...
https://dukeuniversity.webex.com/join/jcc81
Goals
- Decide on Updates and discuss next steps for our group; what do we take to the Reporting SIG, and is there anything further that our group can do at this time?
Discussion items
| Time | Item | Who | Notes |
|---|---|---|---|
Updates from Joyce on LDP reports containing personal attributes that she sent to the Reporting SIGreport owners, to determine whether the reports can remain functional if personal data are removed Updates from Ingolf about staff data privacy (audit trails) |
Meeting Notes
- Based on Ingolf's conversations with a data privacy officer, we formulated a list of attributes considered personal data, which should not be included in the LDP. A few attributes were flagged as unnecessary for reporting purposes, and should also be excluded (see Table 1 below).
- As well, we flagged several attributes that can only be included if they are formulated in a specific way (see Table 1A below).
- Tables 1 and 1A should Joyce went through all the LDP reports and flagged those containing personal data, which she then sent out to report owners. Of the 36 reports that Joyce flagged, report owners identified 24 that need to retain these data in order to be functional. These will now be shared with the Reporting SIG .
- We all agreed that it would be very time-consuming for this small group to look through all the reports and flag them. As well, as the reports are often described at a higher level, without an actual list of attributes included. Each report needs to be understood in depth, to determine whether it contains personal data attributes or not. We need to crowd-source the process of flagging reports.
- Update on 7/8/19: Joyce Chapmanlooked through the reports and found that "There are 32 that I found that could have personal data. Some I don't have enough info about, others it's very clear. Basically every single report on the user mgmt tab of the reporting master spreadsheet is for sure personal data -- these are all reports that call up different types of lists of patrons. 18 of the 32 I marked as "definitely" including personal data, and 11 of those are the "user mgmt" tab of reports." These are at https://docs.google.com/spreadsheets/d/1nR9frGMUgWq6TNKJFhY84FJx2Cwnlndnd2iq6p0wDx4/edit#gid=0
- Before taking on the issue of staff data privacy, we want to ascertain whether any reports of audits will ever need to be run from the LDP, instead of in-app. This may not be an LDP problem at allto determine whether all 24 reports can be made in-app, or whether some have to remain LDP reports, and if so, how do we handle the issue of data privacy?
- Ingolf 's conversation with a data privacy officer makes it clear that there is a marked difference between European and U.S. Universities in the matter of staff data privacy (audit trails). In Germany, staff data that can be stored only is there is a valid reason for this. It must be either a legal reason (required by law), or part of a contract that am employee has signed. Such contracts are always vetted by Employee Councils, which are part of each organization, and Employee Councils would not agree to staff data being stored for reasons such as running reports on, for example, how many items one individual has catalogued. We discussed how in the U.S., library management systems often have 'notes' fields, and staff members may identify themselves when entering specific notes, so that others may contact them for further information. As well, there is no equivalent of an Employee Council that has a say in staff audit trails. Such trails are used in many different ways in the U.S., and it is unlikely that U.S. universities will be able to do without them. Thus, there will have to be a dual system in FOLIO.
- Both issues now need to be handed over to the larger FOLIO community, as we may have come to an end of our fact-finding mission.
Action items
Present the above discussion to the Reporting SIG on Monday, July 22nd.
...