2019-10-04 Reporting Data Privacy Working Group Meeting Notes



We will use Joyce's webex account for our weekly meetings:



  • Classification of personal data sensitive reports

Discussion items


Which reports need to be GDPR compliant, and when?

According to the discussion in the Reporting SIG on Monday, this working group is supposed to find answers to the following questions:

  1. Of the reports which contain personal data and cannot be done in-app, which ones will be needed in January 2020 for go-live? And in 2020 at all for go-live? (Who needs those reports?)
  2. Which of the reports in 1. need to be installed in a GDPR compliant way?
  3. Which of the reports which contain personal data and cannot be done in-app can wait one year (or more) to be implemented after go-live?
  4. Are there reports for the "ERM-only" implementers which need to be done GDPR compliant at the time of their go-live (ZBW, Bremen, Leipzig)? → Ingolf will check → see below.
  5. Florence (Italy) - go-live planned for Autumn 2019 - Do they need GDPR compliant reports? Answer: No, the National Library of Florence will not install the FOLIO Reporting solution at the time of their go-live.
  6. The National Library of Hungary - go-live planned for end of 2020 - Will they install the FOLIO Reporting LDP at go-live and if so, will they need to do reports which contain personal data? → Ingolf asks Lendvay Miklós

Chicago and Cornell will include personal data in the LDP configuration. But for them, it is no problem not to be GDPR compliant. Alabama will want to be GDPR compliant eventually, but does not need to be in October 2020 yet.

Answers to 4.:

GBV/Bremen plan to use the LDP. They will focus on Finance, Invoices and Budget reports. Staff data are considered forbidden (by company agreements) and will not be reported upon. Vendor contact data (contact name, contact address, phone...) are considered publicly available. To that extent, GBV does not plan to do reporting on personal data. GBV/VZG will send a list of its top 5 reports to Nassib (or to the Reporting SIG).

ZBW plans to use the LDP. They need lists of organization contact data. Contact data are not part of the Users App. Contact data need to be anonymized before they flow into the LDP.

Anonymization of personal data: contact data, vendor data

By default, the LDP loader tries to anonymize the personal data it extracts by deleting values in user data from the interface /users, except for a list of fields.

→ Did we look at other tables which might also contain personal data and need to be anonymized? Nassib needs a list of fields from us (this working group) in order to be able to anonymize them. We should look again at tables other than user. In particular, we need to look at organization contact data, maybe also at vendor data.


and others in mod-organizations-storage : https://dev.folio.org/reference/api/#mod-organizations-storage

in-app vs. LDP reports

Let's look at the question in-app vs. LDP reporting in a new way: The decision should be driven by functional requirements.

Sharon asked us to meet with the UM SIG to discuss which of the reports (in RA Reports to cluster; also others?) can and should be done in-app.

Flagged FOLIO reports - privacy is the full list of reports with potentially sensitive personal data.

Meeting Notes


Action items

  • REP-147 Monthly Report. This is a report. Likewise REP-148. → Has been re-ranked by GBV (Uschi Klute) for "a quarter after go-live" → Done
  • Ingolf to contact Lendvay Miklós (maybe via Kirstin)
  • Ingolf asks Sven Markgraf: "Is Organization Vendor data (name, address, phone number, email) personal data?" → Yes, some personal rights will have to be respected (right of access, right of erasure).
  • Whole group: mod-organizations-storage: Find out a list of personal data fields and send it to Nassib for exclusion from LDP; by Oct 18th (next meeting of this WG). See API documentation here: https://dev.folio.org/reference/api/#mod-organizations-storage
  • This group: Go through https://docs.google.com/spreadsheets/d/1mS6nuvUhdxwzj3xXFOPjlc4iiV5xhH4n05a5ZloZb5g/ again and decide from a functional perspective: Which of the reports which contain sensitive personal data should be made in-app, and which ones are really LDP reports?