True anonymisation of user purge with "Keep statistics" option
When purging users, the option recommended to retain anonymised statistics is the "Keep statistics" option. However, this option "anonymises" the statistics by moving the Primary ID into the Last Name field.
For us, and many other libraries, the Primary ID is a unique personal identifier associated with the student - it's even more identifiable than their name! So this does absolutely nothing to anonymise the statistics or to increase compliance with our Privacy Act.
We'd expect instead of using the Primary ID in this way, some random hex code should be generated (or at least use the Alma internal user id) and all actual identifiers (including primary id, barcode, etc) should be removed.
Libraries who've previously purged users with this option should be able to retroactively anonymise data associated with purged users per the new standard.
A Keep Statistics and Remove Primary ID (Recommended) option is now available on the Delete User Policy page. The new option is selected by default for new customers.
When selecting the new option and purging a user record, the last name column is populated with an internal unique Alma ID instead of the Primary ID.
Additionally, if you select Keep Statistics and Remove Primary ID (Recommended) when the prior selection was Keep fully reportable or Keep statistics, a confirmation message is displayed to indicate that user records that were previously purged using the previously selected option will also be updated, and you are asked to confirm the choice. When you confirm, a new job updates the previously purged user records.
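The difference between the two purge options, and the retroactive update job, sketched as an added example (not Ex Libris code and not part of the original post or response). The record layout, field names and `purge_mode` marker are assumptions, and the replacement value is the random hex token the idea asks for rather than Alma's internal ID.

```python
import secrets

# Hypothetical record layout; these field names are assumptions, not Alma's schema.
IDENTIFIERS = ("primary_id", "barcode", "first_name", "email")

# Constructed sample record, not real data.
SAMPLE = {"primary_id": "s4401234", "barcode": "29001000123456",
          "first_name": "Alex", "last_name": "Example", "email": "alex@example.edu"}

def purge_keep_statistics(user):
    """Option the post objects to: the Primary ID survives in last_name."""
    purged = dict.fromkeys(IDENTIFIERS)
    purged.update(last_name=user["primary_id"], purge_mode="keep_statistics")
    return purged

def purge_remove_primary_id(user):
    """Requested option: last_name holds a random token, every identifier is cleared."""
    purged = dict.fromkeys(IDENTIFIERS)
    # Random, not a hash of the Primary ID: student IDs are enumerable, so an
    # unkeyed hash could be reversed by hashing every candidate ID.
    purged.update(last_name=secrets.token_hex(16), purge_mode="remove_primary_id")
    return purged

def retroactive_job(records):
    """Re-anonymise records purged earlier with the old option; returns count updated."""
    updated = 0
    for rec in records:
        if rec.get("purge_mode") == "keep_statistics":
            rec.update(purge_remove_primary_id(rec))
            updated += 1
    return updated

def leaked_identifiers(original, purged):
    """Names of purged fields that still hold one of the original identifying values."""
    known = {original[f] for f in IDENTIFIERS + ("last_name",) if original.get(f)}
    return sorted(f for f, v in purged.items() if v in known)

def distinct_purged_users(records):
    """Count purged users by last_name, since primary_id is null after either purge."""
    return len({r["last_name"] for r in records if r.get("purge_mode")})
```

Running `leaked_identifiers` over a sample of purged records after the job completes is a quick audit that no original identifier remains in any retained field.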
-
We are targeting a deployment before the end of the year, subject to other priorities and constraints that may affect development plans.
-
Masud commented
Hi Moshe,
When will this be implemented?
Thanks,
Masud
-
Stacey van Groll commented
I was a little confused as to what specific data changes would occur in Analytics with the new policy 'Keep Statistics (Primary ID)', so queried in Salesforce.
If anyone else was similarly confused, a rewording was provided as follows:
"Once this new development is released there will be two options to choose from if you wish to anonymize deleted users but keep statistics;
1. Last Name field will contain the value that used to be the user's primary ID
or
2. Last Name field will contain the user's internal ID
All other fields (including Primary ID field) will be cleared."
Unfortunately this does still result in a Primary Identifier field which is empty (null), so that any existing reports we have using this data for counts or filtering no longer work as expected.
Cheers, Stacey van Groll, University of Queensland
-
Deborah Fitchett commented
Fantastic, thanks so much for the quick response/plan!
-
François Renaville commented
Thank you, Moshe!
-
Esther Arens commented
Great news, Moshe. Thank you very much!
-
Skalk van der Merwe commented
This sounds like a great idea, thanks for suggesting.
-
Chris Jones commented
Completely agree and support this idea - it doesn't really meet GDPR just to move what might be the main identifier in the way it is currently being done.