Wikimedia Security Team/Privacy roadmap

The Privacy Roadmap is a joint roadmap by members of the WMF Legal and Security Teams to improve the privacy of users on WMF sites. Lack of hiring and reduced funding plans have eliminated or delayed some aspects of the initial roadmap, however the milestones for FY15-16/16-17 are listed below.

Need for a roadmap
As the WMF places more importance on data-driven decision making, teams are collecting significantly more data about users. The WMF desires to not just meet industry standards, but exceed them and lead industry thinking on protecting user privacy.

FY15-16

 * Map general data repositories and flows for each team, so that the WMF understands what private data it retains, who has access to the data, and how the data is processed.
 * Train staff on protecting users' privacy, so that all staff understand basic issues, and how to improve privacy protection in their work.
 * Prepare Privacy by Design policy so that privacy is considered throughout the WMF software development process.
 * Coordinate an external audit of WMF systems and facility for security weaknesses.

FY16-17

 * Continue data mapping project.
 * Achieve basic PCI compliance, to give the WMF more options for protecting donor privacy.
 * Begin defining data management processes, so that private data across the organization is uniformly protected, governed by appropriate access policies, and removed in a timely manner.
 * Will there be an audit on which personally identifying information (such as IP addresses, detailed user agents etc.) is kept unnecessarily? See also Logs. Nemo 12:20, 31 January 2017 (UTC)
 * Begin defining data access guidelines, so that all users will access to private data are covered by data access guidelines, and handle data appropriately.
 * Better protect critical staff devices, so users and devices with access to private data are better secured against likely threats.
 * Coordinate followup security audit, ensuring identified issues have been mitigated.