Training modules/Handling private information/drafting

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search


The Wikimedia Foundation (WMF) is committed to protecting people's privacy. The Wikimedia movement relies on functionaries like you -- stewards, checkusers, oversighters, bureaucrats, and other volunteer administrators -- to help make using the Wikimedia projects educational, fun, and safe. This quick reference guide will tell you what you need to know to make that happen. You’ll learn about:

  1. the main WMF Privacy Policy, which lays out important terms;
  2. the access to nonpublic information policy, which covers acceptable methods for functionaries to access, use, and share nonpublic personal information; and
  3. policies specific to your role in the community.

Please note that this document is intended as a summary for training and convenience purposes only. It is not a substitute for official WMF and Wikimedia community policies, and is not intended as legal advice. The WMF legal team can advise only WMF on legal matters, so if you feel that you need personal legal advice, please contact a lawyer.

Privacy policy basics[edit]

Please take time to review the WMF Privacy Policy. Although the Privacy Policy does not apply to volunteer functionaries directly—it applies to WMF[1]—several other policies rely upon the Privacy Policy’s definition of “personal information” (PI). Functionaries must understand this definition in order to know if and when they are handling PI. In addition, the Privacy Policy carries moral force, even for those not directly bound by it. It embodies the Wikimedia movement’s philosophical commitment to protecting user privacy, and establishes the expectations Wikimedia users will have regarding how their PI is handled.

Defining personal information[edit]

Nonpublic PI is defined as any information that can be used to personally identify a user. This includes, but isn’t limited to, any of the following that have not already been made public by the user themselves on the projects or elsewhere:

The most common types of nonpublic PI handled by functionaries are email addresses, IP addresses, user agent information, and names. However, functionaries should be aware of the other types of information that qualify. In addition, although not personally identifying by themselves, each of the following is considered nonpublic PI when associated with either the above or with a user’s account:

  • date of birth;
  • gender;
  • sexual orientation;
  • racial or ethnic origins;
  • marital or familial status;
  • medical conditions or disabilities;
  • political affiliations; and
  • religion.

Be sure to refer back to the Privacy Policy or contact if you have questions about whether specific information qualifies as PI.


  1. Because user:Rory publicly stated his real name, email address, address, and phone number on his user page, none of this is considered PI.
  2. However, if Rory had not disclosed his real name, email address, address, and phone number, these would be considered PI.
  3. Rory’s IP address and user agent information is PI.
  4. If Rory has not disclosed that he is unmarried, a statement that links his marital status with his username contains PI.

Access to nonpublic information policy & confidentiality agreement[edit]

The access to nonpublic information policy and its corresponding confidentiality agreement are the main sources of functionaries’ privacy responsibilities, so please review them carefully. They cover several important areas, including:

Accessing PI[edit]

As functionaries, you have tools that let you access nonpublic PI to protect Wikimedia sites from vandalism and illegal content, and to enforce Wikimedia policies. In order to access nonpublic PI, you must:

  • be at least 18 years old, or 16 years old for email response team members;
  • provide WMF the email address that is linked to your account;
  • agree to keep the information confidential[2]; and
  • use the information in a manner consistent with all of the policies related to your position, including the access to nonpublic information policy.

Keeping it confidential[edit]

The access to nonpublic information policy and the confidentiality agreement broadly prohibit disclosure of PI. Absent one of the below exceptions, PI that you access using special tools must be kept confidential and may not be disclosed to anyone.

  • Start by reading and signing the confidentiality agreement for nonpublic information.
  • Next, ensure that you are familiar with the Privacy Policy’s definition of PI, described above.
  • In addition, be sure to review policies specific to the tools you use, such as the CheckUser tool or Suppression tool. A few of these specific policies will be discussed further in another section.
  • Be careful to maintain the security of your account. Do not let others use your account. It is especially important for functionaries to use strong passwords. A helpful essay on personal security practices can be found here.
  • If you violate the policy, for example by improperly accessing, using, or disclosing nonpublic PI by mistake, you must:
    • Notify WMF immediately;
    • At WMF’s request, delete any nonpublic PI in your possession[3].


