github.com
Sun Aug 7 08:53:58 UTC 2022
> Definitely tracking previous names is a violation of both the GDPR and the OSMF ToSs outside of internal use by the DWG.
(the usual caveat - I am not a lawyer; this is just my interpretation of the [ICO](https://ico.org.uk/)'s** advice here)
I suspect you'd need to make a specific case for both of those. For the avoidance of doubt [the OSMF policy](https://wiki.osmfoundation.org/wiki/Privacy_Policy#How_can_you_control_the_processing_of_your_data_and_reduce_privacy_related_issues) says, in a subsection entitled "How can you control the processing of your data and reduce privacy related issues", "you can select a non identifying login name and change it at any time you want".
Do the OSMF ToSs even link to that policy at user signup? I certainly don't remember seeing it the last time I created a test user, and I do look out for this stuff.
With regard to the GDPR, I'm sure a case for "making more use of userids across the site" could be made under several of the 6 [lawful bases for processing](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/#what). Obviously the GDPR has no concept of what the DWG is, and I suspect that the OSMF could argue that other logged in OSM users form part of the "you" used in the GDPR "lawful bases for processing" wording, and that they are a vital part of some of the functions mentioned (for example, by noticing data copied from third-party sources with incompatible licences and reporting it). At a stretch you could also make a case that "showing a list of previous usernames of a user" to logged-in OSM users is supported by the GDPR because they're part of the "you" mentioned there.
I don't think that you could make a case that "showing a list of previous usernames of a user to non-logged in users" was covered by one of the 6 legal bases for processing.
For the avoidance of doubt "could make a case for" does not mean "must do immediately" - it just means that it might not be a violation of the GDPR (subject to interpretation - see above) and discussion of whether it's actually a good idea or not should continue.
** the data authority in the jurisdiction in which the OSMF currently resides.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3559#issuecomment-1207361148