Confidentiality, policy etc

We’ve been testing OJS for some time and are now thinking about running a journal in anger; our central IT service has asked for some information on the confidentiality of account information and our policy on removing user accounts. In addition, they are not happy that passwords are sent in plain text… I have sent the reply below; is this accurate, and would anyone be able to point me at any similar policy examples?

Account information is confidential and will only be accessible by the system administrator and Journal manager which is likely to be limited to a small number of colleagues in the Library.

The policy on user accounts will need to be formalised, but we will delete accounts if requested to do so.

We have full control over system-generated email, so I am able to remove the plain-text password from the registration email, for example.

Hi @BeckettResearch,

Nothing requires passwords to be sent in clear text; they can be removed from the email templates. Processes like password reset etc. don’t depend on mailed passwords. Account passwords are stored hashed and never in plaintext.

As for account information confidentiality, only privileged roles (Journal Manager, Editor, Site Administrator) can view account information (beyond of course what’s published as part of the journal, like authorship information).

Let me know if IT raises any other specific concerns and I’ll provide the details.

Regards,
Alec Smecher
Public Knowledge Project Team

Great, thanks for the swift response.

Nick