Access-It Data Protection and Privacy Policy, and GDPR

Access-It Policy Update: Data Protection and Privacy Policy
May 2018

‘Access-It’ refers to Access-It Software Ltd; Access-It Software (UK) Ltd; Access-It Software International Ltd. ‘Accessit’, in contradistinction to ‘Access-It’, refers to Access-It’s library product known as Accessit Library. ‘The customer’ and ‘the organisation’ refer to you as the customer and your organisation which has purchased or has a licence to use Accessit Library.

Access-It maintains data security, data protection and integrity standards to protect the privacy of individuals and for the purpose of dependable data transparency. The policies below include updates with respect to data security and privacy in general, with specific reference to the requirements of the GDPR in particular (see following).

Note that these policies do not cover third party applications or software that may integrate with the services offered by Access-It. Customers are advised to check the data protection and privacy policies of any such third party providers to ensure they also have high standards of data protection, and that they adhere to the legislative requirements for their country or region (such as that outlined in the GDPR).

Overview of GDPR
With the General Data Protection Regulation (GDPR) (EU) 2016/679, effective from 25 May 2018, new obligations on organisations exist with respect to an individual’s data, including how it is collected, how it is protected, and the transparency and accessibility of this data to an individual. Access-It Software has taken this opportunity to improve systems and procedures not just for EU customers, but also to offer improvements for customers world-wide.

Data Protection and Privacy Policy
This policy sets out our commitment to data security and protection. It relates to both data that Access-It may store that identifies an individual, and data that customers may store via the software services we offer. It also identifies some of the new tools we have implemented to give users the power to comply with the data protection and privacy policies of their organisation, country or region (including the GDPR), with respect to Accessit Library.

Information we collect and receive
Access-It maintains information on its customers. This includes the name and address of the organisation; contact details of key individuals (including first name, last name, email address, and work phone); and details of the technologies they use to run the Access-It services (such as operating system and software versions). Access-It can then ensure updates can be applied seamlessly and as appropriate; help customers efficiently with queries or requests for assistance; send customers offers of training and other services and materials relevant to their Accessit Library system.

In order to maintain up-to-date records, key contacts (such as library manager, IT support staff, and accounts contact) within an organisation are prompted quarterly to check, edit, and confirm or delete their details. Where confirmed, these details are used to help inform customers of product support material, upcoming product events, updates and billing/account management matters. The data is also used to help identify an individual subscriber with the Access-It customer support portal. An individual can at any time check the details stored on them, and confirm, edit or delete this information. The self-management of their own individual details is included in the library product supplied to customers.

Access-It recommends secure https (TLS) connections and/or the use of secure protocols (backed by security certificates and encryption algorithms, for example) wherever possible. When data on the above key individuals in an organisation are processed, communications are designed for secure https connections.

Use of third-party services
Access-It does not actively pass on or on-sell any personal information to third parties. It does, however, make use of third-party services to facilitate customer management, such as customer support portal software, and mail-out services to advise customers of product-related information, such as this policy update or Accessit Library training sessions. Access-It makes use of these third-party systems in good faith; however, it is the duty and obligation of such third-party providers to be bound by and comply with their own data protection and privacy policy.

Accessit Library
Access-It supplies products and services to organisations that can be deployed locally within that organisation, or as part of our cloud-hosted services. When an organisation opts for local deployment, that organisation is responsible for maintaining its own standards of security with respect to access to hardware, software, backups and secure connections.

a) Backups
In order to assist with security, when an organisation creates a backup from within Accessit Library, the backup is automatically encrypted as part of this process. Temporary in-memory databases that may be created during such processes as patron synchronisations are also encrypted. It is the responsibility of the customer to permanently delete old backups (that fall outside of the data retention time of the organisation) so that old personal data cannot be restored.

b) Management app
Organisations should ensure that only authorised staff have access to the Accessit Library management application, and all such authorised users should maintain strong usernames and passwords for this solution. It is the responsibility of the organisation and its users to maintain secure practices with respect to computer access and password control.

c) Web app and web services
Web-based access to the Accessit Library system is provided via the Apache Tomcat web container. Access can be via either http or https, but the latter is recommended. When using https it is the responsibility of the customer to obtain a security certificate and enable https over TLS. This is particularly important if allowing access to the system from outside the organisation’s local network, i.e. access from the internet.

