Skip to end of banner
Go to start of banner

2022-11-04 Privacy SIG notes

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Date

Attendees

Goals

Discussion items

TimeItemWhoNotes
5 minIntroductions and what are you hoping to take away from this meeting

 5 min Review/adjust agendaAdam
10 minKevin Day, FOLIO Prokopovych development asked question about PDD for, "I have questions on specific and possible interpretations of the PDD form. Particularly in regards to the way 'store' is being used on the form."Kevin
20 min

Start working through the questions issues Ingolf raised earlier in the fall:

On slide 5 : "Where is my data stored ?"

According to Julian, there is no right of the individual to obtain these kinds of information.

It suffices to state what personal data are being stored, for what reason and for how long.

"Stored" is likely a wrong translation from the German version of GDPR, and refers to Art. 13 of GDPR, Art. 13 GDPR - Information to be provided where personal data are collected from the data subject - GDPR.eu , and should mean "from where are my personal data being collected ?"


However, some other points which I mentioned in the previous email are still valid and should be worked out by this SIG.


Julian also pointed out that some care has to be taken when personal data are being transfered to a third country or an international organization. Reference: Point 2. of articel 15. : Art. 15 GDPR - Right of access by the data subject - GDPR.eu .

In this case, "the data subject shall have the right to be informed of the appropriate safeguards ... relating to the transfer."

This will be relevant for hosting providers like EBSCO and IndexData and should be covered also by this SIG (although the German institutions plan to self-host).


Other things apply and should be discussed in this SIG, e.g. Art. 30, g. , also Julian mentioned:

Art. 30 GDPR - Records of processing activities - GDPR.eu

"where possible, a general description of the technical and organisational security measures referred to in ..."

This is something where I still say we should collect this information for FOLIO in some kind of glossary.

Ingolf
  • Under GDPR, users have a right to know (a) What PD is collected, and (b) how it is processed, but are not entitled to receive information about where that data is stored.
  • Data Subject = end user. To understand who/which entities are the Data Controller and Data Processor, we need to understand the end-to-end flow of PD.
    • For example: Since data is input/provisioned in FOLIO by the Library or University, the Library or University is the Data Controller; whereas the hosting entity is the Data Processor. This is typically how Controller/Processor would be interpreted under GDPR, but mapping the flow of data will help confirm.
  • Action proposed for this group: Generate a data flow map, to show where PD originates, where it is stored > processed > transmitted. This will help with working through GDPR questions, and down the line will also help FOLIO implementors understand the flow of data through their integration.
  • Matt N. mentioned that the IAPP may be a good resource for data mapping examples: https://iapp.org/
20 minRaw PDD data → so  → GDPR complianceAllDiscussion of our understanding of the GDPR analysis and compliance workflow and what FOLIO and FOLIO Privacy SIG might improve to make it easier

Action items

  •  
  • No labels