Wikimedia Foundation Access to Nonpublic Personal Data Policy Exceptions

The exceptions framework and correlated Access to nonpublic personal data policy change were approved by the Wikimedia Foundation General Counsel on August 20th, 2024, with authority delegated by the Wikimedia Foundation Executive Director under the Board delegation of policy-making authority.

The Wikimedia Foundation Access to nonpublic personal data policy is a board approved policy setting minimum requirements for who the Foundation will allow to gain access to nonpublic information, as well as when that nonpublic information may be used and disclosed. The Wikimedia Foundation may, at its sole discretion, provide Nonpublic Personal Data to groups of community members who are not covered by that Policy and to covered community members under terms outside of that Policy (“exceptions”). Such exceptions must be reviewed by the Wikimedia Foundation’s Legal department; approved exceptions are listed below:

1. Bureaucrats are permitted to access account two-factor authentication (2FA) status to verify whether other users have enabled 2FA prior to being added to groups that require 2FA. Bureaucrats are not covered under the Access to nonpublic personal data policy, but are nonetheless expected to use and disclose account 2FA status only when necessary.
2. Access to temporary account IP addresses and information about temporary account IP addresses are provided to users under the linked separate terms. Additionally, users who are covered by the Access to nonpublic personal data policy and have access to temporary account IP addresses are also permitted to disclose temporary account IP addresses when it is reasonably believed to be necessary, as provided by the separate policy.
3. English Wikipedia Arbitration Committee (ArbCom or Committee) access to Nonpublic Personal Data is covered by the Access to nonpublic personal data policy terms. However, the Committee is additionally permitted to disclose Nonpublic Personal Data publicly as part of decisions when the Committee has determined (1) a sanction is necessary and (2) disclosure of Nonpublic Personal Data in their decision is reasonably believed to be necessary for community safety or transparency purposes. Individual ArbCom members must still refrain from such disclosures when not speaking on behalf of the Committee, unless the disclosure was previously made by the Committee under the above authorized conditions.
4. Steward access to Nonpublic Personal Data is covered by the Access to nonpublic personal data policy terms except when disclosure is reasonably believed to be necessary by the Stewards’ collective decision process. As permitted by a Stewards’ collective decision, users within the steward group may disclose Nonpublic Personal Data to other users who do not have the same access rights and/or the public. Such disclosures must conform with the Stewards policy and the relevant section of the Privacy Policy, as well as any specific scope created within the Stewards' collective decision process.

If you have identified a possible exception or an apparent exception that is not listed above, please email legalwikimediaorg.