Re: [dspace-tech] GDPR compliance for DSpace

[Claudia Jürgen]

Hello Alan,

thanks for the input, you are right it is a broad topic not only GDPR
but Data Protection and Privacy in general.
We've created a discussion page on JIRA, as it gets quite voluminous for
the JIRA Ticket:
https://wiki.duraspace.org/display/DSPACE/Data+Protection+and+Privacy

cu

Claudia


Am 23.05.2018 um 23:29 schrieb Alan Orth:

Hello,

I'm surprised nobody has written to the list about compliance with the
European Union's General Data Protection Regulation (GDPR) legislation that
comes into effect on May 25th[0]. It's a broad topic* and you should
definitely be consulting with your organization about it, but one area that
you'll definitely need to think about sooner than later if you're running
is Google Analytics. Most people are using this, it seems!

Basically, you can't send data about your users' browsing of your
repository to third parties like Google without getting the users' *affirmative
consent* first. Even then, you'll likely need to enable IP address
anonymization. We've just finished integrating these two modifications into
our repository[1] using the popular cookieconsent library[2]. This library
is a few years old (designed for a previous, less-serious EU legislation),
but works pretty well because it is published on NPM and bower, can be
easily themed with Bootstrap color schemes, and allows the opt-in mode we
now require.

You can see our implementation of the IP address anonymization[3] and the
GDPR popup[4] for the XMLUI in DSpace 5 on our GitHub repository. This
works pretty well, though there seems to be some issue with Mirage 2's
theme.js bundle that conflicts with some callback or event handler that
causes the "agree" and "disagree" buttons to not dismiss the popup after
the user chooses one, but the cookies are set properly and the popup
disappears on the next page load. The standalone cookieinsight works fine
in this regard. Maybe someone can figure it out when they do their
integration!

Thanks! I hope that helps someone out there. Regards,

* in addition you should probably tell your users that you have their
names, phone numbers, and email addresses if they have registered on the
site, all of which are considered personally identifiable information.
There are obligations here! You need a privacy policy, a data officer, etc.

[0] https://gdpr-info.eu/
[1] https://cgspace.cgiar.org
[2] https://github.com/insites/cookieconsent
[3] https://github.com/ilri/DSpace/pull/375
[4] https://github.com/ilri/DSpace/pull/377



--
Claudia Juergen
Eldorado

Technische Universität Dortmund
Universitätsbibliothek
Vogelpothsweg 76
44227 Dortmund

Tel.: +49 231-755 40 43
Fax: +49 231-755 40 32
claudia.juer...@tu-dortmund.de
www.ub.tu-dortmund.de

Wichtiger Hinweis: Die Information in dieser E-Mail ist vertraulich. Sie ist 
ausschließlich für den Adressaten bestimmt. Sollten Sie nicht der für diese 
E-Mail bestimmte Adressat sein, unterrichten Sie bitte den Absender und 
vernichten Sie diese Mail. Vielen Dank.
Unbeschadet der Korrespondenz per E-Mail, sind unsere Erklärungen 
ausschließlich final rechtsverbindlich, wenn sie in herkömmlicher Schriftform 
(mit eigenhändiger Unterschrift) oder durch Übermittlung eines solchen 
Schriftstücks per Telefax erfolgen.

Important note: The information included in this e-mail is confidential. It is 
solely intended for the recipient. If you are not the intended recipient of 
this e-mail please contact the sender and delete this message. Thank you. 
Without prejudice of e-mail correspondence, our statements are only legally 
binding when they are made in the conventional written form (with personal 
signature) or when such documents are sent by fax.

--
You received this message because you are subscribed to the Google Groups "DSpace 
Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.

Re: [dspace-tech] GDPR compliance for DSpace

[Tom Desair]

Hi Alan,

Thanks for your input. There is a ticket to track DSpace GDPR compliance:
https://jira.duraspace.org/browse/DS-3653 Could you add your remarks and
suggestions there too?

I think there are some good ideas here that should be integrated upstream.

