Privacy and Data Protection at DuraSpace

Our Policy

We care about protecting your privacy. Our primary objective in meeting GDPR requirements is service to our community.

Our approach to GDPR compliance is an ongoing engagement and will include changes within operations and revisions to this guide over time. GDPR includes a core principle of the right to be forgotten. If a Data Subject wishes to assert Rights of the Individual, please contact privacy@duraspace.org. DuraSpace aims to respond within 72 hours of receiving an inquiry.

In cases where general Personally Identifying Information (PII) is processed by DuraSpace, unambiguous consent is considered acceptable (e.g., a statement regarding cookies). In cases where more sensitive PII is processed, explicit consent must be given. Consent may be revoked by the data subject at any time. The data subject may also exercise their other rights at any time, and those acting as Data Controllers and Data Processors must have a means to address those requests.

Data Controllers and Data Processors have an obligation to ensure the proper storage and security of any processed PII, and must also notify affected Data Subjects within established timeframes (72 hours) if a breach has been identified.

DuraSpace will not disclose information to third parties unless it has been given express consent or is required to do so to comply with a legally valid and binding order. Unless prohibited from doing so, DuraSpace notifies parties before disclosing content information related to our Products, Events, Membership, Services or the DuraSpace Service Provider (DSP) Program.

For further information on our approach and to discuss aspects of this policy, please contact: privacy@duraspace.org.

Attribution: DuraSpace would like to thank our friends at the Public Knowledge Project (PKP) and Simon Fraser University for access to their document “GDPR Guidebook for PKP Users.” It provided inspiration and many significant contributions to this documentation. Special thanks to James MacGregor, Associate Director, Strategic Projects & Services Public Knowledge Project who coordinated the PKP documentation and collaborated with us on this initiative.

Key Terms

Consent: the agreement of a data subject to share personal data. Consent must be unambiguous (and in the case of sensitive personal data must be explicit, i.e. “opt-in”), and must be able to be withdrawn.

Data Controller: the entity that dictates the terms for processing data. With respect to DuraSpace services, events, membership, and general communications the Data Controllers are identified as:

  • Products – Bill Branan, Services Technical Director
  • Services – Bill Branan, Services Technical Director
  • Events – Kristi Searle, Community Relations Coordinator
  • Membership – Kristi Searle, Community Relations Coordinator
  • DuraSpace Service Provider Program – Erin Tripp, Business Development Manager
  • General Communications (newsletter, blog, social media) – Carol Minton Morris, Communications and Marketing Director

Data Processor: the entity that manages all processing of the data on behalf of the controller. With respect to DuraSpace services, events, membership, and general communications the Data Processors are identified as

Data Subject: a natural person whose personally identifying information may be tracked within a given system.

General Data Protection Regulation (GDPR): The EU’s new comprehensive set of regulations for the handling of personal data on the Internet by service providers. It goes live on May 25, 2018, and is pertinent to anyone who manages personally identifying information of EU citizens. The complete regulation is available here: https://www.eugdpr.org/. The GDPR defines the responsibilities that Data Controllers and Data Processors must adhere to with respect to the collection, processing, storage and destruction of any Personally Identifying Data that can identify a Data Subject.

Lawful Basis for Processing Personal Data: the basis by which a data controller must explain their ability to process data. The most common lawful basis is by consent.

Personally Identifying Information (PII), or Personal Data: any information that can potentially be used to identify a person, such as: their name(s); email address; mailing address; phone number; social network posts; or an IP address.

Rights of the Individual (Data Subject): The GDPR mandates the following rights of the individual, which it refers to as the “data subject”:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to automated decision-making including profiling.

In order to adhere to the GDPR, people acting in the role of data controller, in conjunction with those serving as a data processor, must provide adequate means for individuals to assert these rights.

 

Operational Data Collection & Management

Products

Using DuraSpace projects (DSpace, Fedora, VIVO, or DuraCloud) does not require providing any information to DuraSpace. Each project is open source and available to download and use without the need to fill out a form or enter any data.

