Clarify requirements around CoC violation #786

Closed
1 of 9 tasks
tobie opened this issue Aug 3, 2021 · 15 comments
Labels
TOPIC-code-of-conduct All issues related to the CoC update and process waiting-on-pull-request There's agreement as to what needs to happen, now someone has to do it.

Comments

@tobie
Contributor

tobie commented Aug 3, 2021

Currently there are no requirements beyond adopting the Foundation's CoC for projects.

It seems we would need additional requirements for projects who wish to handle CoC violations themselves. For example, having a clear process for raising a violation, certain guarantees around privacy, etc.


Next steps:

  • open a pull request against FOUNDATION_CODE_OF_CONDUCT_REQUIREMENTS that adds a section listing the requirements outlined above (see Update and refactor CoC policy and processes #1135).
  • open a pull request against the onboarding checklist that includes implementing those requirements.
    • have an email reporting address
    • (required for impact and at-large) have at least more than one person selected by the project maintainership (through a process defined by the project) on that email address
    • publicly list who is on that email address
    • publicly document the decision-making process
    • confidentiality of reporter and victim
    • basic rules around data retention to meet legal requirements (e.g. GDPR)
  • following up on the audit @rginn is running to make sure that the projects that have opted in to run their own CoC enforcement have implemented those requirements.
@ljharb
Member

ljharb commented Aug 3, 2021

If a project doesn't have those things, then I'd argue it doesn't actually have a CoC.

@bnb
Member

bnb commented Aug 17, 2021

  • have an email reporting address
  • (required for impact and at-large) have at least more than one person selected by the project maintainership (through a process defined by the project) on that email address
  • publicly list who is on that email address
  • publicly document the decision-making process

@tobie
Contributor Author

tobie commented Aug 17, 2021

Building on @bnb's comment above, we'd like to focus on the minimum set of requirements as a first step and leave broader conversations (e.g. training) to a later conversation. In addition to the list mentioned above, it seems the following should be listed in an initial set of requirements:

  • confidentiality of reporter and victim
  • basic rules around data retention to meet legal requirements (e.g. GDPR)

@tobie
Contributor Author

tobie commented Aug 17, 2021

Next steps here would be to:

[EDIT: next steps moved to the opening comment].

@Relequestual
Contributor

@tobie You added a "waiting for PR" label to this repo, and you detailed some requirements in your comment. However, who has the knowledge with which to fill the content for the titles/sections you say are needed?

Which of them can we (the CPC) answer, and for which of them do we need to involve legal?

@tobie
Contributor Author

tobie commented May 25, 2023

Which of them can we (the CPC) answer, and for which of them do we need to involve legal?

I'd say everything until outside of the data retention rules (though there probably might be enough in the org's privacy policy to just reference). Come to the next working session if you're interested in helping out, here.

@Relequestual
Contributor

Come to the next working session if you're interested in helping out, here.

I'm interested, but the time makes it almost impossible if I want to keep a good work/life balance. I already have after hours meetings on a regular basis multiple times a week.

@tobie
Contributor Author

tobie commented May 25, 2023

I get it.

@Relequestual
Contributor

If the CPC are largely in agreement with your list of next steps, copying them to the opening comment of the issue will allow us to track them better and try to move forward discussions on individual items (as they can then be converted into individual issues too)

@tobie
Contributor Author

tobie commented May 25, 2023

Good call. Done.

@benjagm

benjagm commented Jul 10, 2023

  • basic rules around data retention to meet legal requirements (e.g. GDPR)

Does the Foundation have a formal line on GDPR compliance requirements for the management of the CoC violation reports?

@tobie
Copy link
Contributor Author

tobie commented Feb 23, 2024

Closing as duplicate of #1255.
