|45||FOLIO and GDPR||Ingolf|
GDPR is the European Union General Data Protection Regulation.
To make FOLIO GDPR compliant, either
Institutions which reside in the EU have to comply with GDPR by law.
Some other institutions might want to comply with GDPR voluntarily.
Preview of my presentation today: FOLIO_SysOpsSIG_GDPR_Regulation.pptx
So far, GDPR compliance for FOLIO has been discussed in the Reporting SIG for the Library Data Platform (LDP).
The LDP comprises a data warehouse, thus a permanent data storage, used for Reporting.
With regard to data protection regulations, special care has to be taken with data that is being reported on.
The situation is different with (what I call) "operational data", i.e. data which is stored in the FOLIO storage modules for a certain reason. A reason might be to keep the address of a borrower in order to be able to contact her in case of overdue books or open charges to the library. In the language of the GDPR, this is called a "purpose of the processing".
If you don't want to keep personal data, or have no purpose of processing for it, you have to anonymize the data.
Even for staff data, there are privacy regulations. Some universities want to be able to create statistical reports about staff activity. For example, "how many catalog records did staff member XY create in month MM" would be a desired report to run. At least in Germany, maybe in other EU countries also, keeping the relation "personal data (i.e. name, address, ...) ↔ loan records" for this reason will be forbidden by some company agreement which needs to be approved by the employees and the management (there are exceptions for small businesses, but we can neglect this for libraries). So, how do we implement these reports in FOLIO? I am talking about reports that are potentially based on personal data.
Personal data is any information related to an identified or identifiable natural, living person.
Names, Location Data, Online Identifiers (IP addresses, ...) and Identification Numbers are personal data in the sense of GDPR. If a combination of data can lead to the identification of a living, natural person, these data are also considered personal data. Example: assume I store Resident State, Gender and Profession in the LDP user data (but no names, addresses or user IDs). From this, one might infer that a female veterinarian from Texas borrowed book XY in month MM. So now, if there is a list of all veterinarians who practice their profession in the state of Texas (there will be such a list; the question is always whether a prosecuting body can get access to such a list; it will get access) and there is only one woman on this list, then one can identify a natural person from the combination of Resident State, Gender and Profession. In this case, storing these data in the LDP will be considered storing personal data in the LDP.
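The re-identification argument above, as an added example that is not part of the original notes: it counts how many rows share each Resident State / Gender / Profession combination, flags combinations held by fewer than k rows (a k-anonymity style check, a technique named here rather than in the notes), and shows the effect of coarsening and suppressing. The rows, column names and function names are constructed assumptions, not the LDP schema.

```python
from collections import Counter

# Constructed sample rows, shaped like a reporting extract with names,
# addresses and user ids already removed (column names are assumptions).
ROWS = [
    {"state": "Texas", "gender": "female", "profession": "veterinarian", "loans": 3},
    {"state": "Texas", "gender": "male", "profession": "veterinarian", "loans": 1},
    {"state": "Texas", "gender": "male", "profession": "veterinarian", "loans": 5},
    {"state": "Texas", "gender": "female", "profession": "teacher", "loans": 2},
    {"state": "Texas", "gender": "female", "profession": "teacher", "loans": 7},
    {"state": "Ohio", "gender": "female", "profession": "teacher", "loans": 4},
]

# Attributes that are harmless alone but identifying in combination.
QUASI_IDENTIFIERS = ("state", "gender", "profession")


def group_sizes(rows, columns):
    """Count how many rows share each combination of values in `columns`."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def risky_groups(rows, columns, k=2):
    """Return combinations shared by fewer than k rows (re-identifiable)."""
    return {combo: n for combo, n in group_sizes(rows, columns).items() if n < k}


def generalize(rows, drop):
    """Coarsen the extract by blanking the columns named in `drop`."""
    return [{c: ("*" if c in drop else v) for c, v in row.items()} for row in rows]


def suppress(rows, columns, k=2):
    """Drop rows whose combination is still shared by fewer than k rows."""
    risky = risky_groups(rows, columns, k)
    return [r for r in rows if tuple(r[c] for c in columns) not in risky]


if __name__ == "__main__":
    # The single female veterinarian from Texas shows up as a group of one.
    print("unique combinations:", risky_groups(ROWS, QUASI_IDENTIFIERS))
    coarse = generalize(ROWS, drop={"profession"})
    print("after dropping profession:", risky_groups(coarse, QUASI_IDENTIFIERS))
    safe = suppress(coarse, QUASI_IDENTIFIERS)
    print("rows kept:", len(safe), "of", len(ROWS))
```

A group size at or above k only bounds this one kind of linkage; whether an extract counts as anonymized under GDPR remains a legal assessment.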
How to keep the data in compliance with GDPR?
Institutions that store personal data must comply with certain rules in order to be GDPR compliant:
Data Privacy for the Reporting LDP is being discussed in this working group: Data Privacy for Reporting
But we need a more general discussion / regulations for the whole FOLIO system.