The Islandora Foundation cares about protecting your privacy. Our primary objective in meeting GDPR requirements is service to our community.
Our approach to GDPR compliance is an ongoing engagement, and will include changes within operations and revisions to this guide, over time. GDPR includes a core principle of the right to be forgotten. If a Data Subject wishes to assert Rights of the Individual please contact firstname.lastname@example.org. The Islandora Foundation aims to respond within 72 hours of receiving an inquiry.
In cases where general Personally Identifying Information (PII) is processed by the Islandora Foundation, unambiguous consent is considered acceptable (e.g., a statement regarding cookies). In cases where more sensitive PII is processed, explicit consent must be given. Consent may be revoked by the data subject at any time. The data subject may also exercise their other rights at any time, and those acting as Data Controllers and Data Processors must have a means to address those requests.
Data Controllers and Data Processors have an obligation to ensure the proper storage and security of any processed PII, and must also notify affected Data Subjects within established timeframes (72 hours) if a breach has been identified.
The Islandora Foundation will not disclose information to third parties unless provided express consent or it is required to do so to comply with a legally valid and binding order. Unless prohibited from doing so, the Islandora Foundation notifies parties before disclosing content information related to our Events, Products, and Membership.
For further information on our approach and to discuss aspects of this policy, please contact: email@example.com.
Attribution: the Islandora Foundation would like to thank our friends at Duraspace for sharing their Privacy and Data Protection Policy, which was in turn designed with help from the Public Knowledge Project (PKP) and Simon Fraser University and access to their document “GDPR Guidebook for PKP Users.”
Consent: the agreement of a data subject to share personal data. Consent must be unambiguous (and in the case of sensitive personal data must be explicit, i.e. “opt-in”), and must be able to be withdrawn.
Data Controller: the entity that dictates the terms for processing data. With respect to Islandora Foundation products, events, membership, and general communications the Data Controllers are identified as:
- Products – Danny Lamb, Technical Lead
- Events – Melissa Anez, Project & Community Manager
- Membership – Melissa Anez, Project & Community Manager
- General Communications (newsletter, blog, social media) – Melissa Anez, Project & Community Manager
Data Processor: the entity that manages all processing of the data on behalf of the controller. With respect to Islandora Foundation services, events, membership, and general communications the Data Processors are identified as
- Events – Drupal, Zoom, FreeConferenceCallHD, Skype, University of Prince Edward Island
- Membership – Google Sheets, Intuit QuickBooks
- General Communications – Google (Google Docs, Sheets, Forms, Mail, Calendar, etc), Atlassian Confluence, Atlassian JIRA, Twitter, YouTube, irc, Drupal, Pinterest, Facebook, Mailchimp, University of Prince Edward Island, Duraspace
Data Subject: a natural person whose personally identifying information may be tracked within a given system.
General Data Protection Regulation (GDPR): The EU’s new comprehensive set of regulations for the handling of personal data on the Internet by service providers. It went live on May 25 2018, and is pertinent to anyone who manages personally identifying information of EU citizens. The complete regulation is available here: https://www.eugdpr.org/. The GDPR defines the responsibilities that Data Controllers and Data Processors must adhere to with respect to the collection, processing, storage and destruction of any Personally Identifying Data that can identify a Data Subject.
Lawful Basis for Processing Personal Data: the basis by which a data controller must explain their ability to process data. The most common lawful basis is by consent.
Personally Identifying Information (PII), or Personal Data: any information that can potentially be used to identify a person, such as: their name(s); email address; mailing address; phone number; social network posts; or an IP address.
Rights of the Individual (Data Subject): The GDPR mandates the following rights of the individual, which it refers to as the “data subject”:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making including profiling.
In order to adhere to the GDPR, people acting in the role of data controller, in conjunction with those serving as a data processor, must provide adequate means for individuals to assert these rights.
Operational Data Collection & Management
Using Islandora does not require providing any information to the Islandora Foundation. The project is open source and available to download and use without the need to fill out a form or enter any data.
Participating in the open source community which develops Islandora may require accounts in a few systems for the purposes of collaboration and communication. Those systems include GitHub, IRC, and project email lists (facilitated by Google Groups). Using each of these systems requires, at minimum, a username and email address to be provided. When a user’s name is requested, there is no requirement that a real name or full name be provided. Using only a first name, a nickname, or a pseudonym is acceptable.
In order to communicate via Github, a Github account is required. The personal information required to create a GitHub account includes username, email address, and name. More information can be provided in a GitHub account. The Islandora Foundation does not collect, capture, or process information found in GitHub accounts. Information in a GitHub account can be edited by the user at any time. To delete your GitHub account, follow the procedure established by GitHub.
The only information required to communicate using IRC is a username. Islandora captures logs for the #islandora IRC channel to facilitate the review of historical conversations.
In order to communicate via project email lists using Google Groups, a Google account is required. The personal information required to create a Google account includes username, email address, and name. More information can be provided in a Google account. The Islandora Foundation does not collect, capture, or process information found in Google accounts. Information in a Google account can be edited by the user at any time. To delete your Google account, follow the procedure established by Google.
Events (Camps/User Group Meetings/Conferences)
Participation in Islandora Foundation events requires pre-registration and in some cases, payment. Registration is completed using Drupal Commerce and PayPal. The following personal data may be collected when payment is not due: name, organization, title, email address, clothing size, and country of residence. When payment is collected the personal data requested may include: name, email address, mailing address, phone number, credit card type, number, security code and expiration date.
Credit card information is not stored by the Islandora Foundation. Personal data collected is stored in Drupal Commerce and will not be shared or distributed outside of the Islandora Foundation without express consent or to comply with a legally valid and binding order. The stored information in Drupal Commerce can be accessed, modified and erased by select Islandora Foundation and University of Prince Edward Island (UPEI) staff. Because UPEI acts as the host for islandora.ca, some Robertson Library staff have administrative access to our site, which includes Drupal Commerce. Stored email addresses may be included in Islandora Foundation communications and each communication allows the recipient the option to unsubscribe from Islandora Foundation communications.
Some personal data may be stored in Google Sheets for organizational purposes. This data may include: name, email address, organization, and clothing size.
Data stored in QBO is limited to an organization’s mailing address and the work email addresses of the invoice recipients, as designated by the receiving organization. Access to contact data in QBO is never shared outside of the Islandora Foundation and access to the data is very limited as it is only used when sending invoices as requested by member organizations. The stored information can be accessed, modified and deleted by select Islandora Foundation staff. Recipients can update or terminate email communications by responding to any email they receive.
The second system for Islandora Foundation membership invoicing is Square. Square is used to invoice members who wish to pay by credit card. The following personal data may be collected and stored in Square: name, organization, title, work email address and country location for the organization. The personal data collected and stored is not shared or distributed outside of the Islandora Foundation. The stored information can be accessed, modified and deleted by select Islandora Foundation staff. Stored work email addresses may be included in Islandora Foundation communications and each communication allows the recipient the option to unsubscribe from Islandora Foundation communications.
Staying abreast with the Islandora Foundation community is done primarily through our blog and organizational or event-related communications sent via project email lists (facilitated by Google Groups) or Mailchimp.
Our communications network also leverages Drupal, Twitter, YouTube, Facebook, irc, and Pinterest, as mentioned in sections above. Because UPEI acts as the host for islandora.ca, some Robertson Library staff have administrative access to our Drupal site.