2019-10-04 Reporting Data Privacy Working Group Meeting Notes
Date
Attendees
We will use Joyce's webex account for our weekly meetings:
https://dukeuniversity.webex.com/join/jcc81
Goals
- Classification of personal data sensitive reports
Discussion items
Time | Item | Who | Notes |
---|---|---|---|
What Reports need to be GDPR compliant and when ? | According to the discussion in the Reporting SIG on Monday, this working group is supposed to find answers to the following questions:
Chicago and Cornell will inlcude personal data in the LDP configuration. But for them, it is no problem not to be GDPR compliant. Alabama will want to be GDPR compliant eventually, but does not need to be in October 2020, yet. Answers to 4.: GBV/Bremen plan to use the LDP. They will focus on Finance, Invoices and Budget reports. Staff data are considered forbidden (by company agreements) and will not be reported upon. Vendors contact data (contact name, contact address, phone...) are considered publicly available. In so far, GBV does not plan to do reporting on personal data. GBV/VZG will send a list of its top 5 reports to Nassib (or to the Reporting SIG). ZBW plans to use the LDP. They need lists of organization contact data. Contact data are not part of the Users App. Contact data need to be anonymized before they flow into the LDP. | ||
Anonymozation of personal data: contact data, vendor data | By default, the LDP loader tries to anonymize personal data that it extracts by deleting values in user data from the interface /users, except a list of fields. → Did we look at other tables which might also contain personal data and need to be anonymized ? Nassib needs a list of fields from us (this working group), in order to be able to anonymize them. We should look at other tables than user again. In particular, we need to look at organization contact data, maybe also st vendor data. https://s3.amazonaws.com/foliodocs/api/mod-organizations-storage/p/contact.html and others in mod-organizations-storage : https://dev.folio.org/reference/api/#mod-organizations-storage | ||
in-app vs. LDP reports | Let's look at the question in-app vs. LDP reporting in a new way: The decision should be driven by functional requirements. Sharon asked us to meet with the UM SIG to discuss which of the reports (in RA Reports to cluster ; also others ?) can and should be done in-app. Flagged FOLIO reports - privacy is the full list of reports with potentially sensitive personal data. |
Meeting Notes
Present:
Action items
- - REP-147Getting issue details... STATUS Monthly Report. This is a report. Likewise - REP-148Getting issue details... STATUS . → Has been re-ranked by GBV (Uschi Klute) for "a quarter after go-live" → Done
- Ingolf to contact Lendvay Miklós (maybe via Kirstin)
- Ingolf: asks Sven Markgraf "Is Organization Vendor data: name, address, phone number, email" personal data ? → Yes, some personal rights will have to be respected. (right of access, right of erasure)
- Whole group: mod-organizations-storage: Find out a list of personal data fields and send it to Nassib for exclusion from LDP; by Oct 18th (next meeting of this WG). See API documentation here: https://dev.folio.org/reference/api/#mod-organizations-storage
- This group: Go through https://docs.google.com/spreadsheets/d/1mS6nuvUhdxwzj3xXFOPjlc4iiV5xhH4n05a5ZloZb5g/ again and decide from a functional perspective: Which of the reports which contain sensitive personal data should be made in-app, and which ones are really LDP reports ?