Recherche avancée

Médias (91)

Autres articles (92)

  • MediaSPIP 0.1 Beta version

    25 avril 2011, par

    MediaSPIP 0.1 beta is the first version of MediaSPIP proclaimed as "usable".
    The zip file provided here only contains the sources of MediaSPIP in its standalone version.
    To get a working installation, you must manually install all-software dependencies on the server.
    If you want to use this archive for an installation in "farm mode", you will also need to proceed to other manual (...)

  • Multilang : améliorer l’interface pour les blocs multilingues

    18 février 2011, par

    Multilang est un plugin supplémentaire qui n’est pas activé par défaut lors de l’initialisation de MediaSPIP.
    Après son activation, une préconfiguration est mise en place automatiquement par MediaSPIP init permettant à la nouvelle fonctionnalité d’être automatiquement opérationnelle. Il n’est donc pas obligatoire de passer par une étape de configuration pour cela.

  • HTML5 audio and video support

    13 avril 2011, par

    MediaSPIP uses HTML5 video and audio tags to play multimedia files, taking advantage of the latest W3C innovations supported by modern browsers.
    The MediaSPIP player used has been created specifically for MediaSPIP and can be easily adapted to fit in with a specific theme.
    For older browsers the Flowplayer flash fallback is used.
    MediaSPIP allows for media playback on major mobile platforms with the above (...)

Sur d’autres sites (4310)

  • Lawful basis for processing personal data under GDPR with Matomo

    30 avril 2018, par InnoCraft

    Disclaimer : this blog post has been written by digital analysts, not lawyers. The purpose of this article is to explain what is a lawful basis and which one you can use with Matomo in order to be GDPR compliant. This work comes from our interpretation of the following web page from the UK privacy commission : ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. GDPR may be also known as DSGVO in German, BDAR in Lithuanian, RGPD in Spanish, French, Italian, Portuguese. This blog post contains public sector information licensed under the Open Government Licence v3.0.

    The golden rule under GDPR is that you need to have a lawful basis in order to process personal data. Note that it is possible to not process personal data with Matomo. When you do not collect any personal data, then you do not need to determine a lawful basis and this article wouldn’t apply to you.

    “If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle.“

    Source : ICO, based on article 6 of GDPR.

    As you may process personal data in Matomo, you have to :

    1. define a lawful basis.
    2. document your choice.
    3. inform your visitor about it in a privacy notice.

    Even if you think you don’t process personal data, we recommend reading this post about personal data in Matomo (personal data may be hidden in many ways).

    Note that if you are processing special category data (ethnic origin, politics, religion, trade union membership…) or criminal offence data ; extra responsibilities are applied, and we will not detail them in this blog post.

    1 – Define a lawful basis

    There are 6 different lawful bases all defined within article 6 of the GDPR official text :

    1. Consent : the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
    2. Contract : processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    3. Legal obligation : processing is necessary for compliance with a legal obligation to which the controller is subject.
    4. Vital interests : processing is necessary in order to protect the vital interests of the data subject or of another natural person.
    5. Public task : processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
    6. Legitimate interests : processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party ; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    As you can see, most of them are not applicable to Matomo. As ICO is mentioning it within their documentation :

    “In many cases you are likely to have a choice between using legitimate interests or consent.”

    “Consent” or “Legitimate interests” : which lawful basis is the best when using Matomo ?

    Well, there is no right or wrong answer here.

    In order to make this choice, ICO listed on their website different questions you should keep in mind :

    • Who does the processing benefit ?
    • Would individuals expect this processing to take place ?
    • What is your relationship with the individual ?
    • Are you in a position of power over them ?
    • What is the impact of the processing on the individual ?
    • Are they vulnerable ?
    • Are some of the individuals concerns likely to object ?
    • Are you able to stop the processing at any time on request ?

    From our perspective, “Legitimate interests” should be used in most of the cases as :

    • The processing benefits to the owner of the website and not to a third party company.
    • A user expects to have their data kept by the website itself.
    • Matomo provides many features in order to show how personal data is processed and how users can exercise their rights.
    • As the data is not used for profiling, the impact of processing personal data is very low.

    But once more, it really depends ; if you are processing personal data which may represent a risk to the final user, then getting consent is for us the right lawful basis.

    If you are not sure, at the time of writing ICO is providing a tool in order to help you make this decision :

    Note that once you choose a lawful basis, it is highly recommended not to switch to another unless you have a good reason.

