Talk:Limitations on mapping private information

From OpenStreetMap Wiki

Graves

What is the rationale for suggesting that names on graves not be mapped? For instance it is common in Ireland for there to be a large detailed map of every grave in a churchyard to enable people to find them. Locating graves in even quite small cemeteries is non-trivial. Information on gravestones is widely used for historical and linguistic studies too. I don't particularly foresee people mapping graveyards in earnest on OSM, but it seems an odd thing to suggest is personal data. SK53 (talk) 22:08, 12 February 2018 (UTC)

Thanks for opening the discussion. The line about cemetery=grave was reflecting an old tagging discussion, which is consolidated on the linked page with the line "Only significant graves are to be mapped". I already moved that item down from a "don't" to a "shouldn't". I see quite a difference in having a printed map at the entrance of a cemetery compared to a machine-readable database. Similarly, in Germany all the names of the inhabitants of an apartment block are printed on the doorbell panel, the same people would object to have that collected in a database. I'd assume many people would object to have their deceased relatives listed; though I don't know the legal side. Legislation if and how long privacy is protected after death is probably country-dependent.--Polarbear w (talk) 23:47, 12 February 2018 (UTC)
Either everyone has a 'right to privacy after death' in which case not only significant graves, but famous people plaques saying "xxx lived here" would be no go for OSM. Furthermore any notion of such a concept is fairly alien in Anglo-Saxon legal jurisdictions. The examples I refer to for scholarly study include: lichenometry using date on gravestones; linguistic studies which similarly use the language on the graves and date of death to determine historical boundaries of languages. The collection of such data is painstaking and awkward, sharing of such data is of value to scholars and people interested in their ancestry. A company which publishes maps of Irish Graveyards enables searches of data online[1]. SK53 (talk) 11:19, 2 March 2018 (UTC)
Maybe this case could be softened to "respect the rules in the respective country". Or dropped completely.--Polarbear w (talk) 13:47, 3 March 2018 (UTC)
I will remove it, but if there are places where it is a major concern it may go back with "respect local rules when mapping names on graves" Mateusz Konieczny (talk) 13:14, 11 May 2020 (UTC)
See for example these search results. It is a page provided by the administration of public cemeteries in the capital of Poland, allowing one to query grave location by name/surname/date of birth/date of death Mateusz Konieczny (talk) 13:32, 11 May 2020 (UTC)
https://www.twobirds.com/en/in-focus/general-data-protection-regulation/gdpr-tracker/deceased-persons lists examples of countries that may consider such info as private in law Mateusz Konieczny (talk) 07:23, 16 September 2020 (UTC)
It should be established whether name, date of birth, date of death (& possibly marriage partner) are included in personal data with respect to GDPR. I suspect not, as many activities require public information on a person's death. I would expect addresses of a recently deceased person to be something which should be kept private (mainly because such information may well allow personal information of someone living to be deduced). In practice I would reverse the statement and say that mapping graves with the name, date of birth and date of death is acceptable on OSM: we have abundant precedent with famous graves for this approach. SK53 (talk) 21:32, 16 September 2020 (UTC)

We have a rule for preserving privacy here that when you are doing genealogy researching, you may only access the public records of one who had been deceased for at least 30 years (or your own relatives). I think that sounds like a reasonable protection to follow. Certain records that afford special protection are exempt from this and can not be accessed even after that (related to medical history, ethnicity and so on). -Bkil (talk) 20:09, 20 July 2021 (UTC)

Private Infrastructure

I guess it is already covered, but it might be worth spelling out explicitly: there was some work in Nepal where the presence of an indoor toilet facility was mapped for each house. Clearly information such as this relates to the socio-economic status of the inhabitants and in my view should not be collected in OSM. SK53 (talk) 22:08, 12 February 2018 (UTC)

