

Volunteer NDA for RhinosF1
Closed, Resolved · Public

Description

Hello,

I would like a volunteer NDA.
I will be requesting security issue access so I can better collaborate on things like tools other farms share with Wikimedia, processing third party extension security issues like I did for a few past releases.

@Dzahn is the sponsoring manager.

Event Timeline

I am the sponsor and support this request. My manager is @LSobanski

This ticket is about the process described at https://wikitech.wikimedia.org/wiki/Volunteer_NDA

At the end of it RhinosF1 should be added to https://phabricator.wikimedia.org/project/view/61/

RhinosF1 updated the task description.

In the past there was the need to first add to https://phabricator.wikimedia.org/project/view/974/

The "nda" LDAP group is not currently needed.

Added @RhinosF1 to WMF-NDA-Requests here on Phabricator (kind of surprised I could still do that, but done).

edit: Oh, wait, sorry. That was a bit early. Not yet. Actual signature not confirmed yet?

WMF-NDA-Requests is needed to sign. WMF-NDA is where you get added once signed + CTO approved.

Oh, of course. Added to the _Requests_ group. (https://phabricator.wikimedia.org/project/members/974/)

Document signed. Please seek C-Level sign off.

Hi @KFrancis

we want to add RhinosF1 to private tasks on Phabricator. So non-public information that we want to share with a volunteer.

There is a process described at https://wikitech.wikimedia.org/wiki/Volunteer_NDA that says what is needed is signing "the NDA" (which links to the old "L2" document on Phabricator -> https://phabricator.wikimedia.org/L2) and then approval from a C-Level and then we could grant that access.

Then of course we also have _the other NDA_ process which we usually have been following lately, which includes adding you and then the users signing the document you provide to them etc., as is described at:

https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group

This is usually done when users are added to the "LDAP group nda" (https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#NDA_group), but in this case we don't need the additional access that this would grant.

When we hand out the equivalent access to WMF staff, we add them to the "LDAP group wmf" and then a rule was added that we always ALSO add them to the "WMF-NDA" group on Phabricator. (cc: @Aklapper who once requested that to simplify the process).

It is still unclear whether the same rule should apply to volunteers. To determine that is an unresolved ticket at https://phabricator.wikimedia.org/T299839.

Since this repeatedly has caused discussions how to handle the access requests the right way, here are some questions for you:

  • Would it be ok or wrong to grant access to private data only based on L2 and manager/c-level approval but without the volunteer ever signing anything directly with legal?
  • When we share private tickets with volunteers, should they go through you and sign with you in general? If we do that, can we skip the C-level approvals?
  • Does it matter to you if the sharing of information is limited to sharing private tickets vs. handing out other logins via the LDAP group called "nda"?

Based on your responses I think we should maybe update https://wikitech.wikimedia.org/wiki/Volunteer_NDA and/or https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group to make clear what applies where and is the currently valid one.

Sorry if this has been brought up before and I missed it.

cc: @LSobanski @Aklapper @RhinosF1

Agreeing with what Dzahn wrote in the previous comment. For historical context: It seems WMF Legal gave its OK in 2015 to using Legalpad in T655. However given fluctuation I'm not sure if everybody is still fully aware of it and the implications. I admit I am also confused when an NDA on file with WMF-Legal dept is required, and when signing L2 in Phabricator Legalpad is sufficient, and it also seems that either there is no consistent policy or public documentation is potentially outdated. Question: Should this get revised, preferably in a separate task?
(See also T111271 for a random example of using Legalpad in the past for [in my understanding] WMF-driven stuff - in this case, OTRS=Znuny.)

Added "LDAP-Access-Requests" even though RhinosF1 says they don't need the LDAP group, but simply for the reason that otherwise it's not seen on the clinic duty dashboard, where access requests should be seen and normally are.

Hi all, Let me do some research and get back to you! Thanks!!!

Was this done @KFrancis ?

I'm still working on this, but in the meantime, I can process an NDA for you so you can get the access you need. Please email the following to kfrancis@wikimedia.org:
-Full legal name
-Mailing address
-Email address
-Specifics about the type of sensitive data they will be accessing

I have sent it.

Hello all, the NDA has been signed. Please proceed to next steps for access.

RhinosF1 closed this task as Resolved. Edited Aug 14 2023, 5:44 PM
RhinosF1 claimed this task.

Per @LSobanski's comments, closing and moving to the next part for security access.