
GDPR Discussion #14

Open
georgestephanis opened this issue Mar 26, 2020 · 1 comment

Comments

@georgestephanis

As a follow-up to

https://wordpress.slack.com/archives/C02RQC26G/p1585246415044800

@garretthyder

I'll drop this into #core-privacy next week for discussion.

My inclination here is passwords themselves aren't PII (Personally Identifiable Information), but in combination with a username or email they can be used to access personal data either on the site or across other networks users have re-used their credentials for. If a token can be stored instead of a password, then this mitigates a hack/leak from then re-using credentials to test other external services to gain further access to their personal data.
*I know several people who use the same email/user/pass combo for every site they sign up for.

Specific to GDPR & passwords, the ICO website has a great guide/overview:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/

For further reference, here's what GDPR specifically includes in online identifiers, which passwords aren't part of:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors/

If passwords or other data are stored and 'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.' (Article 5(1)(f) of the GDPR), then as long as it's being disclosed (maybe through the Privacy Policy Guide) that should comply with the legislation.

*If any discussion ensues in a future privacy team meeting I'll post the archive link here.
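The comment above argues that storing a site-issued token instead of a user-chosen password limits the blast radius of a leak, because the leaked secret is not something the user reuses elsewhere. The following is an added illustration of that design, not code from this project or from WordPress: a generic Python sketch in which the site generates each token, persists only a hash of it, and keeps a separately, slowly hashed user password for contrast. The in-memory `TOKEN_STORE`, the user ids and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed in-memory stand-in for a credential table: user id -> list of token hashes.
# Hypothetical; a real site would keep this in its database.
TOKEN_STORE: Dict[str, List[str]] = {}


def _token_digest(token: str) -> str:
    # A fast hash is adequate for a site-generated 192-bit random token: it cannot
    # be guessed offline, unlike a user-chosen password (see hash_user_password).
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str, nbytes: int = 24) -> str:
    """Create a random, site-specific token for user_id and persist only its hash.

    The site picks the secret, so it cannot be a password the user also uses on
    other services. The plaintext is returned exactly once, to show to the user.
    """
    token = secrets.token_urlsafe(nbytes)  # 24 bytes -> ~192 bits of entropy
    TOKEN_STORE.setdefault(user_id, []).append(_token_digest(token))
    return token


def verify_token(user_id: str, presented: str) -> bool:
    """Check a presented token against the stored hashes with a constant-time compare."""
    digest = _token_digest(presented)
    return any(hmac.compare_digest(digest, stored)
               for stored in TOKEN_STORE.get(user_id, []))


def revoke_tokens(user_id: str) -> int:
    """Drop every token for the user (for example after a suspected leak); returns the count."""
    return len(TOKEN_STORE.pop(user_id, []))


def hash_user_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Contrast case: a user-chosen password is low entropy and may be reused across
    sites, so it needs a per-user salt and a deliberately slow KDF. Returns (salt, key)."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, key


def verify_user_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, key = hash_user_password(password, salt)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    shown_once = issue_token("alice")
    print("token shown to the user once:", shown_once)
    print("what a database leak would expose:", TOKEN_STORE["alice"])
    print("verification succeeds:", verify_token("alice", shown_once))
```

The two storage paths differ on purpose: a leaked token hash reveals neither the token nor anything reusable on another site, while a user-chosen password still has to be protected against offline guessing with a salted, slow hash such as scrypt, because the same string may unlock the user's accounts elsewhere.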
