...
Time | Item | Who | Notes |
---|---|---|---|
5 min | Introductions and what are you hoping to take away from this meeting | | |
5 min | Review/adjust agenda | Adam | |
10 min | Kevin Day (FOLIO Prokopovych development) asked a question about the PDD form: "I have questions on specific and possible interpretations of the PDD form. Particularly in regards to the way 'store' is being used on the form." | Kevin | A couple of takeaways from the discussion: |
20 min | Start working through the questions and issues Ingolf raised earlier in the fall: On slide 5: "Where is my data stored?" According to Julian, there is no right of the individual to obtain these kinds of information. It suffices to state what personal data are being stored, for what reason and for how long. "Stored" is likely a wrong translation from the German version of GDPR, and refers to Art. 13 of GDPR (Art. 13 GDPR - Information to be provided where personal data are collected from the data subject - GDPR.eu), and should mean "from where are my personal data being collected?" However, some other points which I mentioned in the previous email are still valid and should be worked out by this SIG. Julian also pointed out that some care has to be taken when personal data are being transferred to a third country or an international organization. Reference: Point 2 of Article 15 (Art. 15 GDPR - Right of access by the data subject - GDPR.eu). In this case, "the data subject shall have the right to be informed of the appropriate safeguards ... relating to the transfer." This will be relevant for hosting providers like EBSCO and IndexData and should be covered also by this SIG (although the German institutions plan to self-host). Other things apply and should be discussed in this SIG, e.g. Art. 30, g., also Julian mentioned: Art. 30 GDPR - Records of processing activities - GDPR.eu "where possible, a general description of the technical and organisational security measures referred to in ..." This is something where I still say we should collect this information for FOLIO in some kind of glossary. | Ingolf | |
20 min | Raw PDD data → so → GDPR compliance | All | Discussion of our understanding of the GDPR analysis and compliance workflow and what FOLIO and FOLIO Privacy SIG might improve to make it easier |
...
- Continue to encourage FOLIO module owners to update their PDD forms so we can get a big picture view of which modules handle PD. Developing a method for checking updates to PDD forms continues to be a priority for the SIG.
- Review PD: generate a data flow map to show where PD originates and where it is stored > processed > transmitted. This will help with working through GDPR questions, and down the line will also help FOLIO implementors understand the flow of data through their integration.
- Review data mapping examples from the privacy professionals community.