Data Safety/Data Safety Consultation Template

From MozillaWiki

Data Safety Consultation Questionnaire

So as to make the Data Safety Consultation as quick and efficient as possible, we ask that every project fill in a pre-consultation questionnaire.

The goal of this questionnaire is to extract knowledge out of your teams' collective heads specifically around data-related issues such as privacy, security, legal complaints, user control, etc.

You may need to create documentation to answer the questions, but most likely you already have existing documents that can be reused; also, hopefully answering these questions will help you with subsequent steps like writing privacy policies.

Do not edit this page -- instead please email [Alina Hua] and she'll create an etherpad version of the questionnaire for your team to fill in. (We'll create a bugform to initiate this process and handle the first few questions in the future.)

Here are the questions that you'll be asked to answer in the etherpad.

About Your Project

Project Name:

Contact(s) (name(s) / email(s)):

Brief description of your project. (Don't be too brief: We should be able to understand the goals of the project as well as the architecture and the data flows.)

Links to your project documentation (both internal and external).

What is the current state of your project?

What are your key release / launch dates?

What are the core technical components and features?

Who are the stakeholders involved with your project (internal and external)?

Security

Does your project deploy new or modify web application code that runs on Mozilla infrastructure? Does your project deploy or modify client-run software (such as Firefox or Android applications)? If YES to either of the above, please file a security review bug.

Privacy Engineering

Does your project change how we generate, store, share or collect information from users? If YES, please file a Privacy Review bug XXX

Policy and Legal

Do you have a privacy policy for your project / site? If YES, please provide a link to it: ____

Will user data be collected from global locations (outside the U.S.) and stored in those locations? If YES, please provide the names of the countries where data is collected and stored. If you're collecting data only from the US, will all user data be stored in the US?

Data

Does your project collect data from users? If YES, then someone from Data Safety will look at this bug, find out how many users' data will be involved, and determine the priority level (L / M / H).

Please provide a list of data elements (e.g., email, name, location, log data, URLs, browser history, etc.).

Why do you need to collect user data?

How is this data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.) (Consider that you may be collecting data unintentionally, such as through automatic logging by web servers.)

Will your project / team members need to retain user data? If YES, for how long?

Will any user data be shared or accessed by third party partners, customers or providers? If YES, see additional questions below.

  • What is the data being shared or accessed?
  • How would the data be communicated / transferred to the third parties?
  • Who are the third party vendors and in what countries are they based?

User Benefit

In particular, please list the user benefits that result from this data. A possible way of describing the benefits that flow from the data is:

User Benefits: (sample!)

A - users find that applications that have their photos are more friendly/fun
B - users want to be able to access this project from computers where they just have web access
C - users want to be informed of updates from specific other users of the site
D - users want notices when important changes happen

Data collected (sample!)

A - profile picture; user submitted image (doesn't have to be their face); meets benefit A; optional
B - pseudonym: users get to pick a screen name (mostly anything goes - see name policy [..]) - meets benefit C.
C - browserid-based authentication means we store email identifiers - meets benefit D, B. ...etc...

Community Visibility and Input

Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data? If YES, what communication channels are you using and what kind of input have you received thus far?