    What are the rights that a data subject can exercise ?

    According to the lawful basis you choose for processing personal data with Matomo, your users will be able to exercise different rights :

    Right to be informed Right of access Right to erasure Right to portability Right to object Right to withdraw consent
    Legitimate interests X X X X
    Consent X X X X X

     

    • Right to be informed : whatever the lawful basis you choose, you need to inform your visitor about it within your privacy notice.
    • Right of access : as described in article 15 of GDPR. Your visitor has the right to access the personal data you are processing about them. You can exercise their right directly within the page “GDPR Tools” in your Matomo.
    • Right to erasure : it means that a visitor will be able to ask you to erase all their data. You can exercise the right to erasure directly within the page “GDPR Tools” in your Matomo.
    • Right to portability : it means that you need to export the data which concern the individual in a machine-readable format and provide them with their personal data. You can exercise their right directly within the page “GDPR Tools” in your Matomo.
    • Right to object : it means that your visitor has the right to say no to the processing of their personal data. In order to exercise this right, you need to implement the opt-out feature on your website.
    • Right to withdraw consent : it means that your visitor can remove their consent at any time. We developed a feature in order to do just that. You can learn more by opening the page “Privacy > Asking for consent” in your Matomo.

    2 – Document your choice

    Once you choose “Legitimate interests” or “Consent” lawful basis, you will have some obligations to fulfill. From our interpretation, “Legitimate interests” means writing more documentation, “Consent” means a more technical approach.

    What should I do if I am processing personal data with Matomo based on “Legitimate interests ?

    ICO is providing a checklist for “Legitimate interests”, below is our interpretation :

    • Check that legitimate interests is the most appropriate lawful basis.

    Our interpretation : document and justify why you choose this lawful basis in particular. This tool from ICO can help you.

    • Understand your responsibility to protect the individual’s interests.

    Our interpretation : you need to take all the measures in order to protect your users privacy and data security. Please refer to our guide in order to secure your Matomo installation.

    • Conduct a legitimate interests assessment (LIA) and keep a record of it to ensure that you can justify your decision. This document is composed of a set of questions on those 3 key concerns : 1) purpose, 2) necessity, 3) balancing.

    1) Purpose :

    • Why do you want to process the data – what are you trying to achieve ?
    • Who benefits from the processing ? In what way ?
    • Are there any wider public benefits to the processing ?
    • How important are those benefits ?
    • What would the impact be if you couldn’t go ahead ?
    • Would your use of the data be unethical or unlawful in any way ?

    2) Necessity :

    • Does this processing actually help to further that interest ?
    • Is it a reasonable way to go about it ?
    • Is there another less intrusive way to achieve the same result ?

    3) Balancing :

    • What is the nature of your relationship with the individual ?
    • Is any of the data particularly sensitive or private ?
    • Would people expect you to use their data in this way ?
    • Are you happy to explain it to them ?
    • Are some people likely to object or find it intrusive ?
    • What is the possible impact on the individual ?
    • How big an impact might it have on them ?
    • Are you processing children’s data ?
    • Are any of the individuals vulnerable in any other way ?
    • Can you adopt any safeguards to minimise the impact ?
    • Can you offer an opt-out ?
    • Identify the relevant legitimate interests.
    • Check that the processing is necessary and there is no less intrusive way to achieve the same result.
    • Perform a balancing test, and be confident that the individual’s interests do not override those legitimate interests.
    • Use individuals’ data in ways they would reasonably expect, unless you have a very good reason.

    Our interpretation : use those data to improve user experience for example.

    • Do not use people’s data in ways they would find intrusive or which could cause them harm, unless you have a very good reason.

    Our interpretation : ask yourself if this data is representing a risk for the individuals.

    • If you process children’s data, take extra care to make sure you protect their interests.
    • Consider safeguards to reduce the impact where possible.

    Our interpretation : Check if your web hosting provider is providing appropriate safeguards.

    • Consider whether you can offer an opt out.

    Our interpretation : Matomo is providing you the opt-out feature.

    • If your LIA identifies a significant privacy impact, consider whether you also need to conduct a DPIA.

    Our interpretation : A DPIA can easily be conducted by using this software from the French privacy commission.

    • Regularly review your LIA and update it when circumstances change.
    • Include information about your legitimate interests in your privacy information.

    As you see, going for “Legitimate interests” requires a lot of written documentation. Let’s see how “Consent” differ.