Best regards,
Tom


[image: logo] Tom Desair
250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586
Gaston Geenslaan 14, Leuven 3001, Belgium
www.atmire.com


Op wo 23 mei 2018 om 23:29 schreef Alan Orth :

> Hello,
>
> I'm surprised nobody has written to the list about compliance with the
> European Union's General Data Protection Regulation (GDPR) legislation that
> comes into effect on May 25th[0]. It's a broad topic* and you should
> definitely be consulting with your organization about it, but one area that
> you'll definitely need to think about sooner than later if you're running
> is Google Analytics. Most people are using this, it seems!
>
> Basically, you can't send data about your users' browsing of your
> repository to third parties like Google without getting the users' 
> *affirmative
> consent* first. Even then, you'll likely need to enable IP address
> anonymization. We've just finished integrating these two modifications into
> our repository[1] using the popular cookieconsent library[2]. This library
> is a few years old (designed for a previous, less-serious EU legislation),
> but works pretty well because it is published on NPM and bower, can be
> easily themed with Bootstrap color schemes, and allows the opt-in mode we
> now require.
>
> You can see our implementation of the IP address anonymization[3] and the
> GDPR popup[4] for the XMLUI in DSpace 5 on our GitHub repository. This
> works pretty well, though there seems to be some issue with Mirage 2's
> theme.js bundle that conflicts with some callback or event handler that
> causes the "agree" and "disagree" buttons to not dismiss the popup after
> the user chooses one, but the cookies are set properly and the popup
> disappears on the next page load. The standalone cookieinsight works fine
> in this regard. Maybe someone can figure it out when they do their
> integration!
>
> Thanks! I hope that helps someone out there. Regards,
>
> * in addition you should probably tell your users that you have their
> names, phone numbers, and email addresses if they have registered on the
> site, all of which are considered personally identifiable information.
> There are obligations here! You need a privacy policy, a data officer, etc.
>
> [0] https://gdpr-info.eu/
> [1] https://cgspace.cgiar.org
> [2] https://github.com/insites/cookieconsent
> [3] https://github.com/ilri/DSpace/pull/375
> [4] https://github.com/ilri/DSpace/pull/377
>
> --
>
> Alan Orth
> alan.o...@gmail.com
> https://picturingjordan.com
> https://englishbulgaria.net
> https://mjanja.ch
>
> --
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To post to this group, send email to dspace-tech@googlegroups.com.
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.

[dspace-tech] GDPR compliance for DSpace

[Alan Orth]

Hello,

I'm surprised nobody has written to the list about compliance with the
European Union's General Data Protection Regulation (GDPR) legislation that
comes into effect on May 25th[0]. It's a broad topic* and you should
definitely be consulting with your organization about it, but one area that
you'll definitely need to think about sooner than later if you're running
is Google Analytics. Most people are using this, it seems!

Basically, you can't send data about your users' browsing of your
repository to third parties like Google without getting the users' *affirmative
consent* first. Even then, you'll likely need to enable IP address
anonymization. We've just finished integrating these two modifications into
our repository[1] using the popular cookieconsent library[2]. This library
is a few years old (designed for a previous, less-serious EU legislation),
but works pretty well because it is published on NPM and bower, can be
easily themed with Bootstrap color schemes, and allows the opt-in mode we
now require.

You can see our implementation of the IP address anonymization[3] and the
GDPR popup[4] for the XMLUI in DSpace 5 on our GitHub repository. This
works pretty well, though there seems to be some issue with Mirage 2's
theme.js bundle that conflicts with some callback or event handler that
causes the "agree" and "disagree" buttons to not dismiss the popup after
the user chooses one, but the cookies are set properly and the popup
disappears on the next page load. The standalone cookieinsight works fine
in this regard. Maybe someone can figure it out when they do their
integration!

Thanks! I hope that helps someone out there. Regards,

* in addition you should probably tell your users that you have their
names, phone numbers, and email addresses if they have registered on the
site, all of which are considered personally identifiable information.
There are obligations here! You need a privacy policy, a data officer, etc.

[0] https://gdpr-info.eu/
[1] https://cgspace.cgiar.org
[2] https://github.com/insites/cookieconsent
[3] https://github.com/ilri/DSpace/pull/375
[4] https://github.com/ilri/DSpace/pull/377

-- 

Alan Orth
alan.o...@gmail.com
https://picturingjordan.com
https://englishbulgaria.net
https://mjanja.ch

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.