2019-07-19 Reporting Data Privacy Working Group Meeting Notes

Date

Attendees


We will use Joyce's Webex account for our weekly meetings:

https://dukeuniversity.webex.com/join/jcc81

Goals

  • Give updates and discuss next steps for our group: what do we take to the Reporting SIG, and is there anything further that our group can do at this time?

Discussion items

Time | Item | Who | Notes

Updates from Joyce on LDP reports containing personal attributes that she sent to report owners, to determine whether the reports can remain functional if personal data are removed

Updates from Ingolf about staff data privacy (audit trails)




Meeting Notes

  • Joyce went through all the LDP reports and flagged those containing personal data, which she then sent out to report owners. Of the 36 reports that Joyce flagged, report owners identified 24 that need to retain these data in order to be functional. These will now be shared with the Reporting SIG to determine whether all 24 reports can be made in-app, or whether some have to remain LDP reports, and if so, how do we handle the issue of data privacy? Link to her sheet: https://docs.google.com/spreadsheets/d/1nR9frGMUgWq6TNKJFhY84FJx2Cwnlndnd2iq6p0wDx4/edit#gid=0
  • Ingolf's conversation with a data privacy officer makes it clear that there is a marked difference between European and U.S. universities in the matter of staff data privacy (audit trails). In Germany (and probably most of Europe), staff data can be stored only if there is a valid reason for this. It must be either a legal reason (required by law), or part of a contract that has been made between the workers' council and the employer and that is valid for all employees. Such contracts are always vetted by Employee Councils, which are part of each organization [1], and Employee Councils would not agree to staff data being stored for reasons such as running reports on, for example, how many items one individual has catalogued. We discussed how in the U.S., library management systems often have 'notes' fields, and staff members may identify themselves when entering specific notes, so that others may contact them for further information. As well, there is no equivalent of an Employee Council that has a say in staff audit trails. Such trails are used in many different ways in the U.S., and it is unlikely that U.S. universities will be able to do without them. Thus, there will have to be a dual system in FOLIO (it might be done only in-app, in which case it falls in the purview of some other working group; this working group is only about data in the LDP). Concerning the question of whether GDPR applies to staff audit data, the answer is that GDPR only applies if there is no other regulation. If there is a company deal (between workers' council and management), this deal will be applicable and refine GDPR. In particular, if there is a company agreement that some operational data about employees necessarily have to be recorded in order to avert damage to the company (or for some other sufficient reason), then the individual employee forfeits her right of erasure of the data (which she would have if only plain GDPR applied), as long as she is an employee of that company.
    But, as mentioned above, an audit trail such as "how many catalogue records did employee X create in the last 7 days" would never receive the consent of a workers' council in Germany. In other words, measuring the performance of individual employees is not considered a sufficient reason. There always has to be a sufficient reason to record personal data.
  • Both issues now need to be handed over to the larger FOLIO community, as we may have come to an end of our fact-finding mission.

Action items

Present the above discussion to the Reporting SIG on Monday, July 22nd.


[1] The organization has to exceed a certain size, which is 5 employees (in Germany). There is no obligation on the employer to establish a workers' council, but the employees have the right to elect one; they have to take action themselves. Once a workers' council has been elected, though, the employer is legally obliged to inform the workers' council (or call it employees' council, as you like) about all affairs which concern the staff / employees. The employer is also supposed to reach agreement with the employees' council. If the employer refuses to do so, the council can go as far as to take legal action against the employer.