concerning the NDA issue

[Joe Dehn]

On the agenda for this Saturday's meeting is the item "NDA resolution (data management) (30 minutes)". This is presumably supposed to be a time to discuss the question of whether to somehow create a new "NDA" (non-disclosure agreement) for the LPC, to continue using the one that has apparently been used in the recent past -- or perhaps scrap the idea altogether.

There is no doubt that there is a need to address disclosure / misuse of certain kinds of information somehow. There is certainly potential harm to any organization if certain kinds of information get disclosed, especially to "adversaries". There are also expectations in the larger society about treatment of certain kinds of information, especially "personal" information, that have nothing to do with the interests of a particular organization. But an "NDA" is not necessarily either required or sufficient to do what needs to be done to address these issues.

What else could do it?  Lots of things. As human beings living in a particular culture we are all expected to exercise a certain amount of "common sense". As officers of an organization we are all expected to take the interests of that organization seriously, and to apply our knowledge and discretion accordingly. If things aren't obvious enough, there can be formal expressions of policy promulgated, e.g., in bylaws.  If all of these things fail -- and every one of them can fail -- and somebody does something that clearly hurts either the organization or an individual, in a way they should have understood would cause harm, that can be addressed after the fact with some sort of punishment or compensation.

Yes, the specific type of contract known as an "NDA" may be useful to some degree, but even if it can be useful it's only one part of the total picture.  And just because some kinds of organizations find it useful for protecting certain kinds of information, that doesn't mean every organization needs one, for everything.

My basic reaction to the document that has, apparently, been used by the LPC in recent years is that it is a case of extreme overkill. It looks like boilerplate created for a generic organization, by somebody who considered every use of information to be dangerous until proven otherwise. I don't think we need this. I don't think it's good for us. Could some other version be useful for our purposes?  Maybe.  But to answer that I think we need to step way back and consider some more basic questions, about how we actually make use of information in our organization.

The existing document fails to take into account at least three different variables. It doesn't distinguish among different actors (users and potential disseminators of information), it doesn't distinguish among different categories and sources of information, and it doesn't consider in any way quantity of information.

In an attempt to be general and to apply the same rules to everybody, the existing document takes the approach of labeling a "Disclosing Party" and a "Receiving Party". But the relationship of different people to the organization and to other people makes a big practical difference.  Information in our type of organization doesn't just flow in one direction. And framing things that way is in fundamental conflict with other structural aspects of our organization. How can the "Libertarian Party of California" enter into any kind of contractual relationship with its own officers or Executive Committee, with respect to matters that are intrinsically their function?  They are in that context not two different "parties", one "disclosing" and the other "receiving"  -- they are just two different ways of looking at the same group of people. Yes, you could "legally" make the distinction, and it might make sense to divide things up that way for certain specific kinds of information, but it's not a useful way of looking at things in general.

I believe that, historically, in the context of the LPC the idea of requiring an NDA first arose in connection with use of our membership data for mailings by outside parties, or for uses that were at least clearly distinguishable from our core functions, such as by a particular campaign committee. And then this idea somehow spread to the case of people using party information for party purposes, and even to the point that EC members are supposed to be bound by it. Hmmm... how does it apply to the Chair?  Does he sign both sides of this "contract", with himself?

Whatever form we want our documents regarding information flow to take, whether a "policy" or a "contract", they need to at least distinguish among the members of the top governing body, other party members doing party business, and the rest of the world.

With respect to types and sources of information, different kinds of information need more or less "protection". In particular, not all information concerning people is the same. A name is not the same thing as an address, or a credit card number, and the fact that they may be all stored in the same database does not make them the same. And calling all this "Proprietary Information" masks the fact that it is just as much the individual who needs protection as the organization. When somebody joins and gives us their name and address, maybe they should be asking the LPC to sign an NDA, with respect to their own "Proprietary Information"?

Also the "same kind" of "personal nformation" may have different significance depending on who the people are. Dues-paying members are not the same as registered Libertarian voters are not the same as the general public. Big donors are not the same as small donors.

Also note that some of the collections of data to which this NDA is presumably intended to apply don't even "belong" to the LPC in the first place, because they were created by somebody else -- the LPC is, in the sense that terms are being used in this NDA, the "receiving party".  Specifically the voter file -- use of that information is subject to restrictions set by statute.

And it's just plain silly to ignore the difference between a single record and an entire database. Sure, at some level they are the same, but as a practical matter, in terms of how we actually do our jobs, applying the same rules to them makes no sense.  If I were to sign this NDA and take its provisions seriously, there are many things that would be considered ordinary uses of information that would be prohibited.  If somebody were trying to set up an outreach booth in his city and wanted to know if there were any other members in the same city who might be willing to help, I could not tell him, I could not give him anybody's phone number or e-mail address or even another member's name, because all of that is explicitly defined as "Proprietary Information" which I am not allowed to "disclose". I would have to demand that every such volunteer also sign this scary-looking NDA, even to allow him to get in contact with one other person to ask for help! Similarly, as NAC it is a central part of my job to encourage and assist the formation of county organizations. I don't see how I can do that without knowing who lives in that county and being able to share that information with the people actively trying to get things started. "Oh, you are interested in getting a county organization started here -- that's great! There might or might not be somebody else in your county who would be interested but I can't tell you anything about them until you sign this four-page legal document."

We have to be able to trust people to do their jobs. If a party officer doesn't have common sense and doesn't understand or care enough about the interests of the party to follow explicit policies, then he shouldn't be a party officer in the first place -- and making him sign a "contact" on top of that isn't likely to solve any actual problem.

Rather than trying to fix this generic NDA that doesn't actually fit anything we do, I suggest we look at the specific situations where an NDA probably does make sense, e.g., in working with an outside contractor on a task that involves a significant fraction of our database, and come up with documents structured and worded to fit those situations.

[Mimi Robson]

I tend to agree with Joe.  When I first became Secretary in 2017 and then chair in 2018 we didn't have an NDA at all.  When we started getting the voter data from L2 we began asking for a very general NDA just for that data if we gave it to a candidate (see attached example). However, we didn't ask the counties to sign an NDA for the voter registration information because that data belongs to the LPC.  We Also asked for NDAs from candidates or others that requested membership information, but of course didn't ask county affiliates for NDAs because it's in the bylaws that the state party is required to give each county their membership records.

Same with officers. . .the bylaws state that certain officers are responsible for maintaining the membership database, so why would they be asked to sign an NDA for something they are creating and updating?  Plus, if we were to ask them to sign the NDA and they say no, then what?  The Bylaws state they have access to that information with no mention of an NDA.

I would fine going back to just having candidates, or other organizations, sign a NDA similar to the one attached, so long as the information is only being provided per the bylaws.

In Liberty.

So I was a bit confused with 

Mimi Robson

Treasurer, Libertarian Party of California

ca.lp.org | trea...@ca.lp.org

--
You received this message because you are subscribed to the Google Groups "LPCalifornia-ExCom-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lpcalifornia-excom-...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/lpcalifornia-excom-discuss/e17c014167fe0525c29087cf536f249e%40dehnbase.org.