2019-10-25 Reporting Data Privacy Working Group Meeting Notes



We will use Joyce's webex account for our weekly meetings:



  • Classification of personal data sensitive reports

Discussion items


National Library of HungaryIngolf

The National Library of Hungary - go-live planned for end of 2020 - Will they install the FOLIO Reporting LDP at go-live and if so, will they need to do reports which contain personal data ? → Ingolf asks Lendvay Miklós

organization vendors dataIngolf

Vendors contact data (contact name, contact address, phone, email) are considered publicly available. In so far, GBV does not plan to do reporting on personal data. GBV/VZG will send a list of its top 5 reports to Nassib  (or to the Reporting SIG).

Ingolf asks Sven Markgraf if these are really not subject to GDPR compliance.

Fields to anonymizeThis group

Organization contact data need to be anonymized before they flow into the LDP.

  • mod-organizations-storage: Compile a list of personal data fields and send it to Nassib for exclusion from LDP; by Oct 18th See API documentation here: https://dev.folio.org/reference/api/#mod-organizations-storage
  • We found two modules in mod-organization-storage that contain personal data. These are: mod-organizations-storage/contact, and mod-organizations-storage/email. These should not be brought into the LDP.

in-app vs. LDP reportsThis group

Let's look at the question in-app vs. LDP reporting in a new way: The decision should be driven by functional requirements.

Let's go through Flagged FOLIO reports - privacy  (or RA Reports to cluster or both ?) again and decide from a functional perspective: Which of the reports which contain sensitive personal data should be made in-app, and which ones are really LDP reports ?

We completed a review of reports that contain personal data. There are several that are required by U.S. institutions, and of those, some are needed at go-live. Details of all are contained in the notes column of Flagged FOLIO reports - privacy .  As Nassib has explained, since the LDP will have a personal-data turn-off switch for European institutions, this should not be a problem. However, we do have to make sure that in the long run, when the U.S. institutions are moving towards GDPR compliance, that all these data will be deleted from the LDP, and will not remain as historic data.

There are three reports containing personal data that are needed at go-live by GBV. Since these need live data, they clearly fall into the category on in-app, and not reports. Ingolf will follow up on this with Uschi.

Meeting Notes


Action items

  • Ingolf: speak to Miklos this coming week
  • Ingolf: remind GBV/VZG to send list of top reports when he sees them in person
  • REP-148 - Getting issue details... STATUS 147 and 146: critical reports ranked by GBV which contain personal data: Ingolf to clarify this with GBV in Göttingen meeting next week,.
  • This group will contact Product Council to ask whether they still want us to do a presentation of GDPR and Data Privacy in the LDP.