OASIS Statement of Privacy Practices
May 25, 2018
Table of Contents:
1. GENERAL STATEMENT AND OVERVIEW
2. USES OF YOUR PERSONAL DATA
Summary of the personal data we collect, and our purposes for doing so
Webcookies, similar technologies and DNT
E-mail lists and archives
Archival web content
3. RETENTION OF YOUR PERSONAL DATA
Summary of our reasons and practices for retaining personal data
4. YOUR ACCESS TO AND THE ACCURACY OF YOUR PERSONAL DATA
Log-in and self-help controls
Additional legal rights of European citizens and others
Help with accessing, correcting, updating, deleting, or suppressing your personal data
5. THE SECURITY OF YOUR PERSONAL DATA
Our security practices
6. SHARING YOUR PERSONAL DATA, AND LINKS TO THIRD PARTY RESOURCES
Who we share with
Third party links and resources
7. HOW TO CONTACT US
E-mail and postal addresses
OASIS is a nonprofit corporation whose mission is to drive the development, convergence and adoption of open standards and open source projects for the global information society. We host collaborative, open development projects run by our members and participants, including (we are proud to say) a number of privacy and data protection projects. We are committed to protecting your privacy and personal data; building and maintaining trust; sharing our examples and tools to help other organizations and communities do the same; and serving as a demonstration and testing ground for data protection open standards, particularly those developed by our members.
We’re doing this in a rapidly changing technical and policy environment for data protection. This is a good thing. Our communities, participants and peers are learning as everyone gains experience, and new tools emerge in response. This statement is effective as of May 25, 2018. OASIS will continue to update this statement, and our practices, as additional requirements, issues and opportunities arise.
We collect, retain, and use information about you only for specific business purposes, and when we reasonably believe that it will help administer our business, communicate with you or provide products, services, and other information of value to you. This is explained in more detail below.
We may collect data, including personal data, about you as you use our websites and tools, interact with us and participate in our programs. “Personal data” is any information that can be used to identify an individual, and may include name, postal address, e-mail address, phone number, log-in data (account name or number, password), location and IP address data, marketing preferences, social media account data, or payment data (including card numbers). We also collect personal data from trusted third-party sources and may engage third parties to collect personal data to assist us.
We collect personal data for a variety of reasons, such as:
- Hosting collaborative projects, and providing access to materials and group communications for those projects.
- Providing standards- and code-related services such as interoperability tests and registries.
- Creating and maintaining an account with us.
- Documenting any license commitments you make to benefit our projects.
- Hosting technical events, registering and scheduling participants and speakers, and collecting requests for more information from visitors.
- Processing your order for participation, sponsorship or conference attendance, including payment transactions.
- Enabling the use of certain features of our services delivered over the Internet.
- Providing you with newsletter subscriptions.
- Sending marketing communications.
- Personalizing your experience.
- Providing customer service and responding to your inquiries.
- Managing a job application.
- Webcookie uses, as described below.
- Other legitimate purposes permitted or required by applicable law.
WEBCOOKIES, SIMILAR TECHNOLOGIES AND DNT. In some cases, OASIS and the third parties we engage may collect data by webcookies, web logs, web beacons, and other similar applications, for several purposes. First, we use traffic log webcookies to identify which pages are being used. This helps us analyze data about web page traffic, and improve our website in order to tailor it to customer needs. Our servers may log HTTP requests to our site, including IP, Referrer and User-Agent for traffic analysis, and we use webcookies on some pages to maintain the state of sessions and understand usage patterns.
On our public web pages (those where no log-in is required), we make no effort to identify the readers or uses of those pages. Data that we collect is used only for site improvement, server administration and usage statistics. Our web pages may link to or embed content from other sources (like videos) which are governed by the privacy policies of their originating sources.
We also maintain some website pages that only are accessible via a log-in. Those pages use webcookies that allow the creation of an account or recognize you as a logged-in account. Logged-in accounts result in the creation of a user name, e-mail address, real name and affiliation, and may include other information that you choose to give us. This information is stored in our database, and is retained so long as it’s relevant or required, consistent with law.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you usually can modify your browser setting to decline cookies if you prefer. That may prevent you from taking full advantage of the website’s functions.
Some web browsers may give you the ability to enable a “do not track” (DNT) feature that sends signals to the websites you visit, indicating that you do not want your online activities tracked. This is different from blocking or deleting cookies, as browsers with a “do not track” feature enabled may still accept cookies. No consistently-implemented industry open standard currently exists on how companies should respond to “do not track” signals, although one may develop. OASIS websites do not currently recognize and respond to “do not track” signals. If we do so, we will describe what we do here.
E-MAIL LISTS AND ARCHIVES. Any OASIS e-mail lists to which you post also will retain an archived record of your e-mail address, and such other information as you choose to provide. That data also will be retained so long as it’s relevant or required, consistent with law. Please think about what information you want to include in these permanent e-mail records. Generally it is our policy not to delete any information from archived messages, especially where that message may form a technical contribution or a legal or licensing commitment. For more on our handling of e-mail list archives, and how to make any requests for removal, please see our mailing list policy at: https://www.oasis-open.org/policies-guidelines/mailing-lists
ARCHIVAL WEB CONTENT. We also collect, maintain and display official and publicly-transparent records of your technical contributions, such as group membership, group leadership, and contributions by mail list, document repository, collaboration platform or teleconference. Those practices are necessary to create the legal licensure and public policy obligations, and provenance records, that apply to OASIS technical work to which you contribute. Those records usually are retained perpetually.
