2019-09-27 - System Operations and Management SIG Agenda and Notes

Date

Attendees

Goals

  • FOLIO and Data Privacy

Discussion items

Time | Item | Who | Notes
5 min | Welcome | Ingolf |
  • Welcome
  • Request for a note taker
45 min | FOLIO and GDPR | Ingolf |

GDPR is the European Union General Data Protection Regulation.

To make FOLIO GDPR compliant, either

  • all personal data that is stored has to be anonymized,
  • OR the stored personal data has to comply with certain rules as defined at https://eugdpr.org/.

Institutions which reside in the EU have to comply with GDPR by law.

Some other institutions might want to comply with GDPR voluntarily.

---------------

Preview of my presentation today: FOLIO_SysOpsSIG_GDPR_Regulation.pptx

---------------

So far, GDPR compliance for FOLIO has been discussed in the Reporting SIG for the Library Data Platform (LDP).

The LDP comprises a data warehouse, thus a permanent data storage, used for Reporting.

Special care has to be taken, with regard to data protection regulations, for data that is being reported on.

The situation is different with (what I call) "operational data", i.e. data which is stored in the FOLIO storage modules for a certain reason. A reason might be to keep the address of a borrower in order to be able to contact her in case of overdue books or open charges to the library. In the language of the GDPR, this is called a "purpose of the processing".

If you don't want to keep personal data, or have no purpose of processing for it, you have to anonymize the data.

Even for staff data, there are privacy regulations. Some universities want to be able to create statistical reports about staff activity. For example, "how many catalog records did staff member XY create in month MM" would be a desired report to run. At least in Germany, and maybe in other EU countries as well, keeping the relation "personal data (i.e. name, address, ...) ↔ loan records" for this reason will be forbidden by a company agreement which needs to be approved by the employees and the management (there are exceptions for small businesses, but we can neglect this for libraries). So, how do we implement these reports in FOLIO? I am talking about reports that are potentially based on personal data.

------------------

Personal data is any information which relates to an identified or identifiable natural, living person.

Names, location data, online identifiers (IP addresses, ...) and identification numbers are personal data in the sense of the GDPR. If a combination of data can lead to the identification of a living, natural person, these data are also considered personal data. Example (assumed): I store Resident State, Gender and Profession in the LDP user data, but no names, addresses or user ids. From this, one might infer that a female veterinarian from Texas borrowed book XY in month MM. Now suppose there is a list of all veterinarians who practice their profession in the state of Texas (there will be such a list; the question is always whether a prosecuting body can get access to such a list, and it will get access) and, given the case, that there is only one woman on this list. Then one can identify a natural person from the combination of Resident State, Gender and Profession. In this case, storing these data in the LDP will be considered storing personal data in the LDP.
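As an added illustration of the re-identification risk described above (not part of the original notes, and not FOLIO or LDP code): a small Python check that counts how many rows share each combination of the quasi-identifiers Resident State, Gender and Profession in a constructed, pseudonymized user table, flags rows whose combination is unique (k = 1), and shows how a constructed external register of Texas veterinarians would pin that unique row to a single name. The records, the register and all function names are assumptions for the example.

```python
from collections import Counter

# Constructed sample of LDP-style user rows. The user id is a pseudonym
# (think: a hash of the real id), names and addresses are not stored,
# but three quasi-identifiers survive. Assumed data, not from FOLIO.
RECORDS = [
    {"pseudo_id": "u01", "state": "TX", "gender": "F", "profession": "veterinarian"},
    {"pseudo_id": "u02", "state": "TX", "gender": "M", "profession": "veterinarian"},
    {"pseudo_id": "u03", "state": "TX", "gender": "M", "profession": "veterinarian"},
    {"pseudo_id": "u04", "state": "TX", "gender": "F", "profession": "teacher"},
    {"pseudo_id": "u05", "state": "TX", "gender": "F", "profession": "teacher"},
    {"pseudo_id": "u06", "state": "CA", "gender": "F", "profession": "teacher"},
    {"pseudo_id": "u07", "state": "CA", "gender": "F", "profession": "teacher"},
]
QUASI_IDS = ["state", "gender", "profession"]

# Constructed stand-in for the public professional register the notes mention:
# (name, gender) of every veterinarian practising in Texas. Assumed data.
TEXAS_VET_REGISTER = [("A. Example", "F"), ("B. Example", "M"), ("C. Example", "M")]


def equivalence_classes(records, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """k of the table: size of the smallest equivalence class (k = 1 means a unique row)."""
    return min(equivalence_classes(records, quasi_ids).values())


def reidentifiable(records, quasi_ids, k=2):
    """Pseudonymous ids whose quasi-identifier combination is shared by fewer than k rows."""
    classes = equivalence_classes(records, quasi_ids)
    return [r["pseudo_id"] for r in records if classes[tuple(r[q] for q in quasi_ids)] < k]


def link_to_register(record, register):
    """Register entries consistent with the record's gender; a single hit re-identifies the person."""
    return [name for name, gender in register if gender == record["gender"]]


if __name__ == "__main__":
    print("k with all three quasi-identifiers:", k_anonymity(RECORDS, QUASI_IDS))
    print("unique rows:", reidentifiable(RECORDS, QUASI_IDS))
    print("linked to register:", link_to_register(RECORDS[0], TEXAS_VET_REGISTER))
    # Suppressing Profession raises k to 2: no row can be singled out any more.
    print("k without profession:", k_anonymity(RECORDS, ["state", "gender"]))
```

Pseudonymizing the user id changes nothing here: the quasi-identifiers alone single out u01, which is the point the notes make about combinations of data.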

-------------------

How to keep the data in compliance with GDPR?

Institutions that store personal data must comply with certain rules in order to be GDPR compliant:

  • They must identify a purpose for collecting and using personal data. Example: if we don't store your name and address, we can't contact you in case of overdue fees, so we have to store your address as long as you want to borrow books here. Stored data must be adequate (for the stated purpose), relevant and limited to what is necessary (data minimization).
  • Accountability principle. "You must have appropriate measures and records in place to be able to demonstrate your compliance." Usually this means that a Data Protection Officer (DPO), sometimes also called Controller, is involved in the design of the software from the start ("Privacy by Design"). The DPO is responsible for all external requests concerning data privacy and data protection.
  • Documentation of processing activities. The DPO must keep documentation which indicates where personal data is stored, in what format it is stored and how personal data is processed. This documentation must be available from the start ("Data Privacy by Design"). The DPO must hand this documentation over to a supervisory authority (an independent state or national data regulation office etc.) upon request.
  • Right to access. The DPO (also called "Controller") shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right to be informed. Each individual has the right to obtain a list, in electronic form, of what personal data is stored about him/her, at any time.
  • Right to rectification.
  • Right to erasure, also known as the "right to be forgotten". Individuals have the right to have all or part of their personal data erased at any time. This may lead to a loss of contract (e.g. if you want your location data to be deleted, you can't participate in loans anymore). There are legal restrictions: e.g. employees can't demand that their personal data be erased by their employer, even if they no longer have a working contract with that employer. For example, in Germany, employers are legally obliged to keep employees' tax payment data for at least 6 years.
  • Right to restrict processing.
  • Right to data portability. "The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services."
  • Data security. The GDPR requires you to implement appropriate technical and organizational measures to ensure you process personal data securely. Article 32 of the GDPR includes encryption as an example of an appropriate technical measure.
  • Personal data breaches. In case of a leakage/breach of personal data, the institution that stores that data has 72 hours to report the breach to the responsible supervisory authority.

---

Data Privacy for the Reporting LDP is being discussed in this working group: Data Privacy for Reporting

But we need a more general discussion / regulations for the whole FOLIO system.

Additional meeting notes:

  • Data privacy and data protection obligations are the organization's responsibility. For example, EBSCO is GDPR compliant, as it hosts services for libraries across the world, including those in the EU.
  • Anonymization vs pseudonymization: pseudonymization is not always the secure way to go because a collection of many pseudonymized data points can identify a person.
  • Personal data for statistical reports may be kept for a longer period of time (longer than for operational data). Statistical reports show aggregates of personal data, not the personal data itself. E.U. member states may legislate for the derogation of some basic rights of the data subject (individual) in the case of the processing of personal data for statistical purposes. Among those rights may be the right of access, the right to rectification, the right to restriction of processing and the right to object.
  • Privacy by design. We cannot demonstrate compliance after the fact, it has to be built into the data design. This is important.
  • The penalties for infringement are NOT trivial. They amount to € 10 million, or 2% of the institution's worldwide annual turnover of the previous year, whichever is higher. In the case of an infringement of the basic principles for processing or of the rights of the data subjects, the penalties may be up to double that.

10 min | Discussion | all |

Action items

  •