Hi folks,
With regard to PII and IP addresses, the trend with privacy regulations has
been to classify IP addresses as PII. For those who fall under the scope of
GDPR, "personal data" includes IP address. For the States, some
sector-based laws have IP address under personal identifier categories
(HIPAA). IP addresses are considered "personal information" in the
California Consumer Privacy Act [CaCPA]. While 99% of libraries are not
under the scope of CaCPA, other states are looking at CaCPA to inform their
own efforts to create and enact similar laws, some of which might have
libraries within their scope of compliance. This is only one of the many
reasons why we should not have IP addresses traced back to individuals if
we can help it (which many of us have the ability and resources to do).
Would folks be willing to share the contract addendum language and changes
that they successfully negotiated with the vendor to the list? Having the
language would help others negotiate with Lean Library if the library's
risk tolerance for potential patron privacy violations is lower than others
who choose not to negotiate.
Thanks,
Becky
On Wed, Aug 22, 2018 at 7:58 AM Tim McGeary <[log in to unmask]> wrote:
> I think we need to clear (and careful) in this discussion about what user
> data we are discussing. With authentication being done by the library /
> university, Lean Library doesn’t actually have personally identifiable
> information (PII). While IP addresses can be traced, is that any more a
> concern than an user’s ISP tracking all of users traffic already, since
> Lean Library is only effective from off campus IP addresses?
>
> On EZProxy, we do use a wildcard certificate, and we are in the process of
> moving the IP address of the service to a private IP address.
>
> Similar to a previous comment, this service will be an individual choice of
> a user to make. We can’t push this to our users; it will take their own
> initiative to install.
>
> Another context that I haven’t seen yet: what do others think of the cost?
> Have you found it to be reasonable or high? We are still considering that
> question internally.
>
> One more context is the licensing. The base license language has the
> jurisdiction in The Netherlands, which is something we (Duke) could never
> accept. We are suggesting other language changes, too, so I don’t know
> where all of this will land. It is possible we won’t come to a mutual
> agreement on contract terms.
>
> Tim
> AUL for Digital Strategies and Technology
> Duke University Libraries
>
>
|