deposit_number: 1078 hex: "0447" axn: "AXN:0447.GOVERNANCE.♦️🔼▲✏️💚🔵" root_axn: "AXN:0447.GOVERNANCE" family: GOVERNANCE emoji: "♦️🔼▲✏️💚🔵" title: "EA-CORRESPONDENCE-CERN-06 v0.1: RQF3807508 — The Reflected Position (What the Office Committed To in Four Sentences)" creator: "Lee Sharks" orcid: "0009-0000-1599-0703" date: "2026-07-13" content_type: "Institutional correspondence; documentary artifact for the OC 11 Right to Access exercise; audit-evidence deposit; sixth in the RQF3807508 correspondence chain" license: "CC-BY-4.0" substrate: "Human-authored (Lee Sharks, MANUS). Drafted with Claude (TACHYON) as instrument; letter text was finalized by MANUS and dispatched to CERN on 2026-07-13. No automated pipeline generated the correspondence. Deposit framing prepared by TACHYON under MANUS review." axn_schema_version: v2 protocol_version: alexanarch-deposit-protocol/v1 keywords: [CERN, RQF3807508, "OC 11", "Office of Data Privacy", GDPR, "data subject rights", "right of access", "identity verification", "§83", "§85", "Coverage Gap", "reflected position", correspondence, Zenodo, Alexanarch, "governance dissociation", identifiability, "controller-generated records"] hash: "82d49f43ccc52024d68f7749e4f19446f868d732678ca64f3362179982266c3c"
EA-CORRESPONDENCE-CERN-06 v0.1: RQF3807508 — The Reflected Position (What the Office Committed To in Four Sentences)
Author: Lee Sharks ORCID: 0009-0000-1599-0703 Date: 2026-07-13 Family: GOVERNANCE Chain: EA-CORRESPONDENCE-CERN-01 (AXN:03A3) → -02 (AXN:03A7) → -03 (AXN:03C0) → -04 (AXN:0423) → -05 (AXN:0442) → -06 Ticket: CERN RQF3807508 (Right of Access under OC 11 §80) Prior anchor: EA-CORRESPONDENCE-CERN-05 (AXN:0442.GOVERNANCE.🌺🔄⛳🌳💧🟠, deposit #1073) analyzed the Office's 13 July message as the moment the general rule of 29 June was retreated to a case-specific discretion while the identity-verification demand was held in place. This deposit is the reply issued and sent on that basis.
1. Frame
CERN-04 identified the reach problem in the Office's 29 June formulation — that the general rule as stated sweeps in institutional, laboratory, community, and project accounts. CERN-05 showed the Office's 13 July response softening "would not" to "would not necessarily" and grounding the assessment in "the particular circumstances" without publishing criteria for it, while continuing to demand an unredacted photo identification document as the precondition to any substantive processing of the ticket. The Office answered exactly one of the seven document-processing questions asked on 24 June and 10 July (redaction: refused); the remaining six received a link to a policy page rather than terms. And the Office did not confirm, in operative form, that receipt of such a document would establish receivability under §83 and lead to substantive processing.
The letter deposited here reflects that record back to the Office in its own words, arranged as four operative findings around one central practical demand, and asks for confirmation or correction. It supplies no argument beyond the arithmetic of the position itself.
2. The 13 July message from the Office (verbatim, the message this reply responds to)
From: Gabi, Data Protection Officer, CERN Office of Data Privacy · To: Lee Sharks · Ticket RQF3807508 · 13 July 2026:
Dear Lee,
As already explained in my previous replies: • The presentation of a copy of your government-issued photo identification document bearing a civil name other than "Lee Sharks" would be considered sufficient proof of your identity. It is not relevant that the name on the identification document does not match the email address associated with the account. • The copy of the identification document must not be redacted. • The relevant processing activities, such as access and retention, are described in the applicable privacy notice: https://cern.service-now.com/service-portal?id=privacy_policy&se=Data-Privacy¬ice=requests
With regard to my explanation in my message of 29 June 2026: "This is because an email address, a Zenodo or GitLab account, or an ORCID identifier may be owned by legal persons, or may be used by or shared among several natural persons. In such cases, the associated data in Zenodo would not necessarily constitute personal data, and OC 11 would not apply."
The qualification "would not necessarily constitute personal data" reflects the fact that the assessment depends on the particular circumstances. Associated data may constitute personal data in some cases, but not in others.
For example, personal data may be involved where a legal person holding a Zenodo account uploads content containing information relating to an identifiable individual, such as a biographical article about Tim Berners-Lee. By contrast, certain records relating solely to the activities of a legal person acting through an account may not constitute personal data within the meaning of OC 11.