Under the access to nonpublic information policy, functionaries are permitted at their discretion, but not required, to disclose PI in certain defined circumstances. These exceptions are summarized below.

If you disclose nonpublic information under exceptions (ii), (iii), (iv), or (v) below, tell WMF at within 10 days. In addition, in the event of an emergency, such as a threat of violence, we strongly advise contacting and immediately.

(i) Between functionaries to fulfill functionary duties[edit]

Functionaries may disclose PI to other community members with the same access rights in order to fulfill duties outlined in an applicable policy.

You do not need to inform within 10 days if you disclose PI under this exception.


User:Rory, an oversighter on English Wikipedia, shares a small amount of PI on a private wiki that is restricted to oversighters, in order to get help with a request he received.

(ii) To service providers in order to enforce blocks[edit]

Functionaries may disclose PI to service providers, carriers, or other third parties to assist in either:

  1. the targeting of IP blocks; or
  2. the formulation of a complaint to relevant internet service providers.

You do need to inform within 10 days if you disclose PI under this exception.


User:Rory, a steward, confirms that a site-banned user is evading her block and continuing to violate community policies and the Wikimedia Terms of Use. Rory discloses the user’s IP address in a complaint to the relevant internet service provider and informs of the disclosure within 10 days.

(iii) To law enforcement, in cases where there is an immediate and credible threat to life or limb[edit]

WMF’s Support & Safety team recommends immediately forwarding serious threats to and Our trained Support & Safety team can then make its own evaluation and determine whether to disclose PI to law enforcement.

However, if you wish to disclose PI to law enforcement yourself, please note that there are three requirements in such cases. A threat must be:

  1. to life or limb;
  2. immediate; and
  3. credible.

You do need to inform within 10 days if you disclose PI under this exception, and we strongly suggest informing and immediately.

Example 1[edit]

User:Rory, a steward, discovers that a user made a bomb threat on a talk page. He immediately notifies and about the situation. WMF’s Support & Safety team takes things from there. Rory did not need to personally contact law enforcement or disclose PI.

Example 2[edit]

Rory discovers a user page on which the owner recently posted that they intend to commit suicide. Rory believes the threat is credible. He discloses the user’s IP address, email address, and real name (if available) to law enforcement. He also immediately notifies and about the situation and the action he has taken.

Example 3[edit]

Rory discovers that a user on a talk page has threatened to throw eggs at another user’s house. Rory does not disclose the user’s IP address, email, or real name to law enforcement because the user has not threatened anybody’s life or limb. Instead, Rory chooses to warn the user or block them for harassment. Depending on the circumstances, Rory may want to report the incident to local law enforcement without disclosing the threat-maker’s IP address, email address, name, or any other PI.

(iv) To authorized parties, with the express permission of the user whose nonpublic information is to be disclosed[edit]

In these cases, we recommend obtaining a message or email from the user explaining who they authorize to disclose information (the specific functionary), what information will be disclosed and why, and to whom the disclosure will be made. This ensures good documentation and that the user is fully aware of how their PI will be shared.

You do need to inform within 10 days if you disclose PI under this exception.


User:Rory, a steward, acts on a user’s request to disclose their PI on their behalf. Before doing so, Rory obtains documentation of the user’s permission, which specifically authorizes Rory to do so and explains the what, the why, and the to whom of the disclosure.

(v) When required by law[edit]

Functionaries may disclose PI to law enforcement, administrative bodies, or other governmental agencies, if required by law, provided that the functionary notifies the Wikimedia Foundation unless restricted by law from doing so. The WMF legal team can only advise WMF on legal matters, so if you have questions about the legal validity or enforceability of an order or request you receive, please contact a lawyer.

