The GDPR summary from the PKP Turin Sprint, hosted by the CRAFT-OA project in October 2024, is now available.
Sprints involve PKP community members joining diverse groups to work on PKP software and support. In October, the CRAFT-OA project and the University of Turin hosted eight working groups at the PKP Turin Sprint. This is a summary of one such group’s work.
Abstract
The General Data Protection Regulation (GDPR) has different use cases in various countries. There is more than a mere implementation requirement but the framework for use cases is complex. The workload for system administrators could grow if the request volume is high and the workflows must be carefully crafted. Possible legal actions are uncertain and journals may need individual legal advice when creating the contracts.
Working Group members
- Jonas Raoni Soares da Silva, Public Knowledge Project
- Tom Granroth, Federation of Finnish Learned Societies
- Dulip Withanage, TIB
- Ipula Ranasinghe, TIB
- Jyrki Heinonen, Federation of Finnish Learned Societies
- Gabriele Raimondi, University of Bologna
Background
An important issue is important for General Data Protection Regulation (GDPR) compliance and other personal data protection laws comes when maintaining the editorial history, as balancing the right to be forgotten with user merging functionality can become a challenge.
The current processes don’t preserve the historical contributions and edits when merging user accounts, causing discrepancies in editorial records. Another complex scenario comes when an individual has deceased, as these accounts can’t be anonymized but should not remain active. A permanent tag is necessary in those cases, as well as a workflow to finish any incomplete work by that person.
Goals
- To create a list of considerations and a specification for anonymizing metadata
- Considerations
- Legal
- Do officials (e.g. police officers) have the right to deanonymize the data? If yes, and if it’s for a limited time (e.g. maximum 6 months), then we can keep the data encrypted instead of hashed, in a separate place and encrypted (so it’s possible to reverse).
- Can Agreements be made by the journal that from the time of asking “right to be forgotten”, the anonymization can happen? For earlier disseminated metadata, it may not be possible. Examples are archived tapes/backups, open-review metadata deposited in national or long-term archives
- Can Journals retain the right not to anonymize personal data contractually for already published formats e.g. PDF?
- Is GDPR a superset of the other privacy regulations? If not, it might be necessary to define which one the institution wants to follow.
- Can we get some help from PKP/SFU/TIB lawyers regarding the laws existing beyond GDPR e.g. https://oag.ca.gov/privacy/ccpa ?
- OJS
- When the user is anonymizing himself (e.g. “Delete my profile”), does it need to be approved by a manager?
- Should it allow the user to download their data before/after anonymization?
- Some users may ask to anonymize their activity in one journal.
- Can someone ask not only to anonymize but also to delete log entries?
- If encryption is used
- The encrypted value may be longer than the column
- The key has to be preserved permanently
- When thanking a reviewer, the user’s first and last name can be saved in the database. Are we allowed to change that, even in the GDPR context?
- Bots may create only users: can we delete such users instead of anonymizing them?
- What do we have to do when we are migrating data, and in the process, the journal manager wants some of the user data removed? Maybe we need a mechanism to exclude users by email or username
- Legal
- Suggestions:
- Allow the user to anonymize him/herself
- Allow journal manager to anonymize on request (legally binding)
- For multiple journals, an administrator request, the user may need to ask each journal manager where he/she is enrolled.
- For the future users’ table: maybe a tag to indicate “anonym_user”
- Considerations
Results
Current list of steps an administrator can do to anonymize a specific user
- A system administrator can create an encryption key
- Depending on the context, the policy can be a
- random encryption key (truly anonymized)
- persistent key, so that can still recover (questionable GDPR)
- Depending on the context, the policy can be a
- Encrypt the following fields in the tables
- Users: Username, email (id is not changed), phone, mailing_address, billing_address
- User_settings: biography, signature, affiliation, givenName, familyName, preferredPublicName, ORCID,
- Event_log_settings: ****username, editorName
- Disable the user by editing the users table
- Users: disabled, disabled_reason
- Delete profile image (user_settings):profileImage and clear public folder
- Delete User_settings: apiKey
- Clear the logged-in sessions
- Wrote SQL creates SQL queries
- Converting to PHP
Demonstrations of the general workflow
Rewrite the Users Table to support the OJS 3.5 design
- Demo: https://github.com/craft-oa/gdpr-invitation/issues/38#issuecomment-2402205319
- Code: Commits https://github.com/withanage/ui-library/commits/9658-users-table
Other results
- Discussed and analyzed the user-based settings in OJS 3.3 and 3.5
- A list of requirements, that can be extended
- Database-based proposal for a system administrator to anonymize user data
SQL script to list fields to anonymize. The list could be used in PHP to count lines and ensure that all fields have been handled:
SELECT
users.user_id,
username,
email,
phone,
mailing_address,
billing_address,
disabled,
disabled_reason,
setting_name,
setting_value
FROM `users`
JOIN user_settings ON users.user_id = user_settings.user_id
WHERE `email` = “email_address_in_variable”;
Next Steps
- Create a discussion in pkp-lib with the proposals for the right to be forgotten
- Parallelly contact known GDPR-Officers and known lawyers (help is welcome)
- If agreed upon, the database-based solution can be documented as a first step
- A ticket for implementing the solution into PKP-Software
- Users table, API integration
Thank you
We once again thank the Sprint host institutions, and all participants for their valuable contributions to the PKP user community. Special thanks to the CRAFT-OA Project and the University of Turin for their support and partnerships.