2019-09-27 Reporting Data Privacy Working Group Meeting Notes
Date
Attendees
We will use Joyce's webex account for our weekly meetings:
https://dukeuniversity.webex.com/join/jcc81
Goals
- Review Reports with potentially sensitive data
Discussion items
Time | Item | Who | Notes |
---|---|---|---|
Review Reports with sensitive data in RA reports to review . What is aggregate data, what is personal data ? Cf. GDPR Art. 5 (b) 'purpose limitation'; in conjunction with GDPR Recital 162 "Process for Statistical Purposes" and GDPR Art. 89 "Safegurds and derogations to processing for ... statistical purposes" Review other reports with potentially sensitive data with respect to this : Flagged FOLIO reports - privacy . |
Meeting Notes
Present: Joyce Chapman Ingolf Kuss Vandana Shah
Ingolf had already studied all of Angela's Resource Access cluster reports from https://docs.google.com/spreadsheets/d/1mS6nuvUhdxwzj3xXFOPjlc4iiV5xhH4n05a5ZloZb5g/edit#gid=0. These are reports that do not fall into a specific cluster. Several of these contain personal data; we reviewed these as well as reports that Joyce had flagged in Flagged FOLIO reports - privacy . We had a detailed discussion about many of these; the comments by Angela and Sharon indicate that many of these should be moved to batch processing or in-app, but we don't know whether that decision has already been made. An important question to take to the Reporting SIG is whether developers will have the time to make all these in-app, and if not, what are the ramifications? People seem to want to keep many of these as data warehouse reports: is that just because they feel they will have no other way to access these data? Ingolf had various suggestions that should be discussed with Nassib.
After extensive research into this by Ingolf, as well as his conversations with data privacy officers, and our group's discussions, our suggestion to the Reporting SIG is that the LDP should contain no personal data. For US institutions that must have reports containing personal data, their individual data warehouses can be linked to an in-house system to provide this functionality, but it should not be a part of the FOLIO package. That should be done via in-house development for each institution.
At this point, we feel we need to bring this discussion to a wider audience, as we have done all that we can as a group to look into this issue. We will schedule a meeting with Product Council next.