The Apache Tomcat system does by default record, for remote parties connected to the web app, session start and end times, the IP address of remote parties, javascript pages requested from the web server, and standard http traffic such as http redirects and requests to open additional browser windows.

d) Personal data collected
Personal data that can be collected and stored within Accessit includes name, address details, email address, phone number, associated contact details (for more details see Appendix 1 below). The personal data is provided by the users themselves (via the web app under their personal details area), manually via an operator using the management app, or supplied via a third-party system such as a patron or student management system.

Personal data is only used to assist with the provisioning of Accessit functionality, for example to identify individuals that are borrowing library items, need to be contacted about overdue items or have reserved items that are now available, etc. The data may also be used to report on users not making use of the library or for creating overdue lists, etc; whether such reporting is utilised is at the behest of the customer and the organisation’s operating policies.

Accessit does not pass personal data to a third party system unless there is a system the customer has opted into integrating with and that third party requires such data. See the next section regarding ‘Third Party Providers’ below.

e) Personal data retention/Anonymising data
To comply with the data retention policy of an organisation, the administrator of Accessit Library is able to define when users will be anonymised (and later purged) from the system. Anonymising individual data ensures that all information that could identify a patron is cleared or overwritten. This includes name, address details, email address, phone number, associated contact details (see Appendix 1 below). As such, after anonymisation it will not be possible to identify who the individual was. This process cannot be reversed. However, via the anonymising process, sufficient information is retained to enable aggregated reporting on library usage, without being able to identify any individual. Such aggregated reporting might include the total number of loans across a date range.

f) Purging data
In addition to defining when users will be automatically anonymised, the administrator of Accessit Library can also define when old records will be purged entirely from the system. When this happens, all anonymised data from an individual will be permanently removed from the system. Once purged, the data cannot be reinstated. Subsequent aggregated reporting will exclude purged data.
Purging data is only a procedure to improve internal efficiencies in the Accessit system and does not affect privacy or security in any way, because the process only works with data that has already been fully anonymised (as per section (e) above).

g) Scheduled Anonymisation/Purging
It is expected that library administrators will, in general, set a rule within Accessit Library that allows a deleted patron to stay in the system for a reasonable period (for example, 12 months) to enable full and comprehensive reporting on loan histories, overdue items or accounts that still relate to the patron who has left the organisation, and so on. After a suitable period (defaults to 12 months), based on the organisation’s data retention policies, the deleted patrons can be anonymised. After a further time (defaults to 7 years) after a patron has been deleted, the rule should be set to automatically purge such anonymised patrons.

h) Retention and deletion policy
Each Access-It customer can set the above retention and deletion implementation based on the needs, requirements and policy of their own organisation, irrespective of whether they have opted for local deployment or cloud-hosted Access-It services.

i) External access
Where a customer opts for local deployment of Accessit Library, it is up to each site to organise secure external connections via VPNs for users who require external access to the Accessit Library management application.

j) Cloud hosting
For Access-It cloud-hosted customers, data and backups are managed by Access-It staff. All data and backups are stored within secure regionally-based data centres as well as within secure cloud-based, third party archiving providers. Transfers to third party archiving providers are over secure SSL connections.

k) In-country and regional storage of data
Wherever possible, for cloud-hosted customers, their data resides in the country of origin. For example, UK cloud-hosted customers are hosted within UK data centres; Australian customers are hosted within Australian data centres; NZ customers hosted in New Zealand data centres; US customers within data centres within the US. For other countries outside the above, the cloud hosted environment may reside in a nearby region outside the specific country. If data is moved from a country, Access-It will adhere to the requirements of the data protection and privacy requirements of the country of origin.

