I would also be interested in any work in this area.

Thanks
Lee

Lee Blyth
Discovery & Access Librarian, Library Collection & Digital Services
T: +44 (0)191 243 7664
Twitter: @leeblyth
University Library, Northumbria University, Newcastle upon Tyne, NE1 8ST, United Kingdom

From: An informal open list set up by UKSG - Connecting the Information Community On Behalf Of Paul Stainthorp
Sent: 13 November 2018 13:23
Subject: Re: [lis-e-resources] GDPR and personal accounts

Hi all.

Like Caroline, we have a number of queries about this at UWE Bristol which we are tackling through an internal GDPR-third parties working group. (There was a similar query on this mailing list on 7th September 2018.)

We are similarly concerned about the ‘grey area’ where – rather than our sharing student personal data with Service Providers via federation attributes – users are instead encouraged or in some cases *required* to create a personalised login before they can access the service; whether the University’s effectively compelling the user to supply their personal details to that third party affects our responsibility to secure a data processing agreement with that SP.

I contacted Jisc Collections and Eduserv (Chest) about this a couple of months ago to ask whether there was any work going on to normalise GDPR compliance for e-resources provided via consortium licence agreements. Both replied to say that they could advise on situations where they themselves are handling user data but not necessarily (yet) on data transfer to a third party SP.

I’d be very interested in any work going on in this area.

Paul

Paul Stainthorp
Collections Librarian (e-Resources)
Library Services, University of the West of England
Frenchay Campus, Coldharbour Lane, Bristol BS16 1QY
Tel: +44 (0)117 32 86414

From: An informal open list set up by UKSG - Connecting the Information Community On Behalf Of Checkley, Caroline R
Sent: 13 November 2018 09:20
Subject: Re: [lis-e-resources] GDPR and personal accounts

Hi Mark

Thanks for replying, the resource I am thinking of is a JISC collection resource and I think the issue may be worth pursuing.

For most resources this is not a problem. Many resources use Shibboleth to create personal accounts without extra metadata, e.g. E-Book Central, Lexis, but a lot of financial databases require personal registration and some vendors charge for the SSO integration.

Our IdP manager also mentioned this:

In the latest version of the Shibboleth IDP software there is a consent configuration screen that could be interesting. We currently have this part of the IDP disabled, but if enabled it would mean that after the user has authenticated they would be presented with a screen that allows the user to decide whether they agree to consent to the attributes that would be released to the service provider. An example of this screen is here: https://www.ukfederation.org.uk/content/Documents/Shib3ConsentConfiguration

Which could be useful in this circumstance.

I’ll also take a look at the code of conduct and run this past our IdP manager.

Thanks.

All the best
Caroline

Caroline Checkley
Digital Systems and Services Librarian
Library Services, University of Essex
T 01206 873176
library.essex.ac.uk

From: An informal open list set up by UKSG - Connecting the Information Community On Behalf Of Mark Williams
Sent: 12 November 2018 09:49
Subject: Re: [lis-e-resources] GDPR and personal accounts

Hi Caroline,

The “added value” caveat is certainly something some Publishers are leveraging. If there is enough interest in taking this issue further, I’d be happy to set up a webinar / workshop on the issues and we could look at what the UK federation could do to help address this.

You also might want to have a look at the Geant Code of Conduct for service providers - https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home

If institutions start requesting Service Providers take up the Geant Code of Conduct, it would certainly help us push it within the federation space.

Hope that helps
Mark

Mark Williams
UK federation Manager
T: 02030066042 (Direct)
Jisc, 15 Fetter Lane, EC4A 1BW London

From: An informal open list set up by UKSG - Connecting the Information Community On Behalf Of Checkley, Caroline R
Sent: 12 November 2018 09:36
Subject: [lis-e-resources] GDPR and personal accounts

Dear all,

We have been reviewing our e-resources in the light of GDPR and are concerned with the creation of personal accounts required by some resources for ‘added value’.

Our Data Protection Officer is thinking that if we are in essence recommending resources to our students by making them available then we should be ensuring these resources are GDPR compliant and aware of what information these resources are asking for.

Shibboleth logins usually negate the necessity of creating personal accounts; one of our resources is requiring that we hand over e-mail address in the metadata rather than use eduPersonPrincipalName.

I do have a particular resource in mind and had a quick look at the EBSCO ‘My EBSCO’ feature which only requires e-mail so is not so bad, but I think I have one other resource that does ask for extra metadata via Shibboleth.

Has anyone else been considering this?

Thanks

All the best
Caroline

Caroline Checkley
Digital Systems and Services Librarian
Library Services, University of Essex
T 01206 873176
library.essex.ac.uk

lis-e-resources is a UKSG list - http://www.uksg.org
UKSG groups also available on Facebook and LinkedIn
Follow us on Twitter: https://twitter.com/UKSG