有一群人叫“青岛企业家”，专注一件事就干一辈子！

This policy or procedure is maintained by the Wikimedia Foundation. Please note that in the event of any differences in meaning or interpretation between the original English version of this content and a translation, the original English version takes precedence.

Wikimedia policies
Wikimedia projects
Access to nonpublic personal data Access to temporary account IP addresses API usage guidelines Code of conduct for Wikimedia technical spaces, including events Combating online child exploitation Commercial sales and contracts Cookie statement Data collection guidelines Data publication guidelines Data retention guidelines Digital Millennium Copyright Act (DMCA) Donor privacy SMS supplementary terms General disclaimer Human rights IP Information Tool Licensing Office actions Privacy Terms of Use Wikimedia Maps Terrorist and violent extremist content procedures and guidelines Trademarks Universal code of conduct Enforcement guidelines
Foundation Board and staff
Code of Conduct Code of conduct of the Board of Trustees Conflict of interest Confidentiality agreement of the Board of Trustees Credit card usage Delegation of authority Duty entertainment Foreign corrupt practices act policy Gifts Non-discrimination Policy and political association guideline Staff Userrights Travel and expense Travel approval Whistleblower
Other
Expense reimbursement Feedback privacy statement Friendly space policy Investment policy Legal policies Non-wiki privacy policy Open access policy Peering policy Phabricator Terms of Use Purchasing and disbursements procedures Requests for user information Scholarship travel policy Service provider travel guidance
v t e

The right to privacy is at the core of how communities contribute to Wikimedia projects — upholding this right is a central aspect of WMF’s human rights commitments. These data collection guidelines outline best practices at the Wikimedia Foundation for managing privacy risk in data collection. They complement WMF’s data retention and data publication guidelines, providing guidance about how to handle potentially sensitive data through the entirety of its life cycle at WMF. Taken together, these guidelines contribute to our commitment to protect users' data as elaborated in our privacy policy.

The breadth of what constitutes data collection can vary widely as many teams at the Foundation engage in some kind of data collection behavior. To provide guidance in meaningfully evaluating a potential data collection activity, we primarily look to understand information pertaining to five general categories:

• Data subjects (e.g. readers, editors, app users, donors)
• Data senders (e.g. WMF tools like a browser, app, or extension; or third-party software providers)
• Data recipients (e.g. WMF, WME, affiliates, third-party software providers, the public)
• Type of data (e.g. user account information, page information, telemetry data, demographic information, attitudinal or behavioral information, geographic information, event information)
• Data usage and changes to data usage (e.g. published in raw format, published anonymously, not published; de-identified, aggregated, and kept in perpetuity)

The following Data Collection Risk Tiering Grid presents those categories as criteria to help staff assess the risk tier of their data collection activity.

If a data collection activity is recurring,^[8] subsequent reviews will be of a known risk, and will require less stringent review standards. For example:

• A high risk one-off survey in the first quarter would be deemed a known high risk (faster response and decision cadence) in later quarters if the information collected is the same.
• A medium risk ongoing data collection activity on iOS would be deemed a known medium risk (only requiring entry into the log form) if an identical schema had already been reviewed for Android.

Proposed changes to existing ongoing data collection activities should be considered to involve a change in the type of data collected, and should be considered a new entry in the data collection activity log form/a new data collection to review.

Here are a list of example mitigation measures you can take to lower the risk of your data collection activity:

• Because it is trivially easy for a bad actor to derive granular geographic data from a full IP address, for the purposes of these guidelines, collecting complete versions of IP addresses are considered to be both a unique identifier^[3] and to leak granular geographic data — therefore, collecting IP address is a medium risk data collection activity. Relevant mitigations include:
  • dropping the last two octets of IP addresses (e.g. 192.168.xxx.xxx)
  • hashing IP address + user-agent (similarly to actor signature)
• For circumstances in which granular geographic data is critical, consider collecting sub-national geographic data and then dropping all unique IDs.
• To collect riskier unique IDs (like IP address) and maintain a low-risk status, it may be necessary to hash them.

1. ↑ Personal information: (from the Wikimedia Foundation Privacy Policy): Information you provide us or information we collect that could be used to personally identify you. To be clear, while we do not necessarily collect all of the following types of information, we consider at least the following to be "personal information" if it is otherwise nonpublic and can be used to identify you:
   1. your real name, address, phone number, email address, password, identification number on government-issued ID, IP address, user-agent information, payment account number;
   2. when associated with one of the items in subsection (1), any sensitive data such as date of birth, gender, sexual orientation, racial or ethnic origins, marital or familial status, medical conditions or disabilities, political affiliation, and religion.
2. ↑ Long-term viewing history data: Data that logs pageview histories >90 days for logged-out users or >1 pageview for logged-in users.
3. ↑ ^{3.0 3.1 3.2} Unique identifier (ID): An expansion of "Personal Information" as defined in the WMF Privacy Policy. To this list we add username/user ID, and app install ID. Hashed versions of plaintext unique IDs are still considered to be unique IDs, since they may still uniquely identify a user.
4. ↑ Granular geographic data: Data that identifies the location of a user at a sub-national resolution.
5. ↑ Sensitive data: (from the Wikimedia Foundation Privacy Policy): date of birth, gender, sexual orientation, racial or ethnic origins, marital or familial status, medical conditions or disabilities, political affiliation, and religion.
6. ↑ ^{6.0 6.1 6.2} Ongoing data collection: Data collected in an ongoing manner, typically through automated means. This covers telemetry data from app/web interactions. Importantly, it is data collected through implicit consent just by using WMF projects. It can be long term (for monitoring usage over an indefinite amount of time) or short term (for conducting experiments that have a definite end).
7. ↑ ^{7.0 7.1 7.2} One-off data collection: Data collected in a single instance, typically through a survey. Data subjects in this context may explicitly consent to sharing data by acknowledging a privacy statement, filling out a survey, and clicking a "Submit" button.
8. ↑ Recurring data collection: Instances of data collection that either:
   • recur after some time period (e.g. each month, quarter, or year) or
   • have equivalent data collection schemas across some set of contexts (e.g. iOS and Android).