  • "Do not map private indoor facilities, like showers, toilets etc"? Mateusz Konieczny (talk) 13:17, 11 May 2020 (UTC)
    • Sounds good to me. SK53 (talk) 13:20, 11 May 2020 (UTC)
You can clarify as that for individual households. Indoor facilities of a publicly-known "private" club, etc, should be acceptable. -- Kovposch (talk) 22:15, 11 May 2020 (UTC)
I added it as "Do not map personal private indoor facilities, like showers and toilets in private apartments/houses" Mateusz Konieczny (talk) 20:50, 12 May 2020 (UTC)
Resolved: -- Kovposch (talk) 12:49, 13 May 2020 (UTC)

GDPR

w:General_Data_Protection_Regulation

A final point is that European GDPR which comes into force later this year, potentially makes adding personal data to OSM a serious offence in EU countries. So certain types of data are likely to be redacted anyway. SK53 (talk) 22:08, 12 February 2018 (UTC)

I think that the point of this page is to reduce work on adding private information and work to remove this private information - private information is already removed from OSM once spotted. Mateusz Konieczny (talk) 09:02, 13 February 2018 (UTC)
Is there anything that should be changed on that page given GDPR? Mateusz Konieczny (talk) 07:14, 16 September 2020 (UTC)
@SK53: Is there anything that should be changed on that page given GDPR? Mateusz Konieczny (talk) 17:27, 20 October 2020 (UTC)
This might be a problem: Do not name individuals in OpenStreetMap tags, unless their name is on a business sign posted towards the street, or part of the business name or otherwise publicly available. - Name and phone number is often posted this way on hairdressers, veterinary, lawyer's office, insurance agent's office (individual persons). But to me they look to be a "PII - Personally Identifiable Information" (both name and phone, even separately) which must be handled with agreement only. When they post it on their office's door, it's their own will, they handle their own data (as data controller and processor). But they never allowed OSM to handle it. What do you think? Kempelen (talk) 16:54, 20 July 2021 (UTC)
Do you have a pointer for those business names that contain personal names with regard to the GDPR and ideally also in relation to the freedom of information? What about the names of big companies? E.g. Ferdinand Porsche, Adam Opel, Enzo Ferrari, Robert Bosch, Werner von Siemens, Gottlieb Daimler, Carl Benz and Henry Ford may all be dead, but there are also a lot of companies whose founders are still alive and where their company has their name. —Dieterdreist (talk) 17:34, 20 July 2021 (UTC)
In terms of GDPR I'm not talking about names like Henry Ford, please. I've uploaded some real life examples here https://www.openstreetmap.hu/letoltes/kempelen/ (tel*.jpg) On each I grayed out names and phone numbers. Those are the data I'm concerned about. But without those data, these single-person company nodes will be just shop=hairdresser and no other info (office=estate_agent, office=lawyer, office=insurance and similar). There is basically no other info than the type of business plus one (or more) persons name and phone number. (Not Henry Ford's.) I'm afraid GDPR (and CCPA etc) prohibits adding those to OSM database, but open for discussion. Kempelen (talk) 19:40, 20 July 2021 (UTC)
In those examples, we are not publishing private information, they are themselves publishing the information and we are only recording it. There also isn't a connection from the telephone number to a person, as there are not last names. IMHO, if you are hesitant to add this information, do not do it, if others have already added it, engage with them and see if they can be convinced to remove the data, personally, I find it ok to add this kind of stuff, and I also believe it is in their best interest, so I do not see a moral problem either.--Dieterdreist (talk) 10:38, 21 July 2021 (UTC)
I'm not sure whether mapping names is that important, but without adding contacts, most POI lose a lot of their value. Did you consider how all of our competitors are mapping just this same set of information for each POI (Google Maps, Facebook, Foursquare, etc.)? What's next, we shouldn't map the public website (or wifi) of a POI unless we can be sure that it is owned by a company, because the NS records and IP addresses could be used against a person later on and may also contain parts of their name or initials? -Bkil (talk) 20:34, 20 July 2021 (UTC)

