Ex Libris Ltd Alma Privacy Impact Assessment

Similar documents
Ex Libris. Summon Privacy Impact Assessment

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Data Protection Policy

Eco Web Hosting Security and Data Processing Agreement

Element Finance Solutions Ltd Data Protection Policy

GDPR: Is it just another regulation or a great opportunity for operational excellence? Athens, February 2018

EU General Data Protection Regulation (GDPR) Achieving compliance

SCHOOL SUPPLIERS. What schools should be asking!

Data Processing Agreement

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

General Data Protection Regulation (GDPR)

Version 1/2018. GDPR Processor Security Controls

GENERAL DATA PROTECTION REGULATION (GDPR)

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

1 Privacy Statement INDEX

EXAM PREPARATION GUIDE

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

The GDPR Are you ready?

GDPR and the Privacy Shield

Wonde may collect personal information directly from You when You:

Cybersecurity Auditing in an Unsecure World

Creative Funding Solutions Limited Data Protection Policy

GDPR Compliant. Privacy Policy. Updated 24/05/2018

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

Knowing and Implementing the GDPR Part 3

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Token Sale Privacy Policy

Data Processor Agreement

Data Processing Agreement

Embedding GDPR into the SDLC

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Requirements for a Managed System

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

What This Policy Covers

PS Mailing Services Ltd Data Protection Policy May 2018

PRIVACY POLICY. Introduction:

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Privacy Notice For Ghana International Bank Plc customers

MOBILE.NET PRIVACY POLICY

General Data Protection Regulation (GDPR)

Our Privacy Statement

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

PRIVACY NOTICE (TIER 4)

Privacy Policy. 1. Collection and Use of Your Personal Information

THE BASICS. 2. Changes

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

BIOEVENTS PRIVACY POLICY

DATA PROTECTION POLICY THE HOLST GROUP

Baseline Information Security and Privacy Requirements for Suppliers

GDPR Impacts. SEV GDPR Workshop Athens Giles Watkins, UK Country Leader. Wednesday 7th February,

GDPR- the new General Data Protection Regulations. Staff PDM- 2 nd May 2018

Data Processing Agreement for Oracle Cloud Services

Starflow Token Sale Privacy Policy

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Ohio Supercomputer Center

LBI Public Information. Please consider the impact to the environment before printing this.

The Common Controls Framework BY ADOBE

Unified Communications Phase 2 Presentation to IT Services Users Group

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Breach Notification in the GDPR Era. Speakers: Sam Pfeifle, IAPP Dennis Holmes, PwC

GDPR: A technical perspective from Arkivum

Cybersecurity Considerations for GDPR

Just-Property Ltd GDPR Client Data Register

FileFacets for GDPR. Solution Overview for Compliance. Copyright 2017 FileFacets Corporation. All rights reserved

Data Management and Security in the GDPR Era

Data Processing Clauses

Effective Date: November 26, A. Overview

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Protecting your data. EY s approach to data privacy and information security

ADMA Briefing Summary March

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

GDPR: A QUICK OVERVIEW

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

HPE DATA PRIVACY AND SECURITY

Juniper Vendor Security Requirements

Technical Requirements of the GDPR

IAPP-OneTrust Research: Bridging ISO to GDPR

Spring Mobile Mini UK Ltd. Privacy Policy Spring 2018

Fabrizio Patriarca. Come creare valore dalla GDPR

Ferrous Metal Transfer Privacy Policy

General Data Protection Regulation

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

Putting It All Together:

ADIENT VENDOR SECURITY STANDARD

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

The University of British Columbia Board of Governors

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

General Data Protection Regulation (GDPR) The impact of doing business in Asia

EU-US PRIVACY SHIELD POLICY (Updated April 11, 2018)

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

SECURITY & PRIVACY DOCUMENTATION

DATA PROCESSING TERMS

Transcription:

Ex Libris Ltd Alma Privacy Impact Assessment February 2018

1 - Table of Contents 1 - Table of Contents... 2 2 - Disclaimer... 2 3 - Purpose of this document... 4 4 - Main findings and Conclusions... 4 5 - Scope and Plan... 5 6 - Data Elements... 5 6.1 - Data sharing... 6 6.2 - Data Flows... 6 7 - Risks and Controls... 6 8 - Privacy management framework... 7 8.1 - GOVERNANCE... 7 8.2 - PRIVACY POLICY... 7 8.3 - SECURITY... 7 8.4 - THIRD PARTY... 8 8.5 - USER RIGHTS... 8 8.6 - CONSENT... 8 8.7 - TRAINING & AWARENESS... 8 8.8 - INCIDENT HANDLING... 8 8.9 - PRIVACY BY DESIGN... 8 2 - Disclaimer Page 2 of 9

This report is provided to Ex Libris Ltd. If this report is received by anyone other Ex Libris Ltd. The recipient is placed on notice that the attached report has been prepared solely for use in connection with Ex Libris Ltd. and this report and its contents may not be shared with or disclosed to anyone by the recipient without the express consent of Ex Libris Ltd. and KPMG Somekh Chaikin. KPMG Somekh Chaikin shall have no liability for the use of this report by anyone other than Ex Libris Ltd. and shall pursue all available legal and equitable remedies against recipient, for the unauthorized use or distribution of this report. Page 3 of 9

3 - Purpose of this document The Privacy Impact Assessment (PIA) is a process that identifies what impact a project, initiative or general collection, and use of information might have on the privacy of individuals. A PIA is a point-in-time assessment, and the resultant report and other outputs should be revisited as changes occur to the processes that were originally assessed. This PIA includes a brief description of the data processed in the Alma service, the privacy impact, and the measures Ex Libris is taking in order to manage the risks involved. 4 - Main Findings and Conclusions We have reviewed the privacy risks regarding Alma SaaS platform and the privacy and security controls designed to mitigate those risks. It should be noted that Ex Libris is a data processor, therefore, some of the personal datarelating processes are the responsibility of the data controller (Ex Libris customers), such as consent management. Individuals personal data in Alma is limited in nature and the inherent risks resulting is low. The privacy controls designed and implemented comply with GDPR requirements, relating to the business processes of Alma. After reviewing all material GDPR aspects, the privacy risks and implemented controls, any residual risk that we found was minimal. Our impression is that Ex Libris efforts in implementing GDPR requirements are well managed, resulting in a good level of compliance. Ex Libris has also appointed a Data Protection Officer (DPO). One of the main principles of GDPR is Privacy by Design, which means promoting privacy principles throughout product and process development from the start, and maintaining this while products and services are developing. In order to maintain compliance, Ex Libris will need to continue their practice of making the privacy of its customers a core value, and lead by example for other SaaS vendors in the market. Page 4 of 9

5 - Scope and Plan This PIA scope is the Alma service, where Ex Libris is the data processor. The purpose for data processing is to manage print, electronic, and digital materials in a single interface for Ex Libris customers. 6 - Data Elements Data needed for processing information about the data subjects (library patrons) are provided by the Ex Libris customer (library authority). Additional personal data updates are done by the library staff when needed, and the processes involved are the sole responsibility of the library, which is the data controller. Following is a list of data elements related to the data subject (patron), processed by Alma. All of the data elements are related to the patron. Data Field USER_NAME EXTERNAL_ID FIRST_NAME LAST_NAME MIDDLE_NAME CITY POSTAL_CODE COUNTRY STATE_PROVINCE EMAIL PHONE WEB_SITE_URL BIRTH_DATE GENDER USER_IDENTIFIER.VALUE DB Table USER_ADDRESS USER_ADDRESS USER_ADDRESS USER_ADDRESS USER_EMAIL USER_PHONE, USER_WEB_ADDRESS USER_IDENTIFIER Page 5 of 9

