2022-11-07 Privacy SIG notes

Date

Attendees

Goals

Discussion items

Time | Item | Who | Notes
5 min | Introductions and what are you hoping to take away from this meeting

5 min | Review/adjust agenda | Adam
10 min | Kevin Day, FOLIO Prokopovych development, asked a question about the PDD form: "I have questions on specific and possible interpretations of the PDD form. Particularly in regards to the way 'store' is being used on the form." | Kevin

A couple of takeaways from the discussion:

  • Pragmatically speaking, from the perspective of the Privacy SIG, the subtle distinction between store and process is less important than knowing that a module handles personal data.
  • Even though a free text field might contain personal data, we are reluctant to say that it does contain personal data by default. Instead, it would be better to recommend in an implementors' guide that implementors not put personal data in free text fields unless they are prepared to document that choice locally.
20 min

Start working through the questions/issues Ingolf raised earlier in the fall:

On slide 5: "Where is my data stored?"

According to Julian, there is no right of the individual to obtain these kinds of information.

It suffices to state what personal data are being stored, for what reason and for how long.

"Stored" is likely a wrong translation from the German version of GDPR, and refers to Art. 13 of GDPR, Art. 13 GDPR - Information to be provided where personal data are collected from the data subject - GDPR.eu, and should mean "from where are my personal data being collected?"


However, some other points which I mentioned in the previous email are still valid and should be worked out by this SIG.


Julian also pointed out that some care has to be taken when personal data are being transferred to a third country or an international organization. Reference: Point 2 of article 15: Art. 15 GDPR - Right of access by the data subject - GDPR.eu.

In this case, "the data subject shall have the right to be informed of the appropriate safeguards ... relating to the transfer."

This will be relevant for hosting providers like EBSCO and IndexData and should be covered also by this SIG (although the German institutions plan to self-host).


Other things apply and should be discussed in this SIG, e.g. Art. 30, g., also Julian mentioned:

Art. 30 GDPR - Records of processing activities - GDPR.eu

"where possible, a general description of the technical and organisational security measures referred to in ..."

This is something where I still say we should collect this information for FOLIO in some kind of glossary.

Ingolf
  • Under GDPR, users have a right to know (a) What PD is collected, and (b) how it is processed, but are not entitled to receive information about where that data is stored.
  • Data Subject = end user. To understand who/which entities are the Data Controller and Data Processor, we need to understand the end-to-end flow of PD.
    • For example: Since data is input/provisioned in FOLIO by the Library or University, the Library or University is the Data Controller; whereas the hosting entity is the Data Processor. This is typically how Controller/Processor would be interpreted under GDPR, but mapping the flow of data will help confirm.
  • Action proposed for this group: Generate a data flow map, to show where PD originates, where it is stored > processed > transmitted. This will help with working through GDPR questions, and down the line will also help FOLIO implementors understand the flow of data through their integration.
  • Matt N. mentioned that the IAPP may be a good resource for data mapping examples: https://iapp.org/
20 min | Raw PDD data → so  → GDPR compliance | All | Discussion of our understanding of the GDPR analysis and compliance workflow and what FOLIO and FOLIO Privacy SIG might improve to make it easier

Action items

  • Continue to encourage FOLIO module owners to update their PDD forms so we can get a big picture view of which modules handle PD. Developing a method for checking updates to PDD forms continues to be a priority for the SIG.
  • Generate a data flow map, to show where PD originates, where it is stored > processed > transmitted. This will help with working through GDPR questions, and down the line will also help FOLIO implementors understand the flow of data through their integration.
  • Review data mapping examples from the privacy professionals community.