2019-05-31 Reporting Data Privacy Working Group Meeting Notes



We will use Joyce's webex account for our weekly meetings:



Discussion items


Limited role of FOLIO Community in enforcing data privacyIngolfIngolf found out that the FOLIO Community has an important but limited role in enforcing data privacy. Specifically, we need to make sure that data are erasable upon a user's demand, that personal data not needed for reporting are not transferred, and that personal data needed for reporting are anonymized prior to being transferred to the LDP. A list of all data fields needs to be given to the Library's Data Privacy Officer, who will then create forms for users to sign (informing users about the types of data that are collected, and why). These types of forms will differ across libraries, based on each country's and university's laws. The Data Privacy Officer is at the university or library level, and it is FOLIO's charge only to provide information (data fields) to the data privacy officer, as well as ensure that technically personal data can be erased, and that these data are anonymized prior to LDP transfer.

Tasks of the FOLIO Community to fulfill GDPRIngolf
  • A List of Data Fields
    • what personal data are stored
    • where are the personal data stored
    • in what form are the personal data stored
    • how are the personal data transferred
    • What personal data are stored about a specific person (a data dump) ?
  • Technical ability to erase personal data of a specific person (at any time).
    • Ability to erase only some fields of personal data, not all

Survey members about data privacy requirementsAllSharon Beltaine had suggested that it would be a good idea to survey members about their data privacy requirements, so that these can be addressed either via LDP or other ways (anonymize vs. erase data, based on individual institutional requirements, and on compliance needs). After Ingolf's update on FOLIO's role in fulfilling data privacy requirements, we wondered whether a survey was required. If a configuration table is set up that anonymizes all personal data before it is transferred, then that would fulfill the stringent GDPR requirements, as well as any requirements of American libraries. We need Nassib's input on this.

Action items