2019-10-04 Reporting Data Privacy Working Group Meeting Notes

Date

Oct 4, 2019

Attendees

  • @Joyce Chapman

  • @Ingolf Kuss

  • @Vandana Shah

  • @Nassib Nassar

 

We will use Joyce's Webex account for our weekly meetings:

https://dukeuniversity.webex.com/join/jcc81

Goals

  • Classification of personal-data-sensitive reports

Discussion items

Time

Item

Who

Notes

 

Which reports need to be GDPR compliant, and when?

 

According to the discussion in the Reporting SIG on Monday, this working group is supposed to find answers to the following questions:

  1. Of the reports which contain personal data and cannot be done in-app, which ones will be needed in January 2020 for go-live? And in 2020 at all for go-live? (Who needs those reports?)

  2. Which of the reports in 1. need to be installed in a GDPR compliant way?

  3. Which of the reports which contain personal data and cannot be done in-app can wait one year (or more) after go-live to be implemented?

  4. Are there reports for the "ERM-only" implementers which need to be done in a GDPR compliant way at the time of their go-live (ZBW, Bremen, Leipzig)? → Ingolf will check → see below.

  5. Florence (Italy) - go-live planned for Autumn 2019 - Do they need GDPR compliant reports? Answer: No, the National Library of Florence will not install the FOLIO Reporting solution at the time of their go-live.

  6. The National Library of Hungary - go-live planned for end of 2020 - Will they install the FOLIO Reporting LDP at go-live and, if so, will they need to do reports which contain personal data? → Ingolf asks @Lendvay Miklós

Chicago and Cornell will include personal data in the LDP configuration. For them, it is not a problem not to be GDPR compliant. Alabama will want to be GDPR compliant eventually, but does not yet need to be in October 2020.

 

Answers to 4.:

GBV/Bremen plan to use the LDP. They will focus on Finance, Invoices and Budget reports. Staff data are considered forbidden (by company agreements) and will not be reported upon. Vendor contact data (contact name, contact address, phone...) are considered publicly available. To that extent, GBV does not plan to do reporting on personal data. GBV/VZG will send a list of its top 5 reports to Nassib (or to the Reporting SIG).

ZBW plans to use the LDP. They need lists of organization contact data. Contact data are not part of the Users App. Contact data need to be anonymized before they flow into the LDP.

 

Anonymization of personal data: contact data, vendor data

 

By default, the LDP loader tries to anonymize the personal data that it extracts by deleting the values in user data from the /users interface, except for a list of fields.

→ Did we look at other tables which might also contain personal data and need to be anonymized? Nassib needs a list of fields from us (this working group) in order to be able to anonymize them. We should look again at tables other than user. In particular, we need to look at organization contact data, maybe also at vendor data.

https://s3.amazonaws.com/foliodocs/api/mod-organizations-storage/p/contact.html

and others in mod-organizations-storage : https://dev.folio.org/reference/api/#mod-organizations-storage

 

In-app vs. LDP reports

 

Let's look at the question of in-app vs. LDP reporting in a new way: the decision should be driven by functional requirements.

Sharon asked us to meet with the UM SIG to discuss which of the reports (in RA Reports to cluster; also others?) can and should be done in-app.

Flagged FOLIO reports - privacy is the full list of reports with potentially sensitive personal data.

Meeting Notes

Present: 

Action items