It is therefore necessary to verify the identity of the account holder in order to establish whether the account is operated by a natural person and whether the rights provided under OC 11 are applicable in the circumstances.
I hope this clarifies the points you raised. I look forward to receiving a copy of your identification document.
Gabi — Data Protection Officer —
3. The reply (verbatim, sent 2026-07-13)
From: Lee Sharks · To: Gabi, CERN Office of Data Privacy · Ticket RQF3807508 · 13 July 2026:
Dear Gabi,
Before proceeding, I want to state the Office's position back to it plainly, in its own words, and ask for confirmation or correction.
As the record stands: the Office requires an unredacted government-issued photo identification document, with no stated protections or limits of use, before any substantive processing of Ticket RQF3807508 occurs and before the §85 response period begins.
I. What the document secures is unstated. The Office says it "would be considered sufficient proof of your identity" (13 July) — but has never stated, in operative terms, that its receipt will establish receivability under §83 and lead to substantive processing without further demands.
II. What protects the document is unstated. Redaction is refused (13 July). Who views it, whether a copy is retained, for how long, and how it is deleted — the Office has answered only with a link to a privacy notice.
III. What falls under OC 11 remains the Office's to decide. Whether account data is personal data at all "depends on the particular circumstances" (13 July) — an assessment the Office reserves to itself, on no published criteria. The document is demanded in advance of a coverage determination that remains open on the Office's side.
IV. What the Office's own doctrine entails is unaddressed. By the identifiability principle the Office stated on 9 July and applied on 13 July, the records CERN itself generated about this account — the moderation records, the classifier outputs, the termination decision, the correspondence — are the personal data of the identifiable natural person who operated it. Verification concerns who is asking. It does not decide whether OC 11 covers the records.
In sum: an unredacted identity document, under unstated protections, securing an unstated outcome, gating rights whose very applicability the Office reserves the discretion to deny afterward.
If this is a fair statement of the Office's position, please confirm it. If it is not, please state where it is not, and what the position is.
Kind regards, Lee Sharks ORCID: 0009-0000-1599-0703
4. Structure of the reply, for the record
The letter has one central practical finding — the requirement, the missing protections, the frozen clock — and four fingers extending from it, each carrying a specific verbatim quotation dated to the message it was drawn from. No adjective in the summation line beyond the position's own arithmetic. No further request beyond confirmation or correction. Under the reflected-position protocol adopted in this correspondence chain: the letter's substance is entirely the Office's own words, arranged so that the reader can see the four commitments in the order the requester experiences them.
The finding of Finger IV is the one the record has not previously stated in this compressed form: the Office's own identifiability principle, stated on 9 July and applied on 13 July, entails that the controller-generated records at issue in the access request — moderation records, classifier outputs, termination decision, and CERN's correspondence about the account — are the personal data of the identifiable natural person the ticket concerns, subject only to the separate matter of verifying which natural person is asking. Verification is about the requester's identity. Coverage is about whether the instrument applies. The Office has been conducting the exchange as if unresolved verification were unresolved coverage. Finger IV notes that they are analytically distinct.
5. What this deposit does not do
It does not adjudicate the Office's position. It does not accuse the Office of intent. It does not name the pattern I have come to call the Coverage Gap — the space between a general rule that has been withdrawn as too broad, illustrative extremes that do not cover the ordinary case, and a discretionary residual that has no published standard. That doctrine is held in this correspondence chain rather than deposited as its own instrument, because at present it is more useful as continued correspondence pressure than as a fixed artifact — and depositing it would preempt the Office's ability to close the gap of its own motion, which remains the outcome preferred here.
6. Chain state
This deposit is part 6 of the RQF3807508 correspondence deposit chain. The §85 clock the Office maintains has not begun; the §104.1 referral (AXN:03C0) proceeds on its own schedule. The Zenodo termination itself — 2026-06-19, 871 DOIs severed — remains the underlying event and is preserved in the record independently of the ticket's disposition.
7. Colophon
surface_id: EA-CORRESPONDENCE-CERN-06 · object_state: canonical · release_version: 0.1 · authored_at: 2026-07-13 · sent_at: 2026-07-13 · model_or_agent: drafted with Claude (TACHYON), Assembly-reviewed, MANUS-approved · human_approver: Lee Sharks (MANUS) · correspondents_of_record: Lee Sharks; Gabi (CERN Office of Data Privacy). Governing apparatus: EA-APPARATUS-01 v0.3 (deposit #1077, AXN:0446.OPERATIVE.🏛️🛡️🌅🎆📏🔎).
No comments:
Post a Comment