User accounts - should users be able to request deletion of their accounts?

[Janet McDougall - Australian Data Archive]

hi All

This is a question about user rights - we have previously discussed how to manage user access to data if their business use changes, but  since GDPR we now wonder about user rights, and their rights override auditing requirements.

 Once a person has registered as a Dataverse user, should they be able to request their account be deleted at a later date?  How will this impact dataset/datafile persmissions granted to that user for auditing purposes?

Ideally, for auditing I would think that the Dataverse owner/manager would require records of all users which would include access they have had to data (tied to userID).   I have read issue https://github.com/IQSS/dataverse/issues/2419 on disabling/deactivating user accounts, but while this is about technical solutions, we are interested in whether users should be able to have their account details cleared.  It is sensible to be able to remove access/permissions to data for various reasons, but it seems there needs to be a way to record all access granted to data.

If we mean to maintain records of users data access, then they need to be aware of this when they register.  Or should they be able to be deleted entirely from the Dataverse, including all their use history?  I would not think this is a good idea but am open to hear what others think, or are doing.  

Has anyone anticipated this?  

I also looked at another post "Deleting a user":

https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!searchin/dataverse-community/delete$20user$20account%7Csort:date/dataverse-community/NXnVDrh1-h8/1b8zYK2-DQAJ

thanks

Janet

[Mercè Crosas]

Janet, 

This is a very good question, and the reason I didn't answer earlier is because it's also a difficult question and I don't have yet a good answer. I'll consult with some legal folks, and think more about it.

Thanks for bringing this up.

Merce

----------

Mercè Crosas, Ph.D., Chief Data Science and Technology Officer, IQSS, Harvard University

@mercecrosas  scholar.harvard.edu/mercecrosas

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-community+unsub...@googlegroups.com.
To post to this group, send email to dataverse-community@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/5e9b665e-2cd9-4ed4-aa6c-4e21293fe68c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Janet McDougall - Australian Data Archive]

Merce

I look forward to hearing what you learn.  As you say, there is a lot behind this question - although I imagine there may be Dataverse communities where this is not an issue.

Thanks

Janet

To post to this group, send email to dataverse...@googlegroups.com.

[Benjamin Peuch]

Hello Janet,

As far as EU member countries are concerned, the answer is unequivocally yes. This is guaranteed by the “right to be forgotten,” which already existed in European law since the late 1990s but was especially reinforced by article 17 of the General Data Privacy Rule (GDPR).

(However, this is likely limited to user account information, as shown by the grounds listed in paragraph 1 and the exceptions foreseen in paragraph 3.)

Good luck,

Ben