wiki:GdprCompliance

Version 1 (modified by skwang, 6 years ago) (diff)

Add GDPR information, add consent to policy best practices.

GDPR Compliance

This document provides what are considered the best-practices for GDPR compliance. This is not a legal document nor should it be considered legal advice. It is up to each project to individually decide upon how GDPR affects them and what is to be configured for each project.

GDPR Introduction

A Presentation on GDPR and BOINC.

Brief Summary

  1. Projects should have a TermsOfUse.
  2. Users need to consent to a projects terms-of-use. And consent to other policies.
  3. Users have a 'right-of-access' in obtaining their own user's data.
  4. Users have a 'right-of-erasure', being able to delete their own accounts.
  5. Data protection by design and default. The initial settings for user accounts maximize their privacy.

This document discusses

  • Consent to policies,
  • User deletion,
  • Data protection by design and default.

Consent to policies

Usage information

There are two types of consent that come with all BOINC projects: ENROLL and STATSEXPORT: corresponding to a consent to the project's terms-of-use during enrollment and consent to statistics exports. To enable these policies, use the Manage consent types page accessible from the main OPS page.

Account creation

When ENROLL consent type is enabled, users must agree to the project's terms-of-use before creating an account. This must be an 'active' measure: clicking a checkbox. In order to by fully-compliant with GDPR, only allow users to create accounts through the Web site.

How may a user create an account?

  • A BOINC client. The GUI BOINC Manager is a client.
  • The BOINC CLI boinccmd is a client.
  • Project's Web site allows for account creation.
    • The config.xml option disable_web_account_creation must be set to false (0).
  • An account manager (AM) may create an account for a user.

Of these, only the Web site is guaranteed to have the user see and consent to the project's terms-of-use. To configure this:

  1. In config.xml, set disable_account_creation_rpc to true (1): <disable_account_creation_rpc>1</disable_account_creation_rpc>
    • If this is configured, account managers will not be able to create accounts for users. They are able to configure existing users' accounts.

Statistics Exports

STATSEXPORT, if enabled will only export statistics for users who have consented to having their statistics exported. This consent is disabled by default for each user.

  • The user must go to their project preferences page and then enable the corresponding checkbox.