Privacy and Library Systems Before & After 9/11
Karen Coyle
Outline of talk given March 27, 2002 at the Public Library Directors' Forum
USA Patriot Act
- FBI access to "business records" for fight against terrorism
- State laws already allow access to library records with a proper court order or warrant
Disclosure Section of Patriot Act
"(d) No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section."
However, libraries can ask for permission to consult legal counsel (according to ALA). Permission may or may not be granted. Warrants cannot be stalled.
ALA Response to USA Patriot Act
Resolution, January 23, 2002
"Encourages libraries and their staff to protect the privacy and confidentiality of the people's lawful use of the library, its equipment, and its resources (Policy 52.4, Policy on Confidentiality of Library Records:)…"
Why we Need a Library Privacy Assessment Today
- Many policies date from 1970's or 80's
- State laws pre-date use of computers in libraries
- Many new library services that store patron information
- ALA/LITA Task Force in 2000 assessed computer systems and privacy
Library Practices & Privacy - Conflicts
- Providing customized services to our users.
- Tracking statistics and management information to assess and improve our service.
- Monitoring system use to detect intrusions and abuse.
- Identifying those who have used systems for illegal or harmful purposes.
- Running systems in an efficient and cost-effective manner.
Steps in Updating your Library Privacy Policy
- Review legal & policy context
- Review current policies
- Conduct assessment of library systems data (privacy audit)
- Determine & implement desired practices
- Designate privacy officer
- Educate staff
- Inform users through library privacy policy
California Law
Exception to the Public Records Act
Information Practices Act of 1977
"… In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits."
Policy
- ALA Policy on Confidentiality (ALA Code of Ethics 54.15 pt. 3)
- Your institution's policy
- Your library's general policy on privacy
Why Do We Need a Library Systems Audit?
- More data recorded about our users than ever before
- Systems may not be secured
- Privacy practices may not have been put into place
Circulation & Borrower Records
Records
- Circulation Records
- Patron registration
- Circulation transaction logs
- Overdue and billing records
Privacy Actions
- Restrict access to records and logs that reveal what was borrowed by a patron, to library staff who have a legitimate need to see the records.
- Delete patron registration records after expiration of borrower
privileges.
Server Logging
Records
- Web server logs
- Library system transaction logs
Privacy Actions
- Restrict access to server logs to library staff who have a legitimate need to consult.
- Set limits on length of time stored
- Create aggregate statistics to replace individual transactions
Personalization
Records
- User log-ins
- E-mail features
- Saved sets
- SDI-like functions
- Document delivery
- MyLibrary
Privacy Actions
- Notify users whenever personally identifiable information will be stored on the system.
- Remove data from dormant accounts
- Pay attention to system security
Remote Systems
- Vendor databases
- ILL partners
- Advise users of limits to library privacy protection when using remote sites.
- Negotiate for proper and secure logging practices and procedures in contracts
Define System Rules
- What data will be retained
- How user data that is stored on the system protected from unauthorized use
- Who has access to the data
- How long is the data retained
Designate Library Privacy Officer
- Keep up-to-date on privacy issues
- Oversee & coordinate library practices
Educate staff
- Coordinate public education
- Handle privacy incidents
Educate the Public
- Make library privacy policy available at multiple contact points (web site, circulation desk, etc.)
- Consider library role in public "privacy literacy"
Importance of Library Staff Education
- Library policies are only good if correctly implemented
- Staff are the front line in protecting library users
Summary
- Know what information your systems are collecting that match identity with information seeking behavior.
- Keep the minimum information necessary to meet your legitimate goals, and don't collect information "just in case."
- Keep the information only as long as you must.
- Restrict access to the information closely and reveal it only with appropriate authority.
- Tell your users what information you are keeping and why, and how to ask you for more clarification.
Some Links
©Karen Coyle, 2002
This work is licensed under a Creative Commons License.