Tasks and privacy

Updated by Max Dana

ArtsPool's security and privacy practices are based on the principle of least privilege, which means that people are granted access only to the things they need to accomplish their work. In the context of the ArtsPool app, this means that a member user has access to the tasks they have been added to, but not to every task in the system for that member.

Privacy by default

Because tasks that are submitted to ArtsPool can contain anything under the sun, we have no way of knowing if something new that is submitted should be kept private. Because of this, we default to privacy and leave it to the person who submitted the task or an ArtsPooler to add other people to the task. Until new people are added to the task, the task is only searchable by the person who submitted it and ArtsPool.

An assumption of privacy

When an employee at a member organization submits a task to ArtsPool, they also have a tacit assumption that the conversation on that task is just between themselves and the other people on that task team and is not visible to everyone at the organization. Because tasks can contain sensitive information (see above), this is an assumption that we should honor.

Requests for access to historical tasks

When an employee leaves a member organization, we sometimes receive requests to grant their successor access to every task in the system that they had access to. Because we can't make an assumption that these tasks -- which can be in the hundreds or thousands depending on the length of the person's tenure -- do not contain information or conversations that should be kept private, we cannot grant this type of blanket access. Instead, if the new employee or their manager asks us about specific issues and there is a current or historical task on that topic, we can review the task and add the new employee to those particular tasks.

We understand that this policy may not always be popular or convenient. Security and privacy are critically important to the health of the cooperative, so we sometimes have to implement strict policies to ensure that we are operating in a safe way. Our Technology Lead reviews our security and privacy practices each year in collaboration with our management team, so if you have feedback on this or any of our other policies you are welcome to reach out to your Steering Committee representatives.
