Koha Tutorial Videos

Monday Minutes : GDPR

What is GDPR?

The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. GDPR has not been implemented as a law in the United States, however, since Koha is an international open-source software, there are libraries that needed to inform patrons on how their data is being used.

System Preferences

To activate these preferences, the system preference, GDPR_policy to Enforced or Permissive.

Enforced:

Once set to enforce, the first time a patron logs onto the OPAC, patrons must give consent before using the OPAC. If a patron does not give consent, they will be logged out of their account.

Permissive:

If a library chooses to set this system preference to Permissive. The patron is not required to give consent to access their patron account.

Disabled:

The consent will not appear on the OPAC.


A required system preference if a library chooses Enforced or Permissive for the GDPR policy is the PrivacyPolicyURL. A library will need a URL to have Koha refer to on this consent form. This URL is designed to allow libraries to show patrons what their privacy policies are.

More GDPR System Preferences

In 19.05, Koha released more system preferences that work with this GDPR process.

UnsubscribeReflectionDelay

PatronAnonymizeDelay

PatronRemovalDelay

These system preferences work together to establish a 3 tier system of locked/anonymized/deleted.

The patron can be locked out of their account after X number of days after they refused consent on the GDPR form. The patron's account can be anonymized after X number of days and finally, the patron will be deleted from Koha after X number of days.

These actions set up in the system preferences will be performed by the cleanup database cron job.

If these values in the system preferences are empty, nothing will happen. If a number (including zero), this will be interpreted as go forward with this process.

When a patron is locked out of their account after denying consent, a staff member can remove this lock by resetting the password on the account. The GDPR consent will be presented again to be allowed to move forward.

Monday Minute Video with Maribeth Shafer from CKLS (Central Kansas Library System)

Thank you to Maribeth for sharing the experiences of the Central Kansas Library System with us. We are happy to have a partner share advice on how they implemented the GDPR consent into their library system and hopes this helps other libraries with this process.

If you do have further questions about CKLS's process - please contact Maribeth, she is very willing to help! Her email is : mshafer@ckls.org