As part of the cloud hosting service, Access-It also supports the data protection and privacy statements of the country, including for example the mandatory data breach reporting, introduced in Australia in February 2018.

Software updates
As a result of the introduction of the GDPR, additional options and features have been added to Accessit Library to further protect and strengthen an individual’s right to data privacy. It is incumbent on each organisation to ensure they have the latest software release of Accessit Library, so that they are able to take advantage of any new data protection functionality.

Correct and appropriate use of Accessit Library
It is incumbent on each organisation to ensure only authorised staff are provided access to the Accessit Library system and are well trained and kept up to date with the latest versions of Accessit. It is vital staff do not store sensitive or personal information in incorrect or inappropriate fields which are not intended for that purpose.

Accessit Library phone app
The Accessit Library phone app provides users with the ability to search their organisation's library (via web services), write reviews, reserve items, and view items that they have on loan. If the user chooses to make use of features that require them to be authenticated, this authentication process takes place between the site hosting the organisation's Accessit Library solution and the user of the phone app. As such, the Accessit Library solution should be accessed from the phone app via https only.
a) Personal details which identify a user are used solely for authentication processes; after authentication, personal data (see section (d) above) for that user may be used in the provisioning of Accessit functionality, such as allowing the user to write a review on an item or display a list of their personal lending history.

b) If the user decides to remain logged in, the app uses storage on the user's device to store their login credentials.

c) Other information collected by the library solution is used to identify the platform (Android or iOS), version and device to ensure the user gets the relevant UI and user experience.

Third Party Providers
As part of the normal operation of the Accessit Library solution, some third party content providers (which the customer has opted in to using) may require authenticated access to their third party content. Where such authentication is required, Accessit Library may be required to pass authentication details (such as username and password) to this provider during the authentication process. All such processes should be via secure https (TLS) connections and/or the use of secure protocols (backed by security certificates and encryption algorithms, for example) wherever possible. However, when a customer wishes to utilise integration with a third party content provider, the customer should check with the third party that they will protect and safeguard such authentication data at their end. As such, Access-It cannot be responsible for the data protection, privacy and integrity of a third party provider.

Apart from authentication processes as described above, Access-It does not pass on or on-sell any personal information to third parties.

Data Migrations from legacy systems
When new customers request a data migration from their old legacy library system to Accessit Library, internal staff within Access-It process the legacy data into the Accessit data structure. Where possible, the data collection is carried out in the country of origin. In the event that data needs to be moved to the New Zealand head office for additional migration processing, Access-It staff will adhere to the data protection and privacy requirements of the country of origin. In this respect, New Zealand has favoured (white list) status with respect to data leaving the EU, facilitating the free flow of personal data from EU countries to New Zealand for processing.

Whenever data is sent to the Access-It data migration team, this data transfer is carried out via secure services. Once the data migration is completed, Access-It staff will encrypt all data provided during the data migration process. This encrypted data will be retained for a maximum of two years, in case there are any post data migration issues that need further analysis or fine-tuning. After two years of secure storage, old legacy data is purged completely.

Access-It strives to maintain high levels of data security and data protection, and regularly examines its infrastructure and internal processes to ensure its systems are secure. In addition, Access-It trains its staff in best practice with respect to data security and integrity. This is to ensure that only data that is needed is collected in the first place, and that once internal staff have access to data, that such access is controlled and monitored carefully to adhere to Access-It’s data protection policy.






Access-It Policy Updates: Data Protection and Privacy Policy – Summary
This document is published in good faith and deemed to be a true and accurate record of the intentions, workings and policies of the Accessit Library system.

Please contact Access-It Software Ltd for clarifications or omissions.
Access-It Software Ltd reserves the right to correct omissions and make changes to the policies outlined herein. Latest copies of this policy are available on request.

Access-It Software Ltd; Access-It Software (UK) Ltd; Access-It Software International Ltd.
Last revision: 18 June 2018