By Karen Coyle
Preprint. Published as:Make Sure You Are Privacy Literate, in: Library Journal, v. 127, n. 16, October 1, 2002. pp. 55-57.
"Encourages libraries and their staff to protect the privacy and confidentiality of the people's lawful use of the library, its equipment, and its resources (Policy 52.4, Policy on Confidentiality of Library Records:)..." ALA Resolution, January 23, 2002
Recent newspaper articles on the effect of the USA Patriot Act on libraries have presented the Act as the end of privacy for library users. It is more accurate to see the Patriot Act as an extraordinary exception to the laws and policies, still in force, that protect patron privacy. The state laws that confer privacy rights on library users continue to be the primary mandate for a library's treatment of information about its patrons for all information requests except those made under the Patriot Act. And we can hope that most of us will never face the prospect of responding to a Patriot Act exception to this rule.
However, with our renewed awareness of the threat to patron privacy this is an opportunity to take stock of privacy policies and procedures and to examine how effective each library is in this respect. In particular this is a good time to ask if our policies and procedures are up to date with current library technology. Because library records are now almost exclusively in machine-readable form, the data in these system could be used to violate the privacy of patrons, not only to learn of their reading habits but obtain personal information like addresses and phone numbers. Librarians have become, somewhat unconsciously, the caretakers of a significant data bank of personal information about our users. This responsibility can come into conflict with our desire to provide better service through personalization, which can put our users more at risk of privacy violations. Our systems, like all computer systems, are susceptible to intrusion and to misuse. All librarians need to guard against these threats through system security and data practices.
The questions are: do we know what data is gathered and stored by all of our library systems (web sites, OPACs, licensed services)? How long it is stored? Do we remove data that is no longer needed? The best way to find out is to perform a privacy audit. While we cannot promise or provide absolute privacy for our users, we must ensure that we take privacy into account in all areas of the library where information about individuals is gathered and stored. The following will lead you through a library privacy audit and will suggest what other measures you might want to take to protect user privacy.
A review of the legal and policy context begins with a look at your state law related to library records. You may find that this law was written before the use of computers in libraries, as many of them were. Until these laws are revised or re-interpreted by the courts, the determination of what we mean by user privacy in these modern times is somewhat up to us.
Most libraries are part of a larger institution or jurisdiction, such as a college or a city or county. That larger body undoubtedly has policies on record keeping and records management. Look in particular to policies on electronic records. Records management policies will not only inform you about records you must retain but they also often contain statements on privacy practices.
An actual systems audit is a lengthy process and probably shouldn't be attempted as a single task. Instead, divide it into logical and reasonable portions and schedule these over a period of 12 or 18 months. The audit should cover these areas of your library and its systems:
For each of these areas of your library system the audit should cover the following:
The most obvious files that carry personal information on users are the patron database and circulation files. If you do have privacy procedures in place they are probably focused on these files. Less obvious data files are in the logs produced by your web server and your library system's transaction logging. It is very common for computer systems to log transactions, and each system varies in how easy it is to extract information about and identify individuals. However, clearing these files on a regular basis (after the extraction of needed statistics) is advised. It also saves disk space. Once again, resist the temptation to keep raw data on hand "because you never know." You also never know when it could be used by the wrong people for the wrong reason.
Although many of our newer offerings make use of personalization to provide a wealth of desirable services, personalization also often means linking an individual to an activity. Privacy risks exist any place where patrons log in, give an email address, or participate in requesting documents or ILL deliveries. Computer systems can mitigate these risks through functions like encryption of stored data, but these features are often not available on current library systems. If we cannot be sure that we have protected the data itself, then we must at least inform users that there is some risk involved when they use these services This is another area where regular removal of "dead" accounts matters.
Records of patron use of library systems can also be of the low-tech variety, such as the informal paper sign-up sheets that many libraries employ for their Internet access stations. These potentially can be used to correlate a particular person to activity at that station at a given time and therefore must be given the same consideration as other logs of activity. And at the user end of a transaction is the public access workstation which caches user activity in a variety of ways. Fortunately there are tools available that make clearing this data automatic. The Web4Lib Reference Center lists a number of them.
Most libraries have a myriad of partnerships with vendors of databases, consortium members, and ILL partners. The privacy planning must include these partners to the extent possible. Contracts with outside vendors can specify that no data can be gathered relating to individual users. (The Privacy Guidelines For Electronic Resources Vendors provides some good wording for library contracts.) Even with this restriction the library and the vendor can take advantage of aggregate data to track overall usage and trends.
The library staff makes privacy policies a reality. All members of your staff must be fully up to date on policies and procedures and be able to explain these to the public. Librarians should take pride in the profession's role in free speech through the commitment to the freedom to read, and staff should be willing and able to discuss these basic ethics.
In today's world, everyone needs to know about the privacy implications of everyday activities like using a grocery store discount card or visiting the doctor. Libraries are the focal point for modern literacy needs, from reading to computer use, and the library could play a key role in promoting "privacy literacy" by making information on privacy issues available. There are some excellent resources such as the Fact Sheets (in English and Spanish) from the Privacy Rights Clearinghouse.