    What should I do if I am processing personal data with Matomo based on “Consent” ?

    As previously mentioned, using “Consent” rather than “Legitimate interests” is more technical but less intense in terms of documentation. Like for “Legitimate interests”, ICO is providing a checklist for “Consent” which is divided into 3 key categories : 1) asking for consent, 2) recording consent, and 3) managing consent.

    1. Asking for consent :
      1. Check that consent is the most appropriate lawful basis for processing.
      2. Make the request for consent prominent and separate from your terms and conditions.
      3. Ask people to positively opt in. Don’t use pre-ticked boxes or any other type of default consent.
      4. Use clear, plain language that is easy to understand.
      5. Specify why you want the data and what you are going to do with it.
      6. Give individual (‘granular’) options to consent separately to different purposes and types of processing.
      7. Name your organisation and any third party controllers who will be relying on the consent.
      8. Tell individuals they can withdraw their consent.
      9. Ensure that individuals can refuse to consent without detriment.
      10. Avoid making consent a precondition of a service.
      11. If you offer online services directly to children, only seek consent if you have age-verification measures (and parental-consent measures for younger children) in place.
    2. Recording consent :
      1. Keep a record of when and how you got consent from the individual.
      2. Keep a record of exactly what you told them at the time.
    3. Managing consent :
      1. Regularly review consents to check that the relationship, the processing and the purposes have not changed.
      2. Have processes in place to refresh consent at appropriate intervals, including any parental consent.
      3. Consider using privacy dashboards or other preference-management tools as a matter of good practice.
      4. Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
      5. Act on withdrawals of consent as soon as you can.
      6. Don’t penalise individuals who wish to withdraw consent.

      3 – Inform your visitor about it in a privacy notice

      Privacy notices are an important part within the GDPR process. Read our blog post dedicated to privacy notices to learn more.

      We really hope you enjoyed reading this blog post. Please have a look at our Matomo GDPR guide for more information.

    The post Lawful basis for processing personal data under GDPR with Matomo appeared first on Analytics Platform - Matomo.

  • Your introduction to personally identifiable information : What is PII ?

    15 janvier 2020, par Joselyn Khor — Analytics Tips, Privacy, Security

    When it comes to personally identifiable information (PII), people are becoming more concerned with data privacy. Identifiable information can be used for illegal purposes like identity theft and fraud. 

    So how can you protect yourself as an innocent web browser ?

    If you’re a website owner – how do you protect users and your company from falling prey to privacy breaches ?

    As one of the most trusted analytics companies, we feel our readers would benefit from being as informed as possible about data privacy issues and PII. Learn how you can keep yours or others’ information safe.

    what is pii

    Table of Contents

    What does PII stand for ?

    PII acronym

    PII is an acronym for personally identifiable information.

    PII definition

    Personally identifiable information (PII) is a term mainly used in the United States.

    The appendix of OMB M-10-23 (Guidance for Agency Use of Third-Party Website and Applications) gives this definition for PII :

    “The term ‘personally identifiable information’ refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

    What can be considered personally identifiable information (PII) ? Some PII examples :

    • Full name/usernames
    • Home address/mailing address
    • Email address
    • Credit card numbers
    • Date of birth
    • Phone numbers
    • Login details
    • Precise locations
    • Account numbers
    • Passwords
    • Security codes (including biometric records)
    • Personal identification numbers
    • Driver license number
    • Get a more comprehensive list here

    What’s non-PII ?

    Anonymous information, or information that can’t be traced back to an individual, can be considered non-PII. 

    Who is affected by the exploitation of PII ?

    Anyone can be affected by the misuse of personal data. Websites can compromise your privacy by mishandling or illegally selling/sharing your data. That may lead identity theft, account fraud and account takeovers. The fear is falling victim to such fraudulent activity. 

    PII can also be an issue when employees have access to the database and the data is not encrypted. For example, anyone working in a bank can access your accounts ; and anyone working at Facebook can read your messages. This shows how privacy breaches can easily happen when employees have access to PII.

    Website owner’s responsibility for data privacy (PII and analytics)

    If you’re using a web analytics tool like Google Analytics or Matomo, best practise is to not collect PII if possible. This is to better respect your website visitor’s privacy. 

    If you work in an industry which needs people to share personal information (e.g. healthcare, security industries, public sector), then you must collect and handle this data securely. 

