2021-06-15 - Privacy SIG Notes

  • Restart the FOLIO Privacy SIG

Discussion items

10 min: Meeting startup
  • Introductions of new attendees
  • Decide if we want to keep our meeting recordings

Agreed to store the recordings of the SIG meetings for four weeks.  The convener will be responsible for deleting them.  Recordings to be open at this time; we may need to revisit this topic in the future.  The legitimate interest is to allow people to catch up on the activities of the meeting.  There may be an interest in saving portions of a meeting (like a presentation) for a longer period of time.

Noting that our decisions about our recordings can have an impact beyond the Privacy SIG.  How we are thinking about our Zoom recordings can set an example for other SIGs and how they use their meeting recordings.  FOLIO might need a body/committee to handle privacy-related needs: a group that has the authority to implement decisions/needs related to privacy.

20 min: Review of the Privacy SIG charter (all)

Make edits to the Google Docs draft of the charter.

Log file privacy

SIG should find answers to the following questions:

  • Where is login and logoff information (date, time, username) stored in the system log files (Okapi, modules), and how long is it stored?
  • What other personalized information on other processes (check in, check out, ...) is stored in the system log files, and how can it be configured to be deleted automatically after a certain period of time?

Information needed to draw up the list of processing activities in compliance with GDPR

For GDPR, we need this list of processing activities.  We need to coordinate with the technical teams to understand what is being stored.  For instance, login information in Okapi is stored by default for 10 days.  In a complete install of Iris, there are 59 containers and so 59 log files.  What are the defaults, how to configure it, and what is stored?  Postgres can also log activities.  ElasticSearch, when implemented, will also log activities.

Ask the developers for the log4j configuration files.  What are the defaults and what are the impacts of changes to the log file configuration?  How can sites make informed decisions about the impact of these log files?  Forensic logs versus statistical/analysis logs.

Action items

  • Make edits to the Google Docs draft of the Privacy SIG charter
  • Peter Murray to create a draft document for asking the development teams about module log files