14:05:53 <josef_moravec_> #startmeeting GDPR IRC meeting 18 April 2018
14:05:53 <huginn> Meeting started Wed Apr 18 14:05:53 2018 UTC.  The chair is josef_moravec_. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:53 <huginn> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:05:53 <huginn> The meeting name has been set to 'gdpr_irc_meeting_18_april_2018'
14:05:57 <josef_moravec_> chair cait
14:06:03 <josef_moravec_> #chair cait
14:06:03 <huginn> Current chairs: cait josef_moravec_
14:06:26 <cait> #link https://wiki.koha-community.org/wiki/GDPR_IRC_meeting_18_April_2018 Agenda
14:06:33 <josef_moravec_> #topic Introductions
14:06:33 <wahanui> #info wahanui, a bot that has become sentient
14:06:49 <josef_moravec_> #info Josef Moravec, Municipal Library Usti nad Orlici
14:06:57 <cait> #info Katrin Fischer, BSZ, Germany
14:07:06 <cc_> #info Colin Campbell PTFS-Europe
14:07:26 <Joubu> #info Jonathan Druart
14:09:55 <cait> hi SoniaB, we just do #info
14:09:57 <SoniaB> #info Sonia BOUIS Université Lyon 3 france
14:10:20 <josef_moravec_> #topic Debate about improvements in Koha code
14:10:25 <SoniaB> cait: Hi, just in time :)
14:10:33 <josef_moravec_> #link https://wiki.koha-community.org/wiki/Improve_data_protection_and_patron_privacy
14:11:17 <josef_moravec_> Do we want to go point by point like last time? Or just ask if anybody has anything to add?
14:11:41 <Joubu> could you make a summary?
14:11:49 <Joubu> what has been done since last time?
14:12:11 <Joubu> will we be ready for 18.05?
14:12:20 <cait> probably not
14:13:03 <SoniaB> josef_moravec_: should we add old_issues and old_reserves?
14:13:43 <cait> SoniaB: for anonymizing?
14:14:37 <m23> hi, Mike on the beard
14:14:38 <SoniaB> cait: yes, if necessary. I haven't the exact content of those tables in mind
14:15:15 <m23> board :-)
14:15:15 <josef_moravec_> SoniaB: ideally the old_issues and old_reserves should be merged into issues/reserves tables
14:15:31 <josef_moravec_> but yes, we should take care of these two too
14:15:46 <cait> we could still discuss anonymizing older entries maybe
14:16:01 <josef_moravec_> Unfortunately, I don't think we have done much ;(
14:16:06 <cait> we can see when they were cancelled/filled and anonymize after x days by script
14:16:21 <josef_moravec_> I am working on patch for anonymizing patrons, but not ready yet
14:17:18 <cait> scripts like this could be probably backported
14:17:33 <m23> Anonymizing patrons and their history are mandatory tasks
14:17:52 <cait> who has dev time to spend on the issues?
14:18:06 <cait> should we prioritize and then try to find someone responsible to keep track of it/work on it?
14:19:06 <SoniaB> Are there already patches related to 18081 ready to test (I haven't opened them all, sorry)?
14:19:16 <cait> (16:17:52) cait: who has dev time to spend on the issues?
14:19:16 <cait> (16:18:06) cait: should we prioritize and then try to find someone responsible to keep track of it/work on it?
14:19:24 <cait> just repeating for josef_moravec_
14:19:26 <m23> Cait: Yes
14:19:51 <josef_moravec_> cait: thanks
14:19:53 <cait> I agree
14:19:59 <cait> anonymizing is a big prio
14:20:03 <cait> especially for deletedborrowers
14:20:42 <cait> i will add priority to the table
14:20:49 <josef_moravec_> cait: good idea
14:20:52 <cait> josef_moravec_: can I add you for 1?
14:20:54 <m23> Cait: great
14:21:04 <josef_moravec_> Yes I will take it
14:22:28 <cait> working on the table, please pick the next prio
14:23:11 <cait> I will put BSZ down for the initial Cookie documentation, calire has worked some more on it
14:23:18 <cait> but there are still white spaces, everyone is invited to add
14:23:43 <cait> first changes saved
14:23:44 <m23> Privacy/anonymization : prio 2?
