Protecting Patron Privacy: A Data Perspective

Remember earlier this summer when your email inbox and the headers of your favorite websites were chock full of notices about "Updated Privacy Policies?"  You may also remember that this flurry of privacy policy updates was due to a new European Union law going into effect that controlled how companies could collect data about European citizens.  Since many Internet services are global by nature, some Americans also benefit from these new data policies, although American companies serving American citizens obviously don't need to abide by the EU regulations.

Just to reiterate -- US libraries are not subject to that EU law, known as the General Data Protection Regulation ("GDPR").  If you want to learn more about the law, check out this excellent GDPR explainer article by Erin Berman at the San Jose (CA, US) Public Library.  

Looking for more information about the principles involved in data protection from a US library perspective?  The National Information Standards Organization ("NISO") published a set of principles and definitions for libraries considering patron data privacy.  [Note: my Galecia colleague, Lori Ayre, was a member of the Core Working Group that produced this standards document.]  The twelve listed principles include several that involve the technology that we support in public libraries, such as data collection, anonymization, and security.

Unfortunately, too many libraries haven't thought about privacy policies beyond the simple privacy policy you may have stuck somewhere in your website footer, often a boilerplate mandate from their parent government entity or some "legalese" copied and pasted from another site.  Some libraries may have written privacy policies for various topics, such as borrowing activity, or computer usage.  

As the developer of the open source "BookPoints" summer reading software, we provide our libraries the ability to add custom privacy policies and legal terms and conditions to the online applications that we build for their patrons.  It's been clear after working with dozens of libraries that many librarians aren't familiar with these issues -- so we're careful to let them know about data retention and purging policies, and to collect the minimum amount of data possible.  (And of course we also follow technical best practices to meet our own data security standards!)

These issues become even more complicated as libraries have added more data services for our patrons, and as data moves up to the cloud.  Our data retention and management techniques and policies have changed drastically over the years -- obviously having a single circulation system on a local network has much different data privacy implications than a fully integrated library system hosted by an off-site provider or regional consortium. 

If your library does have a patron privacy policy -- how often is it reviewed?  Does it only mention the ILS and circulation/borrowing data?  Or has it been expanded recently to include the many other services you provide patrons, such as e-book/audio book services, cloud printing, online databases, or audio and video streaming services?  Have you reviewed their privacy policies and integrated their policies with yours?  It's too easy to just "click through" the user agreement of a new service without fully considering what data they record about your borrowers and the materials they consume.  Even seemingly-small issues like "referrer leaking," where a web user's browsing history is recorded by another third-party site, can be a serious privacy impact when patrons are researching critical issues such as health and legal topics.

National library leaders are working on these issues and related topics.  IMLS recently funded a UWisc-led, ALA-assisted project to convene "library practitioners, privacy advocates, and technology experts to discuss and debate a national roadmap for a digital privacy strategy for libraries."  This community and the eventual roadmap will hopefully provide resources to help libraries strengthen their digital privacy policies -- but the time to start studying and working on these issues is now!

Looking for more resources?  Check out:

• ALA's webinar: "A Practical Guide to Privacy Audits" is an archived webinar presented in spring 2018 about the privacy audit process
• ALA provides the "Choose Privacy Everyday" website with programming ideas and weekly news updates about library privacy-related issues