Update Language on 7 #2

Merged (3 commits, Oct 20, 2020)
2 changes: 1 addition & 1 deletion standard.md
@@ -12,7 +12,7 @@ Indicator | Requirement
**4. Mandatory dependencies** | If the open source project has mandatory dependencies that create more restrictions than the original license the projects must be able to demonstrate independence from the closed component and/or indicate the existence of functional, open alternatives.
**5. Documentation** | The project must have some documentation of the source code, use cases, and/or functional requirements. For content, this should indicate any relevant compatible apps, software, hardware required to access the content and instructions about how to use it. For software projects, this should be present as technical documentation that would allow a technical person unfamiliar with the project to launch and run the software. For data projects, this should be present as documentation that describes all the fields in the set, and provides context on how the data was collected and how it should be interpreted.
**6. Mechanism for Extracting Data** | If this project has non personally identifiable information there must be a mechanism for extracting or importing non personally identifiable information (PII) data from the system in a non-proprietary format.
**7. Adherence to privacy and applicable laws** | The project must state that it complies with relevant privacy laws, and all applicable international and domestic laws.
**7. Adherence to privacy and applicable laws** | The project must state that to the best of its knowledge it complies with relevant privacy laws, and all applicable international and domestic laws.

I agree that, in a globalized world, it's true that few organizations have the resources to even know if they are complying with the full scope of laws where the digital public good is used.

Perhaps the GDPR could be adopted as an exemplar to follow for the time being?

Contributor

@sgoggins: I like your suggestion about GDPR given that GDPR is a regulation in the European Union (EU) and the European Economic Area (EEA) and GDPR became a model for many national laws outside EU, including Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR (ref).

In terms of the actual language of the standard, would something like this work?

**7. Adherence to privacy and applicable laws** | The project must state that
to the best of its knowledge it complies with relevant privacy laws (including 
the General Data Protection Regulation (GDPR)), and all applicable international 
and domestic laws.

Collaborator

Yes, we have defined GDPR as the standard in Europe. GDPR actually sets "the bar" fairly high in some areas, so we might want to take a bit more time to consider the language around this, as this could exclude some very interesting startup projects.

Contributor (nathanbaleeta, Oct 9, 2020)

The GDPR is likely to force African countries, especially those with strong trade ties to the EU, to prioritise data privacy and to more decisively meet their duties and obligations to ensure compliance. But what of those countries without strong ties to the EU from which prospective DPGs could arise, what regulations would apply there?

Maybe consider expanding the list of other policies in addition to GDPR, such as the Framework for Cyber Laws for the East African Community and the Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS for the Economic Community of West African States (ECOWAS), et al.

Reference:
https://cipesa.org/2018/08/challenges-and-prospects-of-the-general-data-protection-regulation-gdpr-in-africa/

Contributor

The notion of adding a mention/requirement around GDPR is out of the scope of the proposed change, which is the small addition of "to the best of its knowledge" here. As a result, I have created a new PR to continue the conversation around GDPR and other privacy laws in #20, unblocking this PR for merging and closing.

**8. Adherence to standards & best practices** | Projects must demonstrate some adherence to standards, best practices and/or principles. i.e. the principles for digital development
**9. Do No Harm** | All projects must demonstrate that they have taken steps to ensure that the project anticipates, prevents and does no harm.
**9a) Privacy & Freedom of Expression** | All projects must have strategies in place to anticipate, respond to and minimize adverse impacts on privacy and freedom of expression where governments are believed to be using the project’s product or services for illegitimate or political purposes.
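Review bot: the qualifier added to indicator 7 ("to the best of its knowledge") turns a compliance statement into a good-faith assertion, but the new line does not say what the project is expected to have done to form that belief, so the indicator is no longer checkable against anything concrete. Consider having the row also ask the project to name the privacy laws it assessed itself against, or to keep a short record of that assessment; that would give reviewers something to verify without deciding the GDPR question, which the thread has deferred to #20. Compare the unchanged indicator 9a, which asks for "strategies in place" rather than a bare statement.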