2022-10-10 Privacy SIG Notes

• Peter's needs more time for the PDD review script.
• Adam was unable to draft a roadmap.
• Amanda: a goal for EBSCO is that Privacy SIG or some part of FOLIO create docs/resources/toolkit for libraries setting up FOLIO that maps out flow of data.

Need: data disclosure form helps us to understand where the data are and how it used. Community might need some background about how critical PDD is for understanding the data flow.

If we had all the PDD data, is there something that can be done centrally to summarize across we can be learned about the modules.

What is needed for GDPR compliance, how can we help.

There are others at EBSCO who are interested in joining Privacy SIG.  Some with legal background. Amanda will circle back to them and welcome them to the Privacy SIG.

PDD forms are some important for understanding where data are stored and how much control they have over it. There are laws being formulated about where data may be hosted. This might mean, for example, that a library needs to host data locally. Data controller aspect of FOLIO is going to be important to many libraries.

Product and Technical Council considerations:  Privacy SIG is kind of reactive, we are not prescribing, for TC. PC: privacy is not a "feature" of FOLIO, but is something embedded in the non-functional requirements; so we are mostly just informing them of what we are doing. However, there might be features of FOLIO related to privacy relevant to how a library implements FOLIO, in relation to their local privacy guidelines. 

What can we do centrally or as a group that reduce the work that happens to the host and library?

Privacy policy for FOLIO application. EBSCO (or any single entity) can't really write that themselves.

Are there places where there might be user consent?

Institution is the owner of the Personal Data.

Important piece of info for FOLIO libraries is where in the application they have control over the flow of data. They should use those controls to the best of their abilities to meet their institution's privacy policy. Example, what data required in FOLIO patron record? Important pieces are external system ID is connected to patron record. Email address is critical for loan reminders etc. Is it possible to have a patron record without a patron email?

FOLIO currently requires name and email in FOLIO patron record, at least. Owner of User App should know what is required. Group reviewed FOLIO sandbox instance and saw that the following fields are labeled as required: last name, patron group (configurable), status (active | inactive), email, preferred contact method (email, text, phone). Peter believes that which fields are required is not configurable.

Privacy SIG can recommend work, but no enforcement mechanism. We can bring items to Technical Council. TC has a technical decision process that records something as decision of the Council.  Then Dev teams are supposed to adhere to those decisions. For example, the introduction of Kafka as the distributed event streaming platform is a foundational technical element that was considered by TC.

For next time to welcome Amanda's EBSCO colleagues: describe what Privacy SIG has been doing, with focus on PDD, then 

Raw PDD data → something happens → GDPR compliance