|
| 1 | +_Last Updated: (2026-04-20)_ |
| 2 | +_Last Reviewed: (2026-04-20)_ |
| 3 | + |
| 4 | +## Overview |
| 5 | + |
| 6 | +The purpose of this form is to disclose the types of personal data[^1] (PD) stored by each module. This information enables those hosting FOLIO to better manage and comply with various privacy laws and restrictions, e.g. GDPR. |
| 7 | + |
| 8 | +It's important to note that PD is not limited to that which can be used to identify a person on its own (e.g. Social security number), but also data used in conjunction with other data to identify a person (e.g. date of birth + city + gender, or dynamic IP address + date + time), and any information about such a person (e.g. has loaned 5 items, 2 of which are overdue). |
| 9 | + |
| 10 | +For the purposes of this form, "store" includes the following: |
| 11 | + |
| 12 | +* Persisting to storage - Either internal (e.g. Postgres) or external (e.g. S3, etc.) to FOLIO |
| 13 | +* Caching - In-memory, etc. |
| 14 | +* Logging |
| 15 | +* Sending to an external piece of infrastructure such as a queue (e.g. Kafka), database (e.g. Elasticsearch, Library Data Platform), distributed table, etc. |
| 16 | + |
| 17 | +## Personal Data processed by this Module |
| 18 | + |
| 19 | +- [x] This module does not store any PD. |
| 20 | +- [x] This module does not process any PD. |
| 21 | +- [ ] This module provides [custom fields](https://github.com/folio-org/folio-custom-fields). |
| 22 | +- [ ] This module stores fields with free-form text (tags, notes, descriptions, etc.) |
| 23 | +- [ ] This module caches PD |
| 24 | +- [ ] This module logs PD |
| 25 | + - [ ] Log level ERROR includes PD |
| 26 | + - [ ] Log level WARNING includes PD |
| 27 | + - [ ] Log level INFO includes PD |
| 28 | + - [ ] Log level DEBUG includes PD |
| 29 | +- [ ] This module transmits PD (including queues, additional databases, etc.) |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +### Identifiable information |
| 34 | + |
| 35 | +- [ ] Passport number / National identification numbers |
| 36 | +- [ ] Driver’s license number |
| 37 | +- [ ] Social security number |
| 38 | +- [ ] Financial account information |
| 39 | + |
| 40 | +### Identifiable information if linked |
| 41 | + |
| 42 | +Information can be combined with others to form a person’s identity. |
| 43 | + |
| 44 | +- [ ] First name |
| 45 | +- [ ] Last name |
| 46 | +- [ ] Gender |
| 47 | +- [ ] Date of birth |
| 48 | +- [ ] Place of birth |
| 49 | +- [ ] Racial or ethnic origin |
| 50 | +- [ ] Address |
| 51 | +- [ ] Location information |
| 52 | +- [ ] Geolocation data |
| 53 | +- [ ] Phone number(s) |
| 54 | +- [ ] Pseudonym / Alias / Nickname |
| 55 | +- [ ] Username / User Identifier (UUID) |
| 56 | +- [ ] Email address |
| 57 | +- [ ] Financial information / Fees or Fines |
| 58 | +- [ ] Circulation transaction(s) |
| 59 | +- [ ] Web cookies |
| 60 | +- [ ] IP address / MAC address |
| 61 | +- [ ] Photographs of users (profile picture) |
| 62 | +<!--- - [ ] Other PD - Please list as needed --> |
| 63 | + |
| 64 | +**NOTE** This is not intended to be a comprehensive list, but instead provides a starting point for module developers/maintainers to use. If needed, append additional lines and check those accordingly. |
| 65 | + |
| 66 | +## Privacy Laws, Regulations, and Policies |
| 67 | + |
| 68 | +Numerous laws and policies were considered when creating the list of personal data fields above. For additional information, please refer to the following: |
| 69 | +* [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02016R0679-20160504) |
| 70 | + * [What are identifiers and related factors? (ico.org.uk)](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors/) |
| 71 | + * [What is the meaning of 'relates to'? (ico.org.uk)](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-the-meaning-of-relates-to/) |
| 72 | + * [Opinion 4/2007 on the concept of personal data (Article 29 working party)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf) |
| 73 | +* [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa) |
| 74 | +* [U.S. Department of Labor: Guidance on the Protection of Personal Identifiable Information](https://www.dol.gov/general/ppii) |
| 75 | +* Cybersecurity Law of the People's Republic of China |
| 76 | + * https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/ |
| 77 | + * http://en.east-concord.com/zygd/Article/20203/ArticleContent_1690.html |
| 78 | +* [Personal Data Protection Bill, 2019 (India)](https://www.prsindia.org/billtrack/personal-data-protection-bill-2019) |
| 79 | +* [Data protection act 2018 (UK)](https://www.legislation.gov.uk/ukpga/2018/12/section/3/enacted) |
| 80 | + |
| 81 | +--- |
| 82 | +[^1]: Personal data is "any information relating to an identified or identifiable natural person". [GDPR Article 4](https://web.archive.org/web/20220308161519/https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e1374-1-1) |
| 83 | + |
| 84 | +v1.1 |
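Review bot: The checked box "This module does not process any PD" (file line 20) rests on a term the Overview never defines. Only "store" is defined (file lines 10-15), and that definition already covers caching, logging and sending to external infrastructure, so a reader cannot tell what the second checkbox adds or how it was verified. Either define "process" next to "store" or state in one line what was checked to support it. Since logging counts as storing, it is also worth confirming that none of the four log levels emit a user identifier (UUID) or IP address before leaving "This module logs PD" unchecked. Minor: the second Cybersecurity Law reference (file line 77) is a plain `http://` link while the rest are `https://`.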