Participating in the open source community which develops each DuraSpace project requires accounts in a few systems for the purposes of collaboration and communication. Those systems include the DuraSpace Wiki, DuraSpace issue tracking system (JIRA), Slack, IRC, and project email lists (facilitated by Google Groups). Using each of these systems requires, at minimum, a username and email address to be provided. When a user’s name is requested, there is no requirement that a real name or full name be provided. Using only a first name, a nickname, or a pseudonym is acceptable.

The following personal information may be collected when using DuraSpace Wiki (Confluence) or JIRA: username, name, email address, employer, title, location, and picture. Only username, email address, and name are required information. The information provided is shared publicly and can be edited by the user at any time. If you would like your data or account removed at any time, contact sysadmin@duraspace.org and we will respond within 72 hours.

The following personal information may be collected when using Slack: username, name, email address, employer, title, picture, phone numbers, and timezone. Only username and email address are required. Time zone is determined by your current location. The information provided is shared with others in the same Slack workspace and can be edited by the user at any time. DuraSpace does not collect, capture, or process information found in Slack profiles. To delete your Slack profile, follow the procedure to deactivate your account and request profile deletion.

The only information required to communicate using IRC is a username. DuraSpace captures logs for the #duraspace IRC channel to facilitate the review of historical conversations.

In order to communicate via project email lists using Google Groups, a Google account is required. The personal information required to create a Google account includes username, email address, and name. More information can be provided in a Google account. DuraSpace does not collect, capture, or process information found in Google accounts. Information in a Google account can be edited by the user at any time. To delete your Google account, follow the procedure established by Google.

Events (Camps/User Group Meetings/Webinars/Summit)

Participation in DuraSpace events requires pre-registration and in some cases, payment.  Registration is completed using Constant Contact, Zoom Webinars and PayPal.  The following personal data may be collected when payment is not due: name, organization, title, email address and country of residence.  When payment is collected the personal data requested may include: name, email address, mailing address, phone number, credit card type, number, security code and expiration date.

Credit card information is not stored by DuraSpace.  Personal data collected is stored in Constant Contact, Zoom Webinars or in Zoho CRM and will not be shared or distributed outside of DuraSpace without express consent.  The stored information can be accessed, modified and erased by select DuraSpace staff.  Stored email addresses may be included in DuraSpace communications and each communication allows the recipient the option to unsubscribe from DuraSpace communications.

All Data Processor accounts are password protected. Each Data Processor has its own Privacy Policy or Terms and Conditions statements. We do not collect more data than necessary for our operations. If you have a request related to information collected for DuraSpace events, do not hesitate to contact privacy@duraspace.org and we will respond within 72 hours.

Membership

DuraSpace uses two systems for prospecting, invoicing and renewing membership: our accounting system, QuickBooks Online (QBO), and our customer relationship management system, Zoho CRM.

Data stored in QBO is limited to an organization’s mailing address and the work email addresses of the invoice recipients, as designated by the receiving organization. Access to contact data in QBO is never shared outside of DuraSpace and access to the data is very limited as it is only used when sending invoices as requested by member organizations. The stored information can be accessed, modified and deleted by select DuraSpace staff. Recipients can update or terminate email communications by responding to any email they receive.

The second system for DuraSpace membership contact data is Zoho CRM.  Zoho is used to store information about the organizations who participate in the DuraSpace community along with the relevant contacts for those organizations. The following personal data may be collected and stored in Zoho: name, organization, title, work email address and country location for the organization. The personal data collected and stored is not shared or distributed outside of DuraSpace. The stored information can be accessed, modified and deleted by select DuraSpace staff.  Stored work email addresses may be included in DuraSpace communications and each communication allows the recipient the option to unsubscribe from DuraSpace communications.

Services

As a service provider, DuraSpace collects personal data about individuals representing the institutions and organizations which have service agreements with DuraSpace and/or are interested in becoming service customers. This data is collected from subscription inquiries and while signing service agreements, invoicing, providing customer service, and renewing service customers.

