Is OJS GDPR compliant?

Please also remember that users have the right to request a copy of all information stored about them. (Article 15 section 3.) We must have a simple way to retrieve that information.

I wonder if this also includes the actions they have done inside OJS. I mean is it enough to have easy access to
a) all profile information stored in OJS (this is all visible in the profile page) OR
b) do we also need a simple list that includes things like “User X submitted a new manuscript on 12 February 2018”.

Yes, I think you’re right in that they don’t need to be able to delete the accounts, but rather, as the GDPR states, “pseudonymise” their personal data. I must admit I don’t quite understand what they mean by that. Perhaps scrambling the identifiers such as ORCiD, name, surname, email, etc.? Hash them perhaps?

I think that is fairly easy to do, but as I said above, only in the users table. The author metadata is a different story. I have to discuss this with some people I know at the Finnish National Library (how they see GDPR). Because I really see a parallel between OJS author data and library data.

Does anyone have any thoughts about PKP PN and GDPR compliance? Even though it’s mostly “library data” only (see above), the native XML export (which I think is the same data that the PKP PN plugin takes) includes some personal information about uploads (uploader, file name including user name, etc.).

Disclaimer: Not well-read on GDPR yet …

This is something I have been thinking about for a long time now. Specifically, the situation where a European journal activates PKP PLN and the data is moved to a server situated in the USA or Canada.

The Safe Harbor agreement between the US and EU used to cover this until 2015, but not anymore: Safe harbor (law) - Wikipedia.

See PKP PLN, EU and data privacy for an earlier topic. I have not found an answer for this question yet.

For Canada, see https://gowlingwlg.com/en/insights-resources/articles/2015/is-canada-safe-from-the-safe-harbor-decision

Paging @mjordan here. It’s a good question. We may be able to walk back some of the information that’s included in the export file to satisfy GDPR - OJS 2.x didn’t have that info, and I’m not sure how necessary it is for 3.x.

I’m arranging for an informal working group on this general topic - I’ll be reaching out in this thread with some more information shortly. My hope is to meet and get answers (or at least a good start to answers) next week, and determine what work needs to be done in the next couple of months on our end, or on publishers’ ends.

Cheers,
James

@jmacgreg thanks for confirming that 2.x doesn’t include any personal info. For the OJS3.x PN plugin, we already decided in “Extend native import/export plugin to include additional entities · Issue #3261 · pkp/pkp-lib · GitHub” that we will need to filter some things out of the XML that gets included in the deposits. If that includes information that violates GDPR, we should start the work of filtering out now, before we release the plugin. I’ll link to this thread from the GitHub issue.

Hi to all,
I read the meeting minutes of March 2018 and I see that there is no plan for OJS 2.x. Is there any user working on OJS 2.x on this topic? I think that I can help with it.

I’m hoping all changes (those that apply) will be implemented in version 2. Where did you read they won’t?

In fact, the plan is to do some static fix, not code development. In my link to the wiki, read the Google document ‘Issues and workplan’:

Starting points:
Solutions will likely be a mix of policy, guidelines/best practice recommendations, and code development.
Any code development should be only against OJS/OMP 3 for now
Develop some guidelines and workarounds for older installs (eg. “copy and paste this policy info into a static page and add it to your navigation bar”)

Bye

I missed that one. That would really be a shame since most of the changes are easily applicable to OJS 2, such as the registration checkboxes, privacy statements, cookie notices, etc.

I would really like it if someone from PKP could confirm whether GDPR obligations will be implemented in OJS 2 on time, so that we can know if we should develop our own solutions.

Hi all,

James from PKP here. We’ll be releasing our recommendations, and plans for code changes, in the near future via our blog. I’ll also notify folks here via this thread.

There isn’t going to be very much in the way of actual code changes at this time, and the good news is that OJS 2 is actually a bit better placed than OJS 3 - it already includes the journal’s privacy statement in the required spots (which can be extended to include an explicit consent statement as a workaround to not having a discrete consent policy field). So I suspect that you will have to do very little, if anything at all, code-wise in OJS 2 to comply, and we’ll provide suggested steps for configuration for OJS 2 users.

Given that, we will focus any compliance improvements and additions to the OJS 3 line.

NB: there is also already a cookie policy plugin for OJS 2: GitHub - ictineo/ojs-cookiesAlert: CookiesAlert plugin for OJS

Cheers,
James

Thanks for the quick answer! That’s good to know, especially since (I assume) most folks are still on OJS 2. Also, didn’t know about that plugin, so thank you for that as well. Do you know if there’s an OMP cookie notice plugin as well?

Hi jmvezic,

There isn’t an OMP cookie notice plugin, but I’ll be suggesting to the core dev team here that the OJS 2 cookie plugin, which has to be updated to work with OJS 3, be updated so that it will also work with OMP. (Both OJS 3 and OMP 3 are so close, code-wise, that this should be easy to do.) I can’t guarantee that this will be done by May 25, but I will see what I can do. :)

James

Although, from what I understand about the “cookie notice requirement”, session cookies, login cookies and similar, which are necessary for a site to be functional, are exempt from the rule (meaning, obviously, you can’t opt out of them).

Still, it’s always nice to have the option to display the notice.

In my specific case, though, we have a site which incorporates both OMP and OJS platforms on the same domain (https://morepress.unizd.hr/), and there will probably be a WordPress installation as a main “landing” site, so I’ll probably be making a custom site-wide cookie notice.

Hi @jmvezic, all,

I thought about this a bit more for the OJS 3 context, and tried the new OJS 3 Custom Header plugin to implement a cookie policy. It works - see Open Journal Systems Demonstration Journal. This cookie policy was derived from the following site/javascript: https://cookieconsent.insites.com/download/#. It comes with its own problem, namely the usage of the Cloudflare CDN, but this could be resolved using another similar cookie policy code snippet. Just a quick proof of concept; I’ll include some additional instructions for OJS/OMP 3 in the Guide once I have a better solution.

Cheers,
James

Thank you for the suggestion! It works very well!
http://journal.seriousgamessociety.org/
Also looking forward to additional instructions!

Hi all,

A few new notes after a PKP Technical Committee meeting yesterday.

  1. We have identified a few items from the Project that we will develop for OJS 3.1.1-1. This point release should come out in a few weeks, before the May 25 deadline. The best way to get ready would be to upgrade to 3.1.1 now-ish, so that the update to 3.1.1-1 will be easy.

  2. The most important items will be included in OJS 3.1.1-1, namely: a configurable consent statement, available on registration and author submission pages; the addition of the privacy statement to the registration page; and the return of opt-in for author/reader roles in registration.

  3. We have decided against back-porting any code to the OJS 2 line. Reasonable workarounds already exist for this line.

  4. We also discussed the cookie policy issue briefly (and informed by Antti-Jussi’s comments on this topic) and concluded that a simple acknowledgement statement is not sufficient for cookies. Cookies should not be created until explicit consent has been given. I have filed this here: Add cookie consent option · Issue #3624 · pkp/pkp-lib · GitHub. We may not be able to get this done for May 25, in which case the above-described solution will have to suffice.

Cheers,
James

Hi all,

Thank you for your efforts regarding the GDPR. It just popped into my mind: are you going to take care of OMP as well?

Best regards, Primož