14:24:22 <josef_moravec_> what about #10 or #11/#12/#13 ?
14:25:03 <cait> is that like a cookie banner? or more complicated?
14:25:07 <cait> 13 sorry
14:25:20 <cait> ah that was for self reg?
14:25:34 <m23> 7 Statistics important for Czech libraries
14:25:47 <cait> and it's the way to more anonymization
14:25:58 <cait> prio 1 or prio 2? for 7? who will work on it?
14:26:16 <josef_moravec_> I think #13 is a bit more complicated - depends on some settings of system which should be investigated more
14:26:43 <josef_moravec_> number #7 - I am working on patch for 20606
14:26:54 <cait> i think maybe make 2 prio 1 too
14:27:01 <SoniaB> #7 : statistics is important too in France
14:27:25 <SoniaB> I don't really know how to help
14:27:28 <cait> ok making 7 prio 1 and josef
14:28:02 <m23> 3 Privacy/anonymization prio 3?
14:28:14 <cait> ok for me
14:28:19 <cait> put a name yet or later?
14:28:56 <cait> making 2 prio 1 too, i think it's in line with deletedborrowers and statistics, to get a clean state
14:29:02 <cait> someone willing to work on 2?
14:29:27 <cait> hm we have a way to delete them, so maybe prio 2 actually
14:29:58 <cait> prio 2 = we have something, but not perfect yet. ok?
14:30:14 <josef_moravec_> ok
14:30:32 <cait> cookie docs
14:30:36 <cait> 1 or 2?
14:30:37 <wahanui> 3
14:30:41 <cait> heh wahanui
14:30:41 <wahanui> heh i am good
14:31:03 <josef_moravec_> 2
14:31:11 <cait> keep updating the page, i am adding and saving :)
14:31:20 <josef_moravec_> cait++
14:31:41 <cait> SoniaB: we have something for old issues
14:31:45 <cait> i think we need another for old reserves
14:31:55 <cait> hm or maybe one for both
14:32:05 <cait> 3 is a bit more complicated than just anonymizing
14:32:43 <cait> hm but i think there is a script if they set to default, so maybe only need a script for old_reserves too
14:33:12 <josef_moravec_> maybe just enhance the script we have?
14:33:18 <josef_moravec_> not sure now ;)
14:33:52 <m23> enhance looks like a straight way
14:33:53 <cait> I've added 15 as a reminder
14:34:02 <m23> what about 9 Administration Staff client should not be publicly accessed, even the access to login form should be restricted.
14:34:07 <cait> we can still merge them, after more investigation
14:34:17 <m23> It's just about Apache settings?
14:34:36 <cait> hm i think one idea was to make the ip settings on branch more flexible
14:34:38 <cait> more than one ip
14:35:19 <m23> Cait: it will be nice
14:35:40 <cait> one ip rarely works, so it's probably not used much
14:35:47 <cait> someone up to working on it?
14:35:49 <cait> prio2?
14:36:13 <cait> ah the other idea was apache yep
14:37:01 <josef_moravec_> prio 2
14:38:07 <cait> prio 2 for 9?
14:38:11 <cait> done
14:38:20 <cait> ok 4 5 6
14:38:34 <cait> i think plugins are really up to the library, i'd put 3 or 4
14:39:00 <cait> hm a permission
14:39:00 <wahanui> a permission is a blocker
14:39:16 <cait> but then we'd have plugin authors to make sure they implement the permission, can't force them
14:39:36 <josef_moravec_> yes, plugins are problematic
14:39:47 <cait> but also totally optional
14:39:50 <cait> maybe not super high priority
14:39:54 <josef_moravec_> agree
14:40:15 <cait> 3?
14:40:15 <wahanui> hmmm... 3 is not.
14:40:35 <josef_moravec_> 3
14:41:02 <cait> 14 logrotate policy
14:41:24 <cait> i think we just recently stopped a change there to keep them almost forever
14:41:32 <cait> might be good to document somewhere that we don't want that :)
14:42:05 * cait hands josef_moravec_ the duct tape
14:42:11 <m23> Sorry, can we set higher prio to 3 Prio 3 Privacy/anonymization
14:42:33 <cait> m23: can you explain
14:42:33 <cait> ?