6.1 - Data sharing Information is not shared with any third party organizations or individuals. Notice about information collection and sharing is detailed in: https://knowledge.exlibrisgroup.com/alma/product_documentation/010alma_online_hel p_(english)/010getting_started/020security_and_data_privacy#personal_information_ Collected_and_How_It_is_Collected 6.2 - Data Flows Data is collected and provided by the library management (data controller), which provide library services for the patrons (data subjects), and import this data into Alma Data is not transferred to any third party or to other countries. 7 - Risks and Controls Data processing involves high volume activities involving a large number of people or a larger percentage of the relevant population. Yet, the sensitivity of the information collected about individuals (patrons) is low. None of the data elements are considered special category (GDPR Article 9). Specific risks and controls: Main Risks Disclosure of individuals data to unauthorized party internal users Disclosure of individuals data to unauthorized party external party (e.g., hackers) Processing of personal data without proper need Key Controls - Access management controls, authentication and authorization mechanisms - Application security measures - Operational security including: data center security, server security and network security - Intrusion prevention - Contractual agreements - Security monitoring - Contractual agreement - Privacy by Design processes, managed by DPO, including privacy implementation in product development - Privacy assessments Page 6 of 9

Breach of individual rights The organization has not implemented a documented Privacy management framework - Data Processing Agreement - Most individual rights are responsibility of data controller - Governance processes by DPO - Documented, published and implemented privacy policy - Appointed DPO, responsible for keeping the privacy processes current 8 - Privacy management framework 8.1 - GOVERNANCE The development and implementation of the privacy framework is the responsibility of Ex Libris DPO, Ellen Amsel. This also includes involvement in product development and privacy processes implementation throughout Ex Libris. 8.2 - PRIVACY POLICY Ex Libris privacy policy, relating to Alma, is published in: https://knowledge.exlibrisgroup.com/alma/product_documentation/010alma_online_hel p_(english)/010getting_started/020security_and_data_privacy#ex_libris_privacy_poli cy and managed by the DPO. 8.3 - SECURITY Information security policy is clear and published in: https://knowledge.exlibrisgroup.com/alma/product_documentation/010alma_online_hel p_(english)/010getting_started/020security_and_data_privacy. Security controls include: - Physical security - Operational security - Network security - Intrusion prevention - Application security - Access control - Asset management - Backup controls - Privacy management - Risk management and compliance Page 7 of 9

8.4 - THIRD PARTY Ex Libris uses one vendor for Alma Equinix co-location provider. Ex Libris owns and manages all the equipment in the data center and monitors the security controls over this vendor, using SOC2 (Type 2) audit report. Personal data is not shared with any third parties. 8.5 - USER RIGHTS Data is collected and provided by library management - data is processed according to the data processing agreement, and individuals consent is the responsibility of the library (the data controller). Ex Libris provides their customers with processes and tools to allow patrons the ability to access and correct their personal data, and to delete their personal information in accordance with the library s policies. This is performed by the library staff, using the Alma interface. Any patron wishing to make a comment or complaint regarding their own information can contact the Ex Libris DPO. 8.6 - CONSENT Consent is managed by the customer (library), who is the data controller. 8.7 - TRAINING & AWARENESS Ex Libris is managing a privacy awareness training program, as well as a security awareness training program. Additionally, specialized Privacy by Design training has been conducted specifically for GDPR. 8.8 - INCIDENT HANDLING Ex Libris has constructed incident response and notification procedures. Procedures include breach notification policy and the involvement of the DPO in case of a data breach. 8.9 - PRIVACY BY DESIGN Ex Libris has implemented Privacy by Design processes, which involve the DPO and privacy concerns from the beginning of product development and through change management. 8.9.1 - Data minimization Page 8 of 9

The information collected by Alma (specific data elements listed above) is limited to the information necessary, relevant and proportionate to the purposes of the system use. Only personal data which is necessary for the processing is collected. 8.9.2 - Data retention Alma allows retention of historical data, in order to support auditing needs. To reduce privacy risk, the system anonymizes historical data that is no longer needed. Specific anonymization rules (for loans, fees and fines) are detailed in Alma Data Privacy FAQs. Alma allows libraries to delete historical data, when this is not needed, in order to implement their own data retention policies. Page 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback