What does GDPR allow? What is not allowed? What is in compliance? What is not in compliance? How much time to address?
FOLIO's record tracking, keeps track of when record was created and updated and by whom.
With version history in POs/POLs capture in every step.
Some libraries in EU use functional/shared logins rather than individual logins as workarounds.
Is the existing pattern a problem? - Record last updated / record created + user details
Owen Stephens 8:20 AM This may be something worth discussing with the Privacy SIG Privacy SIG Home.
They have a lot of knowledge about GDPR
We omitted the source from the record metadata in Agreements and Licenses because this concern was raised by libraries in Germany
Has been a problem from the beginning. Functional/shared accounts are a workaround. Would be great if this could be switched off on a system level for a tenant.
scolglaz 8:22 AM +1 to be able to switch on or off by tenant!
Joe Reimers (EBSCO) 8:21 AM Do you know who the responsible PO is offhand?
Owen Stephens 8:22 AM There’s no PO because it’s not a development area
Legislation not the same worldwide. Lack of information also an issue for some.
Different libraries may have different interpretations of what can be recorded.
scolglaz 8:22 AM We are definitely used to seeing this info--from our old system etc--and find it extremely helpful!
Kristin Martin 8:24 AM We use this information all the time too.
Might want to use to monitor what people are doing and might be seen as illegal in Europe
"Haven't done any work today" - seen as unacceptable.
Argument needs to be in favor of configuration because it is clear that there is no universal truth around what is allowed and what is not.
Owen Stephens 8:26 AM If it’s recorded at all then it would be available for reporting which would still be an issue
scolglaz 8:27 AM just FYI: in Agreements, it just always says: Unknown
Not just name of user that is problematic? Even UUID being in record could possibly violate their privacy?
If traceable back to the person, it's an issue.
Don't know what minimum numbers are to obfuscate the data. Seems like it needs to be at least two.
Sara - Maybe should be taken up by cross-app?
Ultimate solution has to be to set this at the tenant level
5 Colleges finds this information extremely useful
Use reporting tool and pull out data based on which institution touched which record for cleanup purposes, etc.
Pretty much recorded in most other apps.
Have very limited number of people who work in agreements, so would likely know anyways.
wiljanen 8:31 AM I use it to locate items from acquisitions to circulation
Not sure whether in Resource Access this is used at the moment.
Kristin - Also hadn't noticed this in agreements. What is the reason for not recording the information? For GDPR compliance?
Haven't prioritized because it was clear from the start from those commissioning that recording personal information at that level would be problematic. Have felt the way to approach this is to configure. Has not been prioritized. Extra work that would take away from other development work. What are the right compromises around this?
scolglaz 8:35 AM In the Circulation Log there is a Source column that shows who checked something in or out ...
scolglaz 8:36 AM ANd in the User record Source is visible for create and last updated
Kimberly.Smith@mtsu.edu 8:37 AM Sounds like it would be important to ask our current consortia and oncoming consortia about the need for this feature and where...
~:37 - Dennis - Are there any circumstances where certain applications might be omitted? Are there any apps where you actually might be able to use this data? e.g. Because it is a certain kind of content or workflow.
Not illegal to store personal data. Constrains the use of that data. Problem at staff level is that there is more at stake when you introduce idea of being able to track what work people are doing.
Martina Schildt 8:39 AM I think we should definitely hear a GDPR expert on this.
scolglaz 8:38 AM Just checking Invoices & Finance, too, and also Source shows who created and last updated
Joe Reimers (EBSCO) 8:39 AM Current FOLIO pattern is that this is ALWAYS captured for ALL record types. This meeting is to determine, "is this a problem, and how much of one is it?" Other than ERM, that is. Also, how is Chalmers handling ti?
It is a problem, for certain sites.
Kristin Martin 8:40 AM That's not true, if it is not captured for Agreements. There isn't actually consistent behavior.
scolglaz 8:40 AM Thanks, Joe, I was just trying to underscore that there needs to be a FOLIO wide solution, hence my suggestions re: Cross App to take this up
Owen Stephens 8:42 AM I tend to agree Sara although a “FOLIO wide solution” may be quite tricky here - but definitely worth us discussing at cross app I agree
System should work for all. Switch sounds like a good solution that would solve all needs across the community.
Consult EBSCO privacy team
Wouldn't be useful to have this as an app level setting. May be difficult to implement a global setting because of how these things function. May need to establish pattern for apps to follow.
Most likely way forward would be to have pattern that apps could adopt.
Joe Reimers (EBSCO) 8:46 AM Please feel free to add additional feedback/comments/questions to the wiki page! The more, the merrier!
Does introduction of change log with this information make this situation worse than it already is?
Can you wipe order history with commerical companies through GDPR?
Does give that kind of protection, at least in theory