Data Platform/Systems/EventLogging/Sensitive Fields
Scenario 1: Entering personal information by mistake
A user enters sensitive personal information (credit card number, or others) into a text field like username, pageTitle, imageTitle, summary, etc. by mistake. After a while they realize that and immediately ask WMF to delete this information. A risk exists, that in the meantime, after the sensitive data was submitted and before its records were deleted, an EventLogging event was stored featuring this data.
- Thus, all fields that store textual information potentially inputed by the user (username, pageTitle, etc.) should be auto-purged in events older than 90 days.
Scenario 2: Editing as anonymous by mistake
An editor usually edits logged in, because they don't like their IP being stored in the revision table. However, this day they edit as anonymous by mistake. After a while they realize that and immediately ask WMF to delete this information. A risk exists, that in the meantime, after the sensitive data was submitted and before its records were deleted, an EventLogging event was stored featuring this data.
- Thus, all fields that store the IP address of an anonymous editor should be auto-purged in events older than 90 days.