You do need to inform within 10 days if you disclose PI under this exception, unless restricted by law from doing so.


User:Rory, a steward, receives a request from his government to hand over a user's PI. Rory finds and consults with a local lawyer to determine whether he has to provide the information and, if he does so, whether he can notify WMF.

(vi) To the public, in order to block a sockpuppet or other abusive account[edit]

Functionaries may disclose PI to the public when it is a necessary and incidental consequence of blocking a sockpuppet or other abusive account.

You do not need to inform if you disclose PI under this exception.

Information specific to your role[edit]

CheckUser policy[edit]

As you likely know, the CheckUser policy applies to users with CheckUser permission. This permission is mainly limited to stewards, ombudsmen, and WMF staff. Wikimedia projects may also have local, stand-alone CheckUsers.

Broadly speaking, CheckUsers can view certain PI such as user IP addresses and user agent information. Pursuant to WMFs Data Retention Guidelines, such checks may generally be conducted for the previous 90 days of site history before the relevant data is deleted from WMF’s servers.

The tool exists to fight vandalism, check for sockpuppet abuse, and to limit disruption of the Wikimedia projects. It should not be used for any other reason. Examples of unacceptable reasons include:

  • political control;
  • applying pressure on editors; or
  • threats against editors in content disputes.

Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI obtained via CheckUser permission, such as IP addresses or user agent information, should not be disclosed unless a valid exception applies.

Please also note that the CheckUser policy cautions against revealing PI even where a valid exception does apply. Where possible, it recommends revealing information such as “same network/different network” rather than a specific IP address.

Notifying a checked user that their information has been checked is optional. You also have the option of notifying the communities that user information has been checked, in cases where you do not disclose PI or a valid exception applies.

Oversight Policy[edit]

Also known as the suppression policy, the oversight policy applies to users with access to the oversight feature. This feature is mostly limited to oversighters, stewards, and WMF staff.

The oversight feature may be used in four specific cases. One of these cases is relevant to user privacy: when the feature is used to suppress nonpublic PI from the projects.

Suppressed information, including nonpublic PI, remains visible to functionaries with access to the oversight feature. Functionaries subject to the oversight policy may also encounter nonpublic PI via requests for suppression, which may be made via IRC or email.

Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI that has been obtained by a user with access to the oversight feature should not be shared with anybody unless a valid exception applies.

OTRS access & activity policies[edit]

OTRS policies apply to certain volunteers who receive OTRS access to community, chapter, user group, staff, role, and/or temporary queues. Community queues are limited to users who have applied and been accepted as OTRS volunteers.

Access to community queues is for responding to emails and inquiries sent to the general information addresses of the Wikimedia projects. Under the OTRS Activity policy, access to the community queues solely for viewing inquiries or verifying existing permissions is not an acceptable reason to hold an account. As a result, inactive accounts may be disabled after six months of inactivity.

OTRS volunteers encounter nonpublic PI—names and email addresses—in the “from” line of emails they receive. The content of emails they receive may also contain additional PI.

Consistent with the access to nonpublic information policy and confidentiality agreement, nonpublic PI that has been obtained by an OTRS volunteer should not be shared with anybody unless a valid exception applies.


We hope this guide was helpful in summarizing and cross-linking the various privacy, confidentiality, and data access policies applicable to functionaries. Please feel free to refer back to it as a reference. Thanks so much for all you do to support the Wikimedia movement. If you have any questions, please don’t hesitate to contact or


  1. What this policy does and doesn’t cover, WMF Privacy Policy.
  2. Open Ticket Response System (OTRS) volunteers sign a separate, but similar confidentiality agreement available here.
  3. Depending on the circumstances, in the event of a violation of the access to nonpublic information policy and agreement, your access may be revoked. Additionally, in exceptional cases, WMF may potentially pursue available legal remedies such as injunctive relief or even damages.