14:42:44 <m23> It's important
14:42:55 <cait> at the moment the choice is on the user and you can have a default with a script run
14:43:22 <cait> well you can also not offer the user the choice, but then anonymize immediately or after x days i think
14:43:28 <cait> the addition is only for gui in staff
14:43:34 <cait> but we can, make it 2 or 1?
14:43:47 <m23> 2 if we can :-)
14:43:59 <cait> i am never quite sure if the staff should be able to change it
14:44:03 <cait> probably needs to be logged
14:44:36 <cait> updated
14:44:49 <cait> hm data portability
14:44:51 <cait> 10
14:44:53 <josef_moravec__> #14 is not high priority I think our defaults are Ok and sysadmin can always change it
14:45:02 <cait> prio 3?
14:45:24 <josef_moravec__> maybe 4 ;)
14:45:39 <cait> done
14:45:43 <cait> ok a few remaining
14:45:53 <cait> start at the top
14:45:55 <cait> 4 - reports
14:46:10 <josef_moravec__> 2?
14:46:10 <wahanui> 2 is, like, pretty awesome
14:46:12 <cait> yeah
14:46:22 <josef_moravec__> thank you wahanui ;)
14:46:26 <cait> we have an existing permission at least, just not granular
14:46:32 <cait> what was the discussion, add a flag to them?
14:46:58 <josef_moravec__> cait: that's the easiest way ;)
14:47:03 <cait> true
14:47:17 <josef_moravec__> and probably ok for start
14:47:36 <cait> added
14:47:49 <cait> 6 - backups
14:47:57 <josef_moravec__> prio 4
14:48:09 <josef_moravec__> it's the same class as #14 i think
14:48:10 <cait> can already be done by sysadm
14:48:16 <josef_moravec__> exactly
14:48:27 <cc_> once we actually delete and anonymize users what can be exposed by reports is reduced
14:49:18 <josef_moravec__> cc_: true, but that's for case when user which could run reports should not see personal data at all
14:49:24 <josef_moravec__> for example
14:49:36 <cait> we had the case with student helpers
14:49:46 <cait> they look for missing items and do other clean up tasks, but should not see patron data
14:49:50 <cait> or be able to download them
14:49:59 <cait> i think having some granularity in permissions would be nice to have
14:50:10 <SoniaB> cait++
14:50:34 <cc_> agreed I'm just saying priority should be after the core of removing data
14:50:48 <cait> prio 3 then for 4?
14:50:53 <cait> it's 2 now
14:51:22 <josef_moravec__> prio 2.5 ;)
14:51:33 <cait> i refuse that :)
14:51:56 <cait> number 8 - log when koha-dump is run
14:52:06 <cait> should this be a new log option separate from cronjobs log?
14:52:16 <cait> cronjobs log is very noisy, it might be better
14:53:00 <josef_moravec__> but it's logical to log this to cronjobslog
14:53:05 <cait> true
14:53:08 <cait> just looked into the bug
14:53:24 <cait> maybe long have some options there, but for now in cronjobs log
14:53:25 <cait> prio?
14:53:43 <josef_moravec__> 3
14:53:48 <m23> 3 I think
14:54:18 <cait> done
14:54:24 <cait> next is 10
14:54:31 <josef_moravec__> prio 2
14:54:40 <cait> hm ok
14:54:47 <cait> close to 1 for us, but the other are more important even
14:55:00 <cait> Prio 1.5? ;)
14:55:04 <cait> 11
14:55:05 <cait> cookie banner
14:55:19 <cait> we just had a big customer ask for it
14:55:26 <cait> they have their own solution to implement
14:55:46 <cait> the problem is that the e-privacy law is not done yet I think?
14:55:51 <cait> so we don't know if it will be required?
14:56:01 <cait> m23: hm?
14:56:18 <m23> if we ask customer to agree, we need to offer way if they don't agree
14:56:29 <cait> right now we can only inform
14:56:41 <cait> not storing cookies will be harder and def need some implementation in Koha
14:56:47 <m23> without check button?