As described above, we collect personal data for a variety of reasons, and retain it when necessary to lawfully perform those functions, most often to identify your contributions, to provide a legal record of your contributions and licensing obligations, and to maintain transparent provenance data regarding your inputs and contributing role. Usually technical contribution data will be retained so long as the technical work is available, and the identity of contributors will be publicly displayed with the work. This generally applies to our technical committees, open projects, and technical demonstration events, most of which we may retain perpetually.
We also retain the personal data necessary to administrate and enforce our contracts and mutual obligations with you (like an OASIS membership, conference registration or personal services contract). We will retain your identifying data so long as reasonably needed for our contract administration, subject to applicable laws and your rights described in this statement.
We also retain the personal data necessary to perform other services and fulfill the other roles described here, including in “Use of Your Personal Data” above. We will retain your identifying data so long as reasonably needed to perform the service or role, subject to applicable laws and your rights described here.
We need your help in keeping your personal data accurate and up to date. OASIS provides a number of options to access, correct, suppress, or delete your personal data.
LOG-IN FEATURES AND SELF-HELP. If you have a log-in account with us, for access to nonpublic web pages or collaborative tools, that account management system will have a “my account” or similar feature for collecting and updating the personal data that is used by that function, and any other personal data you choose to provide to it. The most important controls for most parties working with OASIS usually will be:
- Our member account management page at https://www.oasis-open.org/kws/my_account, which also controls your subscription to the OASIS general membership information e-mail list (firstname.lastname@example.org), and whether certain of the personal data for the account is displayed publicly; and
- Your election, within our members-only webpages, to join or leave specific OASIS committees or activities will control your subscriptions to those members-only e-mail lists; and
- Our e-mail list subscription manager for publicly-available lists at https://www.oasis-open.org/mlmanage/ Our contacts with you via e-mail or similar direct communications that use personal data (like addresses), will include “unsubscribe” links if they are not managed by the subscription manager or other members’ activity controls described above.
- Management of passwords is available either at this page when logged-in: https://www.oasis-open.org/kws/my_account, or by a password recovery feature accessible from our log-in page, or if help is needed, by contacting email@example.com.
You are encouraged to use these self-help controls, which are likely to satisfy most needs for personal data review, correction or maintenance. Additionally, the majority of the records of our technical and policy operations are posted to openly accessible public web pages, so a large part of our data about you also is readily available by using web search engines.
ADDITIONAL RIGHTS. Citizens of member states of the European Union and some other jurisdictions may have additional rights to copies of their personal data and to give us instructions to correct or delete that personal data. “Personal data” as used in this statement includes all personal information as defined by those legal rights. We will comply with those legal rights, and we will make good faith efforts to honor reasonable requests to access, correct, update, delete, or suppress that data, subject to any lawful basis for retention or other use as noted above.
GETTING HELP. If you need additional assistance, or help with accessing, correcting, updating, deleting, or suppressing your personal data, please feel free to contact us directly at firstname.lastname@example.org, or by postal mail to our contact address below. Please be sure to include your name, e-mail address, and specific, relevant information about the material you no longer wish to receive. We will respond to your requests within 30 days of receiving them. If we are unable to honor your request, we will give you an explanation.
We intend to protect the personal data entrusted to us and treat it securely in accordance with this statement. OASIS implements physical, administrative, and technical safeguards designed to protect your personal data from unauthorized access, use, or disclosure. OASIS also complies with its Information Security Policy regarding the classes of data defined in that document: https://www.oasis-open.org/policies-guidelines/information-security The Internet, however, cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any personal data you provide to us.
We may share your personal data with third parties for the purposes of operating our business, delivering, improving, and customizing our services, sending marketing and other communications related to our business, and for other legitimate purposes, but in each case only as permitted by applicable law or otherwise with your consent.
We may share personal data in the following ways:
- With service vendors or agents, business partners or contractors to provide a requested program, service or transaction. Examples include, but are not limited to: hosting websites, hosting Internet-based collaboration tools, meeting registration and management, processing of orders and credit card transactions, assisting with membership- and sales-related efforts or post-sales support, and providing customer support.
- With co-sponsors in cases where OASIS jointly administers a program or service with a disclosed co-sponsor. We do not otherwise provide our contact data or other personal data for you to anyone for their marketing purposes.
- In response to a request for information by law enforcement officials or other competent authorities, if we believe disclosure is required or otherwise is in accordance with applicable law and legal process; or when necessary to protect the rights, property, or safety of OASIS, you, or others; or as otherwise required by applicable law.
- In aggregated, anonymized, and/or de-identified form which cannot reasonably be used to identify you.
- If we otherwise notify you and you consent to the sharing.
We review our service vendors, agents, business partners, contractors and co-sponsors who receive personal data from OASIS to confirm their compliance with applicable laws.
THIRD PARTY LINKS AND RESOURCES. Our website and Internet tools may contain links to other websites or information resources. However, once you have used these links to leave our site, please note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide while visiting those sites, and they are not governed by this statement. You should exercise caution and look at the privacy statement or policy applicable to each website and tool you visit.
In addition to the specific self-help tools and contact addresses listed above, please contact us with your questions or comments about this statement at email@example.com, or by postal mail to:
Data Privacy Team
35 Corporate Drive Suite 150
Burlington, MA 01803-4238
Scott McGrath is our Information Security Officer, and Jamie Clark is our Data Protection Officer.