    Protecting pii

    The US National Institute of Standards and Technology states : “The likelihood of harm caused by a breach involving PII is greatly reduced if an organisation minimises the amount of PII it uses, collects, and stores. For example, an organisation should only request PII in a new form if the PII is absolutely necessary.” 

    How you’re held accountable remains up to the privacy laws of the country you’re doing business in. Make sure you are fully aware of the privacy and data protection laws that relate specifically to you. 

    To reduce the risk of privacy breaches, try collecting as little PII as you can ; purging it as soon as you can ; and making sure your IT security is updated and protected against security threats. 

    With data collection tools like web analytics, data may be tracked through features like User ID, custom variables, and custom dimensions. Sometimes they are also harder to identify when they are present, for example, in page URLs, page titles, or referrers URLs. So make sure you’re optimising your web analytics tools’ settings to ensure you’re asking your users for consent and respecting users’ privacy.

    If you’re using a GDPR compliant tool like Matomo, learn how you can stop processing such personal data

    PII, GDPR and businesses in the US/EU

    You may get confused when considering PII and GDPR (which applies in the EU). The General Data Protection Regulation (GDPR) gives people in the EU more rights over “personal data” – which covers more identifiers than PII (more on PII vs personal data below). GDPR restricts the collection and processing of personal data so businesses need to handle this personal data carefully. 

    According to the GDPR, you can be fined up to 4% of their yearly revenue for data/privacy breaches or non-compliance. 

    GDPR and personal information

    In the US, there isn’t one overarching data protection law, but there are hundreds of laws on both the federal and state levels to protect PII of US residents. US Congress has enacted industry-specific statutes related to data privacy like HIPAA. Recently state of California also passed the California Consumer Privacy Act (CCPA). 

    To be on the safe side, if you’re using analytics, follow matters relating to “personal data” in the GDPR. It covers more when it comes to protecting user privacy. GDPR rules still apply whenever an EU citizen visits any non EU site (that processes personal data).

    Personally identifiable information (PII) vs personal data

    PII and “personal data” aren’t used interchangeably. All personal data can be PII, but not all PII can be defined as personal data.

    The definition of “personal data” according to the GDPR :

    GDPR personal data definition

    This means “personal data” covers more identifiers, including online identifiers. Examples include : IP addresses and URL names. As well as seemingly “innocent” data like height, job position, company etc. 

    What’s seen as personal data depends on the context. If a piece of information can be combined with others to establish someone’s identity then that can be considered personal data. 

    Under GDPR, when processing personal data, you need explicit consent. So best to be compliant according to GDPR definitions of “personal data” not just what’s considered “PII”.

    How do you keep PII safe ?

    • Try not to give your data away so easily. Read through terms and conditions.
    • Don’t just click ‘agree’ when faced with consent screens, as consent screens are majorly flawed. 
    • Disable third party cookies by default. 
    • Use strong passwords.
    • Be wary of public wifi – hackers can easily access your PII or sensitive data. Use a VPN (virtual private network)
    • Read more on how to keep PII safe. For businesses here’s a checklist on PII compliance.

    How Matomo deals with PII and personal data

    Although Matomo Analytics is a web analytics tool that tracks user activity on your website, we take privacy and PII very seriously – on both our Cloud and On-Premise offerings. 

    If you’re using Matomo and would like to know how you can be fully GDPR compliant and protect user privacy, read more :

    Disclaimer

    We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing with PII. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns. 

    Additional resources :

  • What is PII ? Your introduction to personally identifiable information

    15 janvier 2020, par Joselyn Khor — Analytics Tips, Privacy, Security

    Most websites you visit collect information about you via tools like Google Analytics and Matomo – sometimes collecting personally identifiable information (PII).

    When it comes to PII, people are becoming more concerned about data privacy. Identifiable information can be used for illegal purposes like identity theft and fraud. 

    So how can you protect yourself as an innocent internet browser ? In the case of website owners – how do you protect users and your company from falling prey to privacy breaches ?

    what is pii

    As one of the most trusted analytics companies, we feel our readers would benefit from being as informed as possible about data privacy issues and PII. Learn what it means, and what you can do to keep yours or others’ information safe.

    Table of Contents

    What does PII stand for ?

    PII acronym

    PII is an acronym for personally identifiable information.

    PII definition

    Personally identifiable information (PII) is a term used predominantly in the United States.