14:57:10 <cait> the one i've been working on has a link to the documentation
14:57:18 <cait> including information about own/third party cookies
14:57:22 <cait> and a checkbox to say 'seen'
14:57:35 <cait> when you have 'seen' it it sets a cookie so it doesn't reappear all the time
14:57:54 <cait> that's the latest I know
14:58:00 <cait> I can't tell if it's enough in all cases
14:58:05 <m23> if cookie banner is just information about data that we store, we can list here all data that we collected, like IP
14:58:18 <cait> store if you use the website
14:58:43 <cait> but yep, you should list what you have in your logs in whatever page it links to
14:58:51 <cait> ip is a personal data
14:59:14 <cait> but we can't know these things, we could just offer a configurable url maybe
15:00:10 <m23> we can store IP, because we need for law purposes, because library statistic
15:00:31 <cait> we don't need it, so it's cut i think
15:00:41 <josef_moravec__> but it does apply in czech republic..
15:00:58 <josef_moravec__> not in germany, as cait said right now ;)
15:01:01 <cait> afaik it's still a bit of a grey area if you need a cookie banner
15:01:13 <cait> lots here do it now to be on the safe side
15:01:25 <josef_moravec__> cait++
15:01:27 <josef_moravec__> so prio 2
15:01:28 <josef_moravec__> ?
15:01:33 <m23> Its depend on library and conty law
15:01:40 <m23> country
15:01:56 <cait> m23: right now yes, I think the e-privacy regulation? is supposed to fix that
15:01:59 <cait> but it's not done
15:02:39 <m23> cait: e-privacy we need to solve too, but later :-)
15:02:53 <cait> i think i can't really translate well what i am trying to explain
15:03:02 <cait> it's a new EU thing that will accompany the GDPR
15:03:17 <cait> but it won't be ready for may
15:03:23 <josef_moravec__> e-privacy? Does it mean we will need another wiki page like this one? ;)
15:03:37 <cait> looking for an english link
15:03:58 <cait> ePrivacy directive maybe
15:04:23 <josef_moravec__> this one? http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
15:04:35 <cc_> https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation
15:05:33 <cait> https://www.eprivacy.eu/en/about-us/news-press/news-detail/article/what-does-the-eprivacy-regulation-mean-for-the-online-industry/
15:05:36 <cc_> part of the intention is to simplify the requirements re cookies
15:05:53 <josef_moravec__> ah, thanks
15:05:55 <cait> the problem is it will take effect later than the GDPR
15:06:00 <cait> so we don't quite know yet
15:06:07 <cait> cc_: that about right?
15:06:56 <m23> e-privacy is on the way, date not set
15:07:14 <cait> i will put the banner thing on prio 2
15:07:21 <cait> i think just informing is possible now with some custom javascript
15:07:38 <cait> but we probably need to talk about the eprivacy directive again at another meeting?
15:08:21 <cait> of the prio 1 items: Josef works on 1 and 7
15:08:26 <cc_> yes - detail not complete but it does distinguish between cookies to run your site and user tracking which were a bit confused in current rules
15:08:32 <cait> 15 still needs someone to look into it
15:09:06 <m23> ok, is something more specific, focus is on the data transfer security like postal security
15:09:50 <cait> someone for 15?
15:10:45 <reiveune> bye
15:11:05 <m23> video about black vision about eprivacy https://vimeo.com/236635324
15:11:26 <cait> ok, maybe later?
15:11:40 <cait> #info We are looking for someone to take care of 15 - anonymization of old_reserves
15:11:56 <cait> should we conclude the meeting with this and meet again in a few weeks?
15:12:30 <SoniaB> cait: Ok for me
15:12:43 <cc_> yes
15:13:02 <cait> #info If you plan to work on an issue, please mark it on the wiki
15:13:12 <cait> josef_moravec__: ?
15:13:38 <josef_moravec__> i am ok with it
15:13:51 <cait> ok, ending meeting, make suggestions for new date later.
15:13:55 <cait> #endmeeting