In general, Tidepool is an extremely open organization. Part of our mission is to transfer as much of our knowledge, intellectual property and work product to the public as we can, because we feel like that's better for the diabetes community. Examples of things that we explicitly make public:
Our source code.
Our finances (e.g., tax returns, audit documents and other public filings).
Our regulatory quality system.
Our user interface designs.
Our product planning boards.
Even with our commitment to openness, we don't make everything public. For example:
Code: Server configuration information is kept confidential.
Specifications: Most (if not all) of the device protocol specifications we have received from device makers are confidential.
Finances: We don't publish our bank account numbers or credit card info, details of every transaction we make, nor details of grants or contracts with partners.
Regulatory: There are tests related to system security that we keep secret. And passwords used to log in to test accounts that we keep secret.
Design: We occasionally are given design samples or other documents, such as from a device maker partner, with an expectation of confidentiality.
Product planning: We keep security issue planning private. We keep some internal planning documents private.
Meeting notes: We take copious meeting notes that we keep private, for both internal and external meetings.
Hiring: Information about interview candidates, including notes taken during the interview process, we keep private.
And, of course, we keep all of our users' Protected Health Information (PHI) confidential. As part of your onboarding, and then each year thereafter, you will be required to complete HIPAA training and to undergo an audit of your computer and mobile devices. Our publicly available HIPAA training materials and audit template documents are here.
In general, unless your job requires you to do so (e.g., for a project, for debugging a specific issue, or for providing customer support), you should never make copies of or publicly reveal any of our users' info, including names, email addresses or anything they store in their Tidepool account (on prd or int, which house our HIPAA-compliant data).
It may not always be obvious what is and is not confidential. If you are ever unsure, it's always best to assume that it is confidential and ask the Chief Privacy Officer (currently Howard).
FAQ
Is it OK for me to keep copies of everything I've worked on and take it with me when I leave?
In general, if we already make it public, then you get the same rights that everyone else in the public gets. We release most of our source code under BSD 2, and most of our regulatory, design and web content is made public under CC-BY-SA 4.0.
In general, other stuff that isn't explicitly made public should be considered confidential. You should not make personal copies of this stuff or send it to parties outside of Tidepool without checking with the Chief Privacy Officer (currently Howard) first.
What if there's something that isn't currently public that I think should be made public?
If there is something else that you think we should be making public that we currently aren't making public, feel free to talk to the Chief Privacy Officer (currently Howard) about it!
Who owns the intellectual property (IP) of the stuff I've worked on?
In general, our entity Tidepool Project owns the intellectual property of stuff you work on. That's pretty important, because it's what allows Tidepool to assert copyright and place a license on the work. You assigned the IP for your work to Tidepool as part of your employee agreement (through Zenefits) or your consulting agreement.
Fortunately, the licenses we choose (BSD 2 and CC-BY-SA 4.0) for stuff that we make public are pretty permissive. They give you (and everyone else) very broad, perpetual rights.
How do I know if something is public?
For source code, if it's in a public repo, it's public. If it's in a private repo, it's private (and there's probably a good reason to keep it that way).
For other documents and folders, such as Google Drive folders, we've tried to include PUBLIC in the name of public folders and documents. Other folders should be considered private (with permissions to match).
Trello boards say whether or not they are public at the top. In general, unless it's security-related, it's OK for all Trello boards to be public.
What should I do if I find something that we've made public that I think should be private?
Let the Chief Privacy Officer (currently Howard) know right away.