    The appendix of OMB M-10-23 (Guidance for Agency Use of Third-Party Website and Applications) gives this definition for PII :

    “The term ‘personally identifiable information’ refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

    What can be considered personally identifiable information (PII) ? Some PII examples :

    • Full name/usernames
    • Home address/mailing address
    • Email address
    • Credit card numbers
    • Date of birth
    • Phone numbers
    • Login details
    • Precise locations
    • Account numbers
    • Passwords
    • Security codes (including biometric records)
    • Personal identification numbers
    • Driver license number
    • Get a more comprehensive list here

    What’s non-PII ?

    Anonymous information, or information that can’t be traced back to an individual, can be considered non-PII.

    Who is affected by the exploitation of PII ?

    Anyone can be affected by the exploitation of personal data, where you have identity theft, account fraud and account takeovers. When websites resort to illegally selling or sharing your data and compromising your privacy, the fear is falling victim to such fraudulent activity. 

    PII can also be an issue when employees have access to the database and the data is not encrypted. For example, anyone working in a bank can access your accounts ; anyone working at Facebook may be able to read your messages. This shows how privacy breaches can easily happen when employees have access to PII.

    Website owner’s responsibility for data privacy (PII and analytics)

    To respect your website visitor’s privacy, best practice is to avoid collecting PII whenever possible. If you work in an industry which requires people to disclose personal information (e.g. healthcare, security industries, public sector), then you must ensure this data is collected and handled securely. 

    Protecting pii

    The US National Institute of Standards and Technology states : “The likelihood of harm caused by a breach involving PII is greatly reduced if an organisation minimises the amount of PII it uses, collects, and stores. For example, an organisation should only request PII in a new form if the PII is absolutely necessary.” 

    How you’re held accountable remains up to the privacy laws of the country you’re doing business in. Make sure you are fully aware of the privacy and data protection laws that relate specifically to you. 

    To reduce the risk of privacy breaches, try collecting as little PII as you can ; purging it as soon as you can ; and making sure your IT security is updated and protected against security threats. 

    If you’re using data collection tools like web analytics, data may be tracked through features like User ID, custom variables, and custom dimensions. Sometimes they are also harder to identify when they are present, for example, in page URLs, page titles, or referrers URLs. So make sure you’re optimising your web analytics tools’ settings to ensure you’re asking your users for consent and respecting users’ privacy.

    If you’re using a GDPR compliant tool like Matomo, learn how you can stop processing such personal data

    PII, GDPR and businesses in the US/EU

    Because PII is broad, you may run into confusion when considering PII and GDPR (which applies in the EU). The General Data Protection Regulation (GDPR) provides more safeguards for user privacy.

    GDPR grants people in the EU more rights concerning their “personal data” (more on PII vs personal data below). In the EU the GDPR restricts the collection and processing of personal data. The repercussions are severe penalties and fines for privacy infringements. Businesses are required to handle this personal data carefully. You can be fined up to 4% of their yearly revenue for data breaches or non-compliance. 

    GDPR and personal information

    Although there isn’t an overarching data protection law in the US, there are hundreds of laws on both the federal and state levels to protect the personal data of US residents. US Congress has also enacted industry-specific statutes related to data privacy, and the state of California passed the California Consumer Privacy Act. 

    To be on the safe side, if you are using analytics, follow matters relating to “personal data” in the GDPR. It’s all-encompassing when it comes to protecting user privacy. GDPR rules still apply whenever an EU citizen visits any non EU site (that processes personal data).

    Personally identifiable information (PII) vs personal data

    PII and “personal data” aren’t used interchangeably. All personal data can be PII, but not all PII can be defined as personal data.

    The definition of “personal data” according to the GDPR :

    GDPR personal data definition

    This means “personal data” encompasses a greater number of identifiers which include the online sphere. Examples include : IP addresses and URL names. As well as seemingly “innocent” data like height, job position, company etc. 

    What’s considered personal data depends on the context. If a piece of information can be combined with others to establish someone’s identity then that can be considered personal data. 

    Under GDPR, when processing personal data, you need explicit consent. You need to ensure you’re compliant according to GDPR definitions of “personal data” not just what’s considered “PII”.

    How Matomo deals with PII and personal data

    Although Matomo Analytics is a web analytics software that tracks user activity on your website, we take privacy and PII very seriously – on both our Cloud and On-Premise offerings. 

    If you’re using Matomo and would like to know how you can be fully GDPR compliant and protect user privacy, read more :

    Disclaimer

    We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing with PII. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns. 

    Additional resources :

Navigation