Legal:Data retention guidelines: Difference between revisions

From Wikimedia Foundation Governance Wiki
1997kB (talk | contribs)
Undo revision 18353263 by 82.114.168.158 (talk)
update per Legal department request
Line 1: Line 1:
<languages />
<languages />
{{info|The community consultation for the Data Retention Guidelines has closed as of 14 February 2014. We thank the community members who have participated in this discussion since the opening of the consultation on 09 January 2014 and have helped make the Guidelines better as a result. Although we are closing the community consultation, we welcome community members to continue the discussion. The Guidelines are intended to evolve and expand over time. You can read more about the consultation on the [//blog.wikimedia.org/2014/02/14/a-proposal-for-wikimedias-new-privacy-policy/ Wikimedia blog]. [[User:Mpaulson (WMF)|Mpaulson (WMF)]] ([[User talk:Mpaulson (WMF)|talk]]) 23:57, 14 February 2014 (UTC)}}

<translate>== Introduction == <!--T:1-->
<translate>== Introduction == <!--T:1-->


<!--T:2-->
<!--T:2-->
Data is important. It is one of the ways we can learn and grow as an organization and a movement, and how we can help make the projects better for those who use them to create, learn, and share. At the same time, we are committed to keeping your private data "for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the Wikimedia Sites, and our obligations under applicable U.S. law" (quote from the Wikimedia Foundation [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy</>|Privacy Policy]]).
Data is important. It is one of the ways we can learn and grow as an organization and a movement, and how we can help make the projects better for those who use them to create, learn, and share. At the same time, we are committed to keeping your personal data "for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the Wikimedia Sites, and our obligations under applicable U.S. law" (quote from the Wikimedia Foundation [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy</>|Privacy Policy]]).


<!--T:3-->
<!--T:3-->
This document helps explain how we fulfill this commitment, by describing our guidelines for data retention, system design, and ongoing auditing and maintenance. These guidelines are meant to be a living document — they will be updated over time to reflect current retention practices.
This document helps explain how we fulfill this commitment, by describing our guidelines for data retention, system design, and ongoing auditing and maintenance. These guidelines are meant to be a living document — they will be updated over time to reflect current retention practices.


== To what data do these guidelines apply? == <!--T:4-->
== To what data do these guidelines apply? == <!--T:4-->


<!--T:5-->
<!--T:5-->
These guidelines apply to all non-public data we collect from Wikimedia Sites covered by the [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy</>|Privacy Policy]].
These guidelines apply to all non-public data we collect from Wikimedia Sites covered by the [[<tvar|wmprivacypolicy>Special:MyLanguage/Privacy policy</>|Privacy Policy]] and [[<tvar|wmnonprivacy>wmf:Non-wiki privacy policy</>|Non-Wiki Privacy Policy]].
</translate>
</translate>
{{anchor|How long do we retain non-public data?}}{{anchor|retention periods}}
{{anchor|How long do we retain non-public data?}}{{anchor|retention periods}}
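Review bot: The scope sentence now links the Privacy Policy as "Special:MyLanguage/Privacy policy" with the "m:" interwiki prefix dropped, while the introduction paragraph in this same hunk still links "m:Special:MyLanguage/Privacy policy". An unprefixed title resolves on the local wiki and the prefixed one on Meta, so two links labelled "Privacy Policy" can land on different pages. Pick one target and use it in both places; the Definitions changes further down use a third form, "m:Privacy_policy".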
Line 22: Line 20:
Unless otherwise indicated, we retain the following types of data for no more than the following periods of time:</translate>
Unless otherwise indicated, we retain the following types of data for no more than the following periods of time:</translate>


{| class="wikitable sortable"
{| class="wikitable"
|+
|+
!<translate><!--T:8-->
!<translate><!--T:8-->
Line 34: Line 32:
|-
|-
| rowspan="2" |<translate><!--T:11-->
| rowspan="2" |<translate><!--T:11-->
Personal information</translate>
Non Public Personal information</translate>
|<translate><!--T:12-->
|<translate><!--T:12-->
Collected automatically from a user</translate>
Collected automatically from a user</translate>
|
| style="font-size:85%;" |
*<translate><!--T:13-->
*<translate><!--T:13-->
IP addresses of site visitors (operational data)</translate><br />
IP addresses of site visitors (operational data)</translate>
*<translate><!--T:14-->
*<translate><!--T:14-->
IP addresses of A/B test subjects (analytical data)</translate>
IP addresses of A/B test subjects (analytical data)</translate>
Line 46: Line 44:
Identifying user-agent information of site visitors</translate>
Identifying user-agent information of site visitors</translate>
|<translate><!--T:15-->
|<translate><!--T:15-->
After at most 90 days, it will be deleted, aggregated, or anonymized</translate>
After at most 90 days, it will be deleted, aggregated, or deidentified</translate>
|-
|-
|'''<translate><!--T:16-->
|<translate><!--T:16-->
Account settings</translate>'''
Account settings</translate>
|
| style="font-size:85%;" |
*<translate><!--T:17-->
*<translate><!--T:17-->
Email address</translate>
Email address</translate>
Line 56: Line 54:
Until user deletes/changes the account setting.</translate>
Until user deletes/changes the account setting.</translate>
|-
|-
| rowspan="3" |<translate><!--T:19-->
| rowspan="4" |<translate><!--T:19-->
Non-personal information associated with a user account*</translate>
Non-personal information</translate>
|<translate><!--T:20-->
| rowspan="2" |<translate><!--T:20-->
Collected automatically from a user</translate>
Collected automatically from a user</translate>
|
| style="font-size:85%;" |
*<translate><!--T:21-->
* <translate><!--T:21-->
Data collected by MediaWiki about a user account's activity (e.g., [[<tvar|emailauth>mw:Manual:User_table#user_email_authenticated</>|date and time that a user verifies their email address]])</translate>
Data collected by MediaWiki about a user account's activity (e.g., first time a user goes to an edit page, [[<tvar|emailauth>mw:Manual:User_table#user_email_authenticated</>|date and time that a user verifies their email address]])</translate>
*<translate><!--T:22-->
Data collected by EventLogging and associated with their user ID (e.g., [[<tvar|mobilereg>m:Schema:ServerSideAccountCreation</>|whether an account was created on mobile]], [[<tvar|abdata>m:Schema:GettingStarted</>|A/B test data for Getting Started]])</translate>
|<translate><!--T:24-->
|<translate><!--T:24-->
Indefinitely</translate>
Indefinitely</translate>
|-
|
* <translate><!--T:22-->
Data collected by EventLogging and associated with their user ID (e.g., [[<tvar|mobilereg>m:Schema:ServerSideAccountCreation</>|whether an account was created on mobile]], [[<tvar|abdata>m:Schema:GettingStarted</>|A/B test data for Getting Started]])</translate>
|<translate>After at most 90 days, it will be deleted, aggregated, or deidentified</translate>
|-
|-
|<translate><!--T:25-->
|<translate><!--T:25-->
Provided by a user</translate>
Provided by a user</translate>
|
| style="font-size:85%;" |
*<translate><!--T:26-->
* <translate><!--T:26-->
Logs of terms entered into the site's search box, or terms within prefilled links to the search engine that have been followed by user navigation</translate>
Logs of terms entered into the site's search box, or terms within prefilled links to the search engine that have been followed by user navigation</translate>
|<translate><!--T:27-->
| <translate><!--T:27-->
After at most 90 days, it will be deleted, aggregated, or anonymized</translate>
After at most 90 days, it will be deleted, aggregated, or deidentified</translate>
|-
|-
|<translate><!--T:70--> Provided by a user</translate>
|<translate><!--T:70--> Provided by a user</translate>
|
|
*<translate><!--T:71--> Language</translate>
* <translate><!--T:71--> Language</translate>
|<translate><!--T:72--> Until user deletes/changes the account setting.</translate>
|<translate><!--T:72--> Until user deletes/changes the account setting.</translate>
|-
|-
|<translate><!--T:28-->
|<translate><!--T:28-->
Non-personal information not associated with a user account*</translate>
Non-personal information not associated with a user account</translate><ref group="T"><translate><!--T:32--> For the purposes of this table, "user account" means username, user ID, or IP address; "reader" means visitor to a Wikimedia project.</translate></ref>
|<translate><!--T:29-->
|<translate><!--T:29-->
Collected automatically from various users</translate>
Collected automatically from various users</translate>
|
| style="font-size:85%;" |
*<translate><!--T:30-->
* <translate><!--T:30-->
Counts of how many times certain events have occurred (e.g. [[<tvar|httpsrequests>m:Schema:HttpsSupport</>|successful HTTPS requests]])</translate>
Counts of how many times certain events have occurred (e.g. [[<tvar|httpsrequests>m:Schema:HttpsSupport</>|successful HTTPS requests]])</translate>
|<translate><!--T:31-->
|<translate><!--T:31-->
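Review bot: The examples cells are styled inconsistently after this change: the EventLogging cell that was split into its own row and the "Language" cell are still opened with a bare "|", while every other examples cell in the hunk gains style="font-size:85%;". Add the same attribute to both, or drop it everywhere. The row header is also shortened to "Non-personal information" although the EventLogging example still describes data "associated with their user ID", and the footnote defining "user account" is now attached only to the "not associated with a user account" row; confirm the definition is still reachable from the rows that rely on it.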
Line 97: Line 98:
<!--T:66-->
<!--T:66-->
Collected automatically from a reader</translate>
Collected automatically from a reader</translate>
|
| style="font-size:85%;" |
*<translate>
* <translate>
<!--T:67-->
<!--T:67-->
A list of articles visited by readers</translate>
A list of articles visited by readers</translate>
Line 105: Line 106:
After at most 90 days, if retained at all, then only in aggregate form</translate>
After at most 90 days, if retained at all, then only in aggregate form</translate>
|}
|}
{{Reflist|group=T}}
: (*) <translate><!--T:32-->
<translate>
For the purposes of this table, "user account" means username, user ID, or IP address; "reader" means visitor to a Wikimedia project.
=== How long do we retain public data? ===

Wikimedia hosts Wikipedia and the associated projects as part of our mission to collect, document, and freely distribute the sum of human knowledge to the world. Accordingly, when you make a contribution to any Wikimedia Site, including on user or discussion pages, you are creating a permanent, public record of every piece of content added, removed, or altered by you.</translate> <translate>The page history will show when your contribution or deletion was made, as well as your username (if you are signed in) or your IP address (if you are not signed in). We may use your public contributions, either aggregated with the public contributions of others or individually, to create new features or data-related products for you, or to learn more about how the Wikimedia Sites are used.</translate> <translate>If you mistakenly included your personal information in a contribution to a Wikimedia Site and you would like to have it removed, please consult the community’s [[<tvar|oversight>Special:MyLanguage/Oversight_policy</>|oversight policy]].</translate> <translate>Keep in mind that the transparency and integrity of our sites’ revision histories is essential to our mission, and the Foundation supports our community’s right to reject oversight requests in order to protect the projects.

If you choose to register for an account with the Wikimedia projects, you will be asked to select a username. Usernames are retained until the user requests that the account be [[<tvar|renaming>Special:MyLanguage/Changing_username</>|renamed]], or goes through the community [[<tvar|vanishing>Special:MyLanguage/Courtesy_vanishing</>|courtesy vanishing]] process.

For more information, see our [[<tvar|PrivacyPolicy>wmf:Privacy_policy#use</>|Privacy Policy]].


== Definitions == <!--T:33-->
== Definitions == <!--T:33-->
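Review bot: The new "How long do we retain public data?" section is added to a document whose scope sentence says the guidelines "apply to all non-public data", so the page now covers data that its own scope statement excludes. Either widen the scope sentence to mention public contributions, or state in the new section that public data falls outside the retention table and is covered here for information only.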
Line 112: Line 120:
<!--T:34-->
<!--T:34-->
For the purposes of these guidelines:
For the purposes of these guidelines:
*<b> "Personal information" </b> means information you provide us or information we collect from you that could be used to personally identify you. To be clear, while we do not necessarily collect all of the following types of information, we consider at least the following to be "personal information" if it is otherwise nonpublic and can be used to identify you:</translate>
*'''"Personal information"''' means information you provide us or information we collect from you that identifies or could be used to personally identify you. For details, please see the Wikimedia Foundation [[<tvar|PrivacyPolicy>m:Privacy_policy</>|Privacy Policy]] and [[<tvar|PrivacyPolicy>wmf:Non-wiki_privacy_policy</>|Non-Wiki Privacy Policy]].
::<translate><!--T:35-->
(a) your real name, address, phone number, email address, password, identification number on your government-issued identification, IP address, user-agent information, and your credit card number;</translate>
::<translate><!--T:36-->
(b) when associated with one of the items in subsection (a), any sensitive data such as date of birth, gender, sexual orientation, racial or ethnic origins, marital or familial status, medical conditions or disabilities, political affiliation, and religion; or</translate>
::<translate><!--T:37-->
(c) any of the items in subsections (a) or (b) when associated with your user account.

<!--T:50-->
*Some examples of <b> "public information" </b> would include: (a) your IP address, if you edit without logging in; (b) your gender, if it is disclosed under your user profile; (c) any personal information you disclose publicly on the Wikimedia Sites, such as your real name or age. Some examples of types of information that are considered to be <b>"nonpublic information"</b> include: (a) your IP address, if you edit while logged in; (b) your email address, if you provided one to us during a registration (but didn’t post it publicly); and (c) your location information, if you have not posted it publicly. The types of information that are considered "nonpublic" as opposed to "public" are more fully explained in our [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy</>|Privacy Policy]].


*Some examples of "public information" would include:
<!--T:55-->
**(a) your IP address, if you edit without logging in;
*Data is <b> "anonymized" </b> when (1) information that can be used to identify a specific user has been removed or otherwise been changed so that it can no longer be used to identify the user directly, and (2) best efforts have been made to remove, or otherwise make non-re-identifying, information that could be used to re-identify the user.</translate>
**(b) your gender, if it is disclosed under your user profile;
**(c) any personal information you disclose publicly on the Wikimedia Sites, such as your real name or age.


*Some examples of types of information that are considered to be "nonpublic information" include:
:<translate><!--T:56-->
** (a) your IP address, if you edit while logged in;
Examples of identifying information that could be removed in order to anonymize data would include:</translate>
** (b) your email address, if you provided one to us during account registration (but didn’t post it publicly); and
::*<translate><!--T:57-->
** (c) your general location information as might be derived from your IP address, if you have not posted it publicly. The types of information that are considered "nonpublic" as opposed to "public" are more fully explained in our [[<tvar|PrivacyPolicy>m:Privacy_policy</>|Privacy Policy]].
Real names, addresses, phone numbers, email addresses, password, identification number on government-issued ID, IP address, user-agent string, credit card number, unique device identifiers</translate>


* Data is '''"de-identified"''' when when it has been aggregated or otherwise retained in a manner such that it can no longer be used to identify the user.
:<translate><!--T:58-->
Examples of changes that could be made to data so that it no longer directly identifies the user:</translate>
::*<translate><!--T:59-->
Encrypting or removing/masking the most specific portion of IP addresses</translate>
::*<translate><!--T:60-->
Sanitizing user-agent strings


<!--T:61-->
<!--T:61-->
*Data is <b> "aggregated" </b> when the data associated with a specific user has been combined with data from others to show general trends or values without identifying specific users. </translate>
* Data is <b> "aggregated" </b> when the data associated with a specific user has been combined with data from others to show general trends or values without identifying specific users.


:<translate><!--T:62-->
<!--T:62-->
An example of how data can be aggregated includes:</translate>
An example of how data can be aggregated includes: </translate>
::*<translate><!--T:63-->
:<translate><!--T:63-->
Using ranges rather than specific numbers, such as recording that there are "between 1 and 10 editors in language X in country Y" rather than recording that there are 4 editors.
Using ranges rather than specific numbers, such as recording that there are "between 1 and 10 editors in language X in country Y" rather than recording that there are 4 editors.


Terms that are not defined in this document have the same meaning given to them in the [[<tvar|PrivacyPolicy>m:Privacy_policy</>|Privacy Policy]].
<!--T:64-->
While we make our best effort to anonymize or aggregate information to the point that an individual cannot be identified, we cannot completely eliminate the risk of re-identification. For more info about re-identification, please see the [[<tvar|faq>m:Special:MyLanguage/Privacy policy/FAQ#reidentifiationFAQ</>|FAQ section]] of the Privacy Policy.

<!--T:51-->
Terms that are not defined in this document have the same meaning given to them in the [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy#Definitions</>|Privacy Policy]].


== Exceptions to these guidelines == <!--T:38-->
== Exceptions to these guidelines == <!--T:38-->
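Review bot: The new definition of "de-identified" says the data "can no longer be used to identify the user", and the same hunk deletes the paragraph acknowledging that "we cannot completely eliminate the risk of re-identification" together with the worked examples (masking the most specific portion of IP addresses, sanitizing user-agent strings). That turns a best-efforts definition into an absolute claim with no illustration of how it is met; consider keeping the re-identification caveat or qualifying the definition. Smaller points in the same lines: "when when" is duplicated, the defined term is spelled "de-identified" here but "deidentified" in the retention table, and the "Personal information" bullet reuses the tvar name "PrivacyPolicy" for two different link targets in one sentence, where the scope sentence uses distinct names ("wmprivacypolicy", "wmnonprivacy").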
Line 158: Line 150:


<!--T:40-->
<!--T:40-->
* Data may be retained in system backups for longer periods of time, not to exceed 5 years.
* Data may be retained in system backups for longer periods of time, not to exceed 5 years.</translate>
<translate>
* Information (including personal information) collected through participation in a survey or other research conducted by the Wikimedia Foundation will be retained indefinitely for educational, development, or other related purposes, unless otherwise indicated in the privacy policy or statement of such survey or research. Such information may be retained in raw, aggregated, or anonymized form until we receive a request from the participant to be removed from our research database.
* When we conduct a survey or other research, we will provide you with a privacy statement specifying the term of retention for information (including personal information) collected through your participation in such research. In certain cases, information may be retained indefinitely for educational, development, or other related purposes, unless otherwise indicated in the relevant privacy statement. Such information may be retained in raw, aggregated, or de-identified form until we receive a request from the participant to delete the information.</translate>
* In rare cases, we, or particular users with certain administrative rights as described in our Privacy Policy, may need to retain your personal information, including your IP address and user agent information, for as long as reasonably necessary (which may be longer than the period described in the table above) to:
<translate>
:* enforce or investigate potential violations of our Terms of Use, this [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy#sharing</>|Privacy Policy]], or any Foundation or user community-based policies;
* In rare cases, we, or particular users with certain administrative rights as described in our Privacy Policy, may need to retain your personal information, including your IP address and user agent information, for as long as reasonably necessary (which may be longer than the period described in the table above) to:</translate>
:* investigate and defend ourselves against legal threats or actions;
<translate>
:* help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites;
** enforce or investigate potential violations of our Terms of Use, this [[<tvar|wmprivacypolicy>m:Special:MyLanguage/Privacy policy#sharing</>|Privacy Policy]], or any Foundation or user community-based policies;</translate>
:* prevent imminent and serious bodily harm or death to a person, or to protect our organization, employees, contractors, users, or the public; or
<translate>
:* detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.
** investigate and defend ourselves against legal threats or actions;</translate>
<translate>
** help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites;</translate>
<translate>
** prevent imminent and serious bodily harm or death to a person, or to protect our organization, employees, contractors, users, or the public; or</translate>
<translate>
** detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.


== Audits for existing systems== <!--T:41-->
== Audits and improvements ==


The Foundation is committed to continuous evaluation and improvement of these guidelines, and to periodic audits in order to identify such improvements. As we make changes to existing and systems, we will update these guidelines to reflect our changing practices.
<!--T:42-->
These guidelines are based on practices that the Foundation has generally followed for many years, particularly the 90-day rule for IP addresses and similar personal information in our server logs. However, our older systems may not always comply with these new guidelines, particularly for personal information other than IP addresses. As a result, once these guidelines are adopted, WMF’s technology teams plan to audit our existing systems and bring them into compliance. Because of the size and scope of these systems, this audit will necessarily occur in a gradual fashion.


== Design of new systems == <!--T:43-->
== Design of new systems == <!--T:43-->
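Review bot: In the new "Audits and improvements" paragraph, "As we make changes to existing and systems" is missing a word after "and". The replacement text also drops the earlier statements that older systems "may not always comply with these new guidelines" and that technology teams "plan to audit our existing systems and bring them into compliance", leaving only "periodic audits" aimed at improving the guidelines; if the audit of existing systems is finished or still planned, say which.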
Line 186: Line 184:


<!--T:49-->
<!--T:49-->
Despite our best efforts in designing and deploying new systems, we may occasionally record personal information in a way that does not comply with these guidelines. When we discover such an oversight, we will promptly comply with the guidelines by deleting, aggregating, or anonymizing the information as appropriate.
Despite our best efforts in designing and deploying new systems, we may occasionally record personal information in a way that does not comply with these guidelines. When we discover such an oversight, we will promptly comply with the guidelines by deleting, aggregating, or deidentifying the information as appropriate.


== Contact us == <!--T:52-->
== Contact us == <!--T:52-->


<!--T:53-->
<!--T:53-->
If you think that these guidelines have potentially been breached, or if you have questions or comments about compliance with the guidelines, please contact us at privacy{{@}}wikimedia.org.</translate>
If you think that these guidelines have potentially been breached, or if you have questions or comments about compliance with the guidelines, please contact us at privacy{{@}}wikimedia.org.
</translate>


{{TNT|Privacy policy navigation 2|nocat=1}}
{{TNT|Privacy policy navigation 2|nocat=1}}

Revision as of 13:15, 4 September 2018

Introduction

Data is important. It is one of the ways we can learn and grow as an organization and a movement, and how we can help make the projects better for those who use them to create, learn, and share. At the same time, we are committed to keeping your personal data "for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the Wikimedia Sites, and our obligations under applicable U.S. law" (quote from the Wikimedia Foundation Privacy Policy).

This document helps explain how we fulfill this commitment, by describing our guidelines for data retention, system design, and ongoing auditing and maintenance. These guidelines are meant to be a living document — they will be updated over time to reflect current retention practices.

To what data do these guidelines apply?

These guidelines apply to all non-public data we collect from Wikimedia Sites covered by the Privacy Policy and Non-Wiki Privacy Policy.

How long do we retain non-public data?

Unless otherwise indicated, we retain the following types of data for no more than the following periods of time:

Data type | Origin | Examples | Maximum Retention Period
Non Public Personal information | Collected automatically from a user | IP addresses of site visitors (operational data); IP addresses of A/B test subjects (analytical data); Identifying user-agent information of site visitors | After at most 90 days, it will be deleted, aggregated, or deidentified
Non Public Personal information | Account settings | Email address | Until user deletes/changes the account setting.
Non-personal information | Collected automatically from a user | Data collected by MediaWiki about a user account's activity (e.g., first time a user goes to an edit page, date and time that a user verifies their email address) | Indefinitely
Non-personal information | Collected automatically from a user | Data collected by EventLogging and associated with their user ID (e.g., whether an account was created on mobile, A/B test data for Getting Started) | After at most 90 days, it will be deleted, aggregated, or deidentified
Non-personal information | Provided by a user | Logs of terms entered into the site's search box, or terms within prefilled links to the search engine that have been followed by user navigation | After at most 90 days, it will be deleted, aggregated, or deidentified
Non-personal information | Provided by a user | Language | Until user deletes/changes the account setting.
Non-personal information not associated with a user account[T 1] | Collected automatically from various users | Counts of how many times certain events have occurred (e.g. successful HTTPS requests) | Indefinitely
Articles browsed by readers | Collected automatically from a reader | A list of articles visited by readers | After at most 90 days, if retained at all, then only in aggregate form

  1. For the purposes of this table, "user account" means username, user ID, or IP address; "reader" means visitor to a Wikimedia project.

How long do we retain public data?

Wikimedia hosts Wikipedia and the associated projects as part of our mission to collect, document, and freely distribute the sum of human knowledge to the world. Accordingly, when you make a contribution to any Wikimedia Site, including on user or discussion pages, you are creating a permanent, public record of every piece of content added, removed, or altered by you. The page history will show when your contribution or deletion was made, as well as your username (if you are signed in) or your IP address (if you are not signed in). We may use your public contributions, either aggregated with the public contributions of others or individually, to create new features or data-related products for you, or to learn more about how the Wikimedia Sites are used. If you mistakenly included your personal information in a contribution to a Wikimedia Site and you would like to have it removed, please consult the community’s oversight policy. Keep in mind that the transparency and integrity of our sites’ revision histories is essential to our mission, and the Foundation supports our community’s right to reject oversight requests in order to protect the projects.

If you choose to register for an account with the Wikimedia projects, you will be asked to select a username. Usernames are retained until the user requests that the account be renamed, or goes through the community courtesy vanishing process.

For more information, see our Privacy Policy.

Definitions

For the purposes of these guidelines:

  • "Personal information" means information you provide us or information we collect from you that identifies or could be used to personally identify you. For details, please see the Wikimedia Foundation Privacy Policy and Non-Wiki Privacy Policy.
  • Some examples of "public information" would include:
    • (a) your IP address, if you edit without logging in;
    • (b) your gender, if it is disclosed under your user profile;
    • (c) any personal information you disclose publicly on the Wikimedia Sites, such as your real name or age.
  • Some examples of types of information that are considered to be "nonpublic information" include:
    • (a) your IP address, if you edit while logged in;
    • (b) your email address, if you provided one to us during account registration (but didn’t post it publicly); and
    • (c) your general location information as might be derived from your IP address, if you have not posted it publicly. The types of information that are considered "nonpublic" as opposed to "public" are more fully explained in our Privacy Policy.
  • Data is "de-identified" when it has been aggregated or otherwise retained in a manner such that it can no longer be used to identify the user.
  • Data is "aggregated" when the data associated with a specific user has been combined with data from others to show general trends or values without identifying specific users.

An example of how data can be aggregated includes:

Using ranges rather than specific numbers, such as recording that there are "between 1 and 10 editors in language X in country Y" rather than recording that there are 4 editors.

Terms that are not defined in this document have the same meaning given to them in the Privacy Policy.

Exceptions to these guidelines

If we make exceptions to these guidelines, we will notify the community by describing the exception on this page.

  • Data may be retained in system backups for longer periods of time, not to exceed 5 years.
  • When we conduct a survey or other research, we will provide you with a privacy statement specifying the term of retention for information (including personal information) collected through your participation in such research. In certain cases, information may be retained indefinitely for educational, development, or other related purposes, unless otherwise indicated in the relevant privacy statement. Such information may be retained in raw, aggregated, or de-identified form until we receive a request from the participant to delete the information.
  • In rare cases, we, or particular users with certain administrative rights as described in our Privacy Policy, may need to retain your personal information, including your IP address and user agent information, for as long as reasonably necessary (which may be longer than the period described in the table above) to:
    • enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies;
    • investigate and defend ourselves against legal threats or actions;
    • help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites;
    • prevent imminent and serious bodily harm or death to a person, or to protect our organization, employees, contractors, users, or the public; or
    • detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.

Audits and improvements

The Foundation is committed to continuous evaluation and improvement of these guidelines, and to periodic audits in order to identify such improvements. As we make changes to existing and systems, we will update these guidelines to reflect our changing practices.

Design of new systems

In order to support these data retention periods and our overall privacy policy, new tools and systems implemented by the Foundation will be designed with privacy in mind. This will include:

  • inclusion of these data retention guidelines as requirements during the design process;
  • legal consultation during the design and development process; and
  • inclusion of privacy considerations in the code review process.

Ongoing handling of new information

Despite our best efforts in designing and deploying new systems, we may occasionally record personal information in a way that does not comply with these guidelines. When we discover such an oversight, we will promptly comply with the guidelines by deleting, aggregating, or deidentifying the information as appropriate.

Contact us

If you think that these guidelines have potentially been breached, or if you have questions or comments about compliance with the guidelines, please contact us at privacy@wikimedia.org.