DuraSpace uses WordPress website forms to collect information from individuals interested in learning more about our services. The required information collected includes full name, email address, organization, title, and the country where the organization is located. This information is sent to staff via GMail and is stored in Zoho CRM and is not shared or distributed outside of DuraSpace without express consent. If DuraSpace services will not meet the requirements of those who express interest in a service, we will ask their permission to refer them to a list of vetted service providers who may be able to meet the requirements. The stored information can be accessed, modified and erased by select DuraSpace staff. Stored email addresses may be included in DuraSpace communications and each communication allows the recipient the option to unsubscribe from DuraSpace communications.

Subscribing to a DuraSpace service requires collecting personal information for individuals who will act as subscription account contacts on behalf of their organization. The information is used to invoice and onboard customers and to communicate important subscription information. The required information collected includes full name, email address, organization, and title. Personal data collected is stored in Zoho CRM (customer relationship management software), Google Sheets, Zendesk, and Intuit QuickBooks. It is not shared or distributed outside of DuraSpace.  The stored information can be accessed, modified and erased by select DuraSpace staff.

As a service provider, DuraSpace has a responsibility to provide secure software and timely customer communications, and we welcome this opportunity to strengthen privacy rights. We do not collect more data than necessary for our operations. If you have a request related to information collected for DuraSpace service inquiries or subscriptions, do not hesitate to contact privacy@duraspace.org and we will respond within 72 hours.

Our Services and Customer Content

The realm of digital preservation raises a number of considerations for compliance with GDPR, particularly around the regulation’s core principle of the right to be forgotten.

One function of digital preservation is to produce a historical record. As such, our services fall within what the GDPR recognizes as a need “to reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression” (GDPR, Article 85).

More specifically, the GDPR specifies that “the right of erasure” (Article 17) holds in situations in which “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” In digital preservation, provenance data remains necessary. GDPR allows “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes the preservation of which is in the public interest” (Recital 65).

Security Breaches

DuraSpace shall notify customers of any security or privacy breaches associated with Data Processors within 72 hours of discovery, and provide regular updates until the incident is resolved.

In the event a customer-initiated security or privacy breach has implications for the safe and effective operation of DuraSpace operations or services, DuraSpace reserves the right to immediately take the customer’s instance and place it in a secure and isolated systems environment until the problem has been resolved.  DuraSpace reserves the right to charge an additional fee for the time and effort required to resolve a customer-initiated security or privacy breach.

DuraSpace Service Provider Program

As the administrator of the DuraSpace Service Provider (DSP) Program, DuraSpace collects personal data about individuals representing the institutions and organizations which provide services for DuraSpace products and wish to participate in the DSP Program. Data about service providers is collected from DSP Program inquiries and through the application and annual renewal process of the program.

DuraSpace uses WordPress website forms to collect information from individuals interested in participating in the DSP Program. The required information collected includes full name, email address, organization, title, and the country where the organization is located. This information is sent to staff via GMail and Google Sheets and is not shared or distributed outside of DuraSpace without express consent for referrals. The stored information can be accessed, modified and erased by select DuraSpace staff.

If participating in the DSP Program, DuraSpace requires collecting personal information for individuals who will act as contacts on behalf of their organization. The information is used to invoice the organization for participation in the program and communicate referrals and other opportunities for service provision in our communities. The required information collected includes full name, email address, organization, and in some cases an in-kind contribution and revenue report. The reports are held in the strictest confidence and are accessible to limited DuraSpace staff. Data collected is stored in Google Drive and Intuit QuickBooks.

General Communications

Staying abreast of the DuraSpace community is done primarily through our newsletters and organizational or event-related communications sent via Constant Contact, Zoom Webinars and project email lists (facilitated by Google Groups).

Our communications network also leverages WordPress, Twitter, LinkedIn, YouTube, and Slack, as mentioned in sections above.

All Data Processor accounts are password protected. Each Data Processor has its own Privacy Policy or Terms and Conditions statements. We do not collect more data than necessary for our operations. If you have a request related to information collected for DuraSpace events, do not hesitate to contact privacy@duraspace.org and we will respond within 72 hours.