The Islandora Foundation cares about protecting your privacy. Our primary objective in meeting GDPR requirements is service to our community.
Our approach to GDPR compliance is an ongoing engagement, and will include changes within operations and revisions to this guide, over time. GDPR includes a core principle of the right to be forgotten. If a Data Subject wishes to assert Rights of the Individual, please contact email@example.com. The Islandora Foundation aims to respond within 72 hours of receiving an inquiry. In cases where general Personally Identifying Information (PII) is processed by the Islandora Foundation, unambiguous consent is considered acceptable (e.g., a statement regarding cookies).
In cases where more sensitive PII is processed, explicit consent must be given. Consent may be revoked by the data subject at any time. The data subject may also exercise their other rights at any time, and those acting as Data Controllers and Data Processors must have a means to address those requests. Data Controllers and Data Processors have an obligation to ensure the proper storage and security of any processed PII, and must also notify affected Data Subjects within established timeframes (72 hours) if a breach has been identified.
The Islandora Foundation will not disclose information to third parties unless provided express consent or it is required to do so to comply with a legally valid and binding order. Unless prohibited from doing so, the Islandora Foundation notifies parties before disclosing content information related to our Events, Products, and Membership.

For further information on our approach and to discuss aspects of this policy, please contact: firstname.lastname@example.org.
Attribution: the Islandora Foundation would like to thank our friends at Duraspace for sharing their Privacy and Data Protection Policy, which was in turn designed with help from the Public Knowledge Project (PKP) and Simon Fraser University and access to their document “GDPR Guidebook for PKP Users.”
Consent: the agreement of a data subject to share personal data. Consent must be unambiguous (and in the case of sensitive personal data must be explicit, i.e. “opt-in”), and must be able to be withdrawn.
Data Controller: the entity that dictates the terms for processing data. With respect to Islandora Foundation products, events, membership, and general communications the Data Controllers are identified as the sitting Board and Foundation staff.
Data Processor: the entity that manages all processing of the data on behalf of the controller. With respect to Islandora Foundation events and general communications, the Data Processors are identified as:
Data Subject: a natural person whose personally identifying information may be tracked within a given system.
General Data Protection Regulation (GDPR): The EU’s new comprehensive set of regulations for the handling of personal data on the Internet by service providers. It went live on May 25 2018, and is pertinent to anyone who manages personally identifying information of EU citizens. The complete regulation is available here: https://www.eugdpr.org/. The GDPR defines the responsibilities that Data Controllers and Data Processors must adhere to with respect to the collection, processing, storage and destruction of any Personally Identifying Data that can identify a Data Subject.
Lawful Basis for Processing Personal Data: the basis by which a data controller must explain their ability to process data. The most common lawful basis is by consent.
Personally Identifying Information (PII), or Personal Data: any information that can potentially be used to identify a person, such as: their name(s); email address; mailing address; phone number; social network posts; or an IP address.
Rights of the Individual (Data Subject): The GDPR mandates the following rights of the individual, which it refers to as the “data subject”:
In order to adhere to the GDPR, people acting in the role of data controller, in conjunction with those serving as a data processor, must provide adequate means for individuals to assert these rights.
Using Islandora does not require providing any information to the Islandora Foundation. The project is open source and available to download and use without the need to fill out a form or enter any data.
Participating in the open source community which develops Islandora may require accounts in a few systems for the purposes of collaboration and communication. Those systems include GitHub, Slack, Google Drive, and project email lists (facilitated by Google Groups). Using each of these systems requires, at minimum, a username and email address to be provided. When a user’s name is requested, there is no requirement that a real name or full name be provided. Using only a first name, a nickname, or a pseudonym is acceptable.
Islandora’s community wiki and issue system are maintained in GitHub. In order to communicate via GitHub, a GitHub account is required. The personal information required to create a GitHub account includes username, email address, and name. More information can be provided in a GitHub account. The Islandora Foundation does not collect, capture, or process information found in GitHub accounts. Information in a GitHub account can be edited by the user at any time. To delete your GitHub account, follow the procedure established by GitHub.
In order to communicate via project email lists using Google Groups, a Google account is required. The personal information required to create a Google account includes username, email address, and name. More information can be provided in a Google account. The Islandora Foundation does not collect, capture, or process information found in Google accounts. Information in a Google account can be edited by the user at any time. To delete your Google account, follow the procedure established by Google.
Participation in Islandora Foundation events requires pre-registration and in some cases, payment. Registration is completed using EventBrite, Zoom, and PayPal. The following personal data may be collected when payment is not due: name, organization, title, email address, clothing size, and country of residence. When payment is collected the personal data requested may include: name, email address, mailing address, phone number, credit card type, number, security code and expiration date.
Credit card information is not stored by the Islandora Foundation. Personal data collected is stored in EventBrite or Zoom and will not be shared or distributed outside of the Islandora Foundation without express consent or to comply with a legally valid and binding order. The stored information in EventBrite and Zoom can be accessed, modified and erased by select Islandora Foundation staff and community partners.
Some personal data may be stored in Google Sheets for organizational purposes. This data may include: name, email address, organization, and clothing size. Survey responses are similarly stored in Google Sheets files produced by the Google Forms software. Responses are protected data in Google Drive.
The Islandora Foundation uses three systems for prospecting, invoicing and renewing membership: our accounting system, QuickBooks Online (QBO); our online payment system, Square; and Google Sheets.
Data stored in QBO is limited to an organization’s mailing address and the work email addresses of the invoice recipients, as designated by the receiving organization. Access to contact data in QBO is never shared outside of the Islandora Foundation and access to the data is very limited as it is only used when sending invoices as requested by member organizations. The stored information can be accessed, modified and deleted by select Islandora Foundation staff and community members. Recipients can update or terminate email communications by responding to any email they receive.
The second system for Islandora Foundation membership invoicing is Square. Square is used to invoice members who wish to pay by credit card. The following personal data may be collected and stored in Square: name, organization, title, work email address and country location for the organization. The personal data collected and stored is not shared or distributed outside of the Islandora Foundation. The stored information can be accessed, modified and deleted by select Islandora Foundation staff. Stored work email addresses may be included in Islandora Foundation communications and each communication allows the recipient the option to unsubscribe from Islandora Foundation communications.
Staying abreast of the Islandora Foundation community is done primarily through project email lists (facilitated by Google Groups) and GitHub.
Our communications network also leverages Twitter, YouTube, Facebook, and Slack, as mentioned in sections above. Our website is maintained at WebFlow.
Last Updated: June 2022
Updated by: Islandora Foundation Board of Directors