Privacy Policies - PowerPoint PPT Presentation

1
Privacy Policies Your Library Perfect
Together?
  • Luis Rodriguez
  • Montclair State University
  • VALE Users Conference 2005

2
Privacy policies can deal with more than library
records
  • Policies for appropriate use of computers in
    library
  • Ensuring privacy of use of library computers and
    other equipment (privacy screens, cookie
    management and other strategies)
  • Working with IT and other campus units
  • Protecting PII from hacking
  • Working with database vendors

3
Privacy and Confidentiality
  • Privacy Confidentiality
  • Privacy: right to use library resources and
    services without examination or scrutiny by
    others
  • Confidentiality: when a library keeps personally
    identifiable information (PII) about users
    private on their behalf
  • Privacy: An Interpretation of the Library Bill
    of Rights

4
PII can be found in more than circulation records
  • Database search records
  • Interlibrary loan records
  • Reserve and e-reserve use records
  • Reference interviews
  • Computer sign-up sheets
  • Log files in ILS, proxy servers, etc.
  • Back-up tapes
  • Database vendor records
  • Electronic and digital records generated while
    using library computers
  • RFID
  • Library assessment and survey instruments
  • Ask a librarian email
  • Personalized web pages (My Library web site
    concept)

5
Professional Codes Ethics
  • ALA Code of Ethics
  • Article III: We protect each library user's right
    to privacy and confidentiality with respect to
    information sought or received and resources
    consulted, borrowed, acquired or transmitted.
  • Database search records, reference interviews,
    circulation records, interlibrary loan records,
    and other personally identifiable uses of library
    materials, facilities, or services.
  • Library Bill of Rights
  • Privacy: An Interpretation of the Library Bill of
    Rights

6
Federal Legislation
  • US Supreme Court has established a broad but not
    unlimited interpretation of the right of privacy
  • Lack of a unifying federal law on privacy
  • FERPA

7
State Legislation
  • NJ State Law on Confidentiality of library
    records (18A:73-43.1-2)
  • Assembly Bill 545 (referred to the Assembly
    Education Committee)
  • This bill provides a parent or legal guardian
    with access to the library record of the parent's
    or legal guardian's minor child, defined in the
    bill as a person 16 years of age or less, upon
    presentation by a parent or legal guardian of a
    valid form of identification which identifies the
    person as the parent or legal guardian of the
    minor child.

8
ALA Privacy Tool Kit
  • Table of Contents
  • Introduction
  • Privacy Policy
  • Guidelines for Developing a Library Privacy
    Policy
  • Privacy Procedures
  • http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/Default4517.htm

9
Parameters of a privacy policy
  • Notice and Openness
  • Choice and Consent
  • Access by Users
  • Data Integrity and Security
  • Enforcement and Redress

10
Notice and Openness
  • Provide notice to users of their rights to
    privacy and confidentiality and of the policies
    of the library on these issues
  • Types of information gathered and purposes for
    and limitations to its use

11
Choice and Consent
  • Give users options as to how PII collected from
    them may be used
  • Opt-in vs. opt-out options

12
Access by users
  • Give users the right to access their own PII and
    mention this in your privacy policy

13
Data Integrity and Security
  • Ensure the integrity of data where PII is
    available
  • Regularly purge PII no longer needed
  • Shared data: policies and practices to assure
    that data shared with other units is protected
    and reliable
  • Security: technical and administrative measures
    to protect against loss and the unauthorized
    access, destruction, use, or disclosure of the
    data.

14
Data Integrity and Security (continued)
  • Administrative measures to limit access to data
    and to make sure those with access do not misuse
    the data
  • Electronic Tracking
  • Internally: avoid collecting PII with logging or
    tracking.
  • Externally: let users know about limits to
    privacy when using remote sites

15
Data Integrity and Security (continued)
  • Data retention: purge or shred PII that is no
    longer needed (including back-up tapes, videos
    from security cameras)
  • Encryption: negotiate with vendors to include
    encryption tools for certain functions. Make
    these tools available to users who would need
    them for special functions.

16
Enforcement and Redress
  • Develop a mechanism to enforce privacy policies
  • Conduct privacy audits
  • Provide redress to patrons and procedures for
    investigating complaints
  • Develop educational materials to alert users to
    privacy issues while using the library and in general

17
ALA Privacy Principles
  • Avoid creating unnecessary records. Only record
    a user's personally identifiable information when
    necessary for the efficient, effective operation
    of the library.
  • Avoid retaining records that are not needed for
    efficient operation of the library. Check with
    your local governing body to learn if there are
    laws or policies addressing record retention and
    in conformity with these laws or policies,
    develop policies on the length of time necessary
    to retain a record. Assure that all kinds and
    types of records are covered by the policy,
    including data-related logs, digital records, and
    system backups.
  • Restrict access to personally identifiable
    information closely and reveal it only with
    appropriate authority.
  • Tell your users what information you are keeping
    and why, and how to ask you for more
    clarification.
  • Be aware of library practices and procedures that
    place information on public view, e.g., the use
    of postcards for overdue notices or requested
    materials, staff terminals placed so that the
    screens can be read by the public, sign-in sheets
    to use computers or other devices, and the
    provision of titles of reserve requests or
    interlibrary loans provided over the telephone to
    users' family members or answering machines.

18
Fair Information Principles (from the Privacy Act
of 1974)
  • There should be no records whose very existence
    is private
  • An individual must be able to discover what
    information is contained in his or her record and
    how it is used
  • An individual must be able to prevent information
    collected for one purpose from being used for
    another purpose without consent
  • An individual must be able to correct or amend
    erroneous information; and
  • Any organization creating, maintaining, using or
    disseminating records of identifiable personal
    data must assure the reliability of that data for
    its intended purpose and must take precautions to
    prevent misuse.
  • K.A. Coombs, Walking a Tightrope: Academic
    Libraries and Privacy, J. of Academic
    Librarianship, 30 (6): 493-498.

19
OECD Privacy Principles
  • Openness 
  • Purpose specification 
  • Collection limitation 
  • Use limitation 
  • Individual participation 
  • Quality
  • Security safeguards 
  • Accountability
  • A Checklist of Responsible Information-Handling
    Practices
  • Privacy Rights Clearinghouse
  • http://www.privacyrights.org/fs/fs12-ih2.htm#IB

20
Conducting a privacy audit
  • Useful sites
  • SOPAG Privacy Audit and Guidelines
  • http://www.cdlib.org/libstaff/privacytf/privacy_audit.html
  • Privacy Audit Checklist
  • http://cyber.law.harvard.edu/clinical/privacyaudit.html

21
USA PATRIOT Act
  • ALA resources on the Act
  • http://www.ala.org/ala/pio/mediarelations/patriotactmedia.htm
  • Guidelines to assist libraries with requests for
    confidential library records (NJLA)
  • http://www.njla.org/statements/confoflib.html

22
Educating staff and users
  • What have you done to handle this?

23
Sample library privacy policies
  • Privacy Tool Kit links
  • http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/guidelinesfordevelopingalibraryprivacypolicy/guidelinesprivacypolicy.htm#samplepolicies
  • Indiana University Purdue University
  • http://www.lib.ipfw.edu/1158.0.html
  • John Carroll University
  • http://www.jcu.edu/library/statpol/jcuprivacypolicy.htm
  • Syracuse University
  • http://libwww.syr.edu/policies/privacy.html
  • University of Michigan
  • http://www.lib.umich.edu/policies/privacy.html

24
Checklist of Questions About Privacy and
Confidentiality
  • See handout for list of questions to ask about
    how your library deals with privacy and
    confidentiality
  • From the Privacy Tool Kit
  • http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/guidelinesfordevelopingalibraryprivacypolicy/guidelinesprivacypolicy.htm#checklist