This is not to be considered legal advice. "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data." [2] Hence, if the hairdresser is an entrepreneur operating as a legal entity and they themselves opted to publish their phone numbers on the walls or store fronts visible from public property, this data is not to be subjected by the GDPR. If, on the other hand they are hired by a company as employees, that company must take GDPR-responsible measures before posting phone numbers on their walls (purchasing SIM's for work or getting consent from the workers). In neither case should OSM be in the red: we are just mapping what can be seen on the ground. If they delete the text from the wall, anyone can then delete the phone number from OSM as well if it did turn out to have been published there without their consent for example. -Bkil (talk) 20:34, 20 July 2021 (UTC)

ok, Henry Ford was not a good example, what about Norman Foster and Partners? —Dieterdreist (talk) 00:50, 21 July 2021 (UTC)
!!Not a lawyer warning!! https://www.fosterandpartners.com/ ? The name of company is not PII even if it is based on PII. See https://gdpr.eu/eu-gdpr-personal-data/ - "By using “natural person,” the GDPR is saying data about companies, which are sometimes considered “legal persons,” are not personal data.". In the same way as things in https://en.wikipedia.org/wiki/Category:Lists_of_things_named_after_people are not PII. And even if it is PII then it falls under some exceptions somewhere, especially as it was published by related person in way that strongly implies consent to using this name (is it sufficient?). Mateusz Konieczny (talk) 03:19, 23 July 2021 (UTC)

Private playgrounds and firepits

Is it fine to map private playgrounds and private firepits?

I am 100% fine with mapping them on even venues and so on (access=customers) but I am unsure about mapping them on a completely private property Mateusz Konieczny (talk) 07:19, 16 September 2020 (UTC)

I don't see why they should not be mapped, provided you put the proper access tag. In my street there are several playgrounds, all accessible to the public but on private property (homeowners association) - there has never been an attempt to close off access to them, it could possibly be prohibited by building codes to limit access. --Stalfur (talk) 10:15, 16 September 2020 (UTC)

What borderline?

The statement "Limit the detail of mapping private backyards. As a guideline, permanently installed private swimming pools, or some structure of a semi-public garden appear to be the borderline of being acceptable. Add access=private as appropriate." makes no sense. Anyone care to expand on why this is? --Stalfur (talk) 10:20, 16 September 2020 (UTC)

I'd imagine that since this page advertises itself as 'reflecting consensus' (although it doesn't say of whom), that means some people would put mapping private pools on one side of the acceptable-unacceptable line, and others would put it on the other side. But as a guidance page, that's not particularly helpful. From my perspective, pools would seem to be covered by the emergency use point of why_we_won't_delete_roads_on_private_property. Arlo James Barnes (talk) 14:42, 16 September 2020 (UTC)
I just came here to write about the very same paragraph. For me mapping things in semi public gardens (maybe different people have different ideas about the term semi public) is not at all borderline or an edge case, it can be mapped without problems. —Dieterdreist (talk) 08:14, 20 October 2020 (UTC)
I understand it as "as far as mapping private infrastructure in gardens, mapping private swimming pools is fine but mapping other smaller private equipment/infrastructure in gardens may start becoming unwanted". As far as I know mapping private pools is clearly accepted. Feel free to amend/rewrite it. Mateusz Konieczny (talk) 17:29, 20 October 2020 (UTC)
Mateusz, the problematic sentence is: As a guideline, ... some structure of a semi-public garden appear to be acceptable, but on the borderline between "acceptable" and "not acceptable"--Dieterdreist (talk) 20:35, 20 October 2020 (UTC)

Suggested detail of mapping elementary, middle, and high school student-only areas, gated communities, and front yards or backyards of private houses.

Suggested to map:

  • Grass areas and trees: Map anywhere outside of elementary, middle, and high school student-only areas, gated communities, and front yards or backyards of private houses.
  • Front yard businesses or gardens: Map unless inside or in the backyard of a private house.
  • Elevators, fire extinguishers, or AEDs: Map unless inside or in the backyard of a private house, or used to gain entry in the case of elevators.
  • Swimming pools, solar panels, basketball courts, or tennis courts: Map unless inside of a private house.