CC.1: Week 3, privacy policies

  • How does your library’s policy (or the policy you chose) measure up to the best practices we discussed? (note: you don’t have to identify the library in the discussion)
  • What challenges might you face trying to update your library’s policy to meet best practices? Implementation? Enforcement? Making the policy a priority at all?
  • What experiences have you had interacting with library privacy policies (or lack thereof)?
  • Share example library privacy policies and what you found noteworthy about them (good and bad)

The local public library’s website refers users to the city’s website privacy policy, which includes this slippery language over the sale of data:


(source)

…so it seems like the city’s privacy policy just seems to meet the bare minimum for legal compliance in the state of California, which is fine? It would be nice to have the library’s “privacy policy” available to the public.

(the actual NISO doc from the Ayre article is outdated so I’ll just post the link here for reference)

A slight sidebar from libraries’ privacy policies, but I have recently been closing a lot of old accounts I no longer use (thanks to my password manager for helping me keep track of them all… there are so many…). The range in how easy or difficult this is to do is absolutely fascinating.

For some of the ones I couldn’t delete myself, especially if they have lots of my personal info, I’ve been reading privacy policies galore to figure out how to delete my data. I find it really interesting that they often have clauses explicitly saying I can delete my data at any time by emailing privacy@[whatever]… but then when I email about 50% of the time that email bounces back as undeliverable (I HATE THIS SO MUCH) or they never respond (at least, in the month since I’ve emailed them).

Also, quite a few of these are for those horrible websites that you have to use to apply to certain jobs instead of just sending them a letter and resume (often public and academic library jobs have these portals at big enough cities/institutions). So they don’t just have my email, they have quite a lot of personal info with no way to delete it. GRRRRRRRR.

— added after posting
Actually as I think about this, it relates to a general gripe I have, which is libraries treating patrons by one (often higher) standard (at least on paper) and staff by another… In this case, I know some of these libraries/universities I previously applied for jobs at have very strict policies for patron privacy, removal of information, etc, but when it comes to job applicants, not so much! This also seems to come up around intellectual freedom – we’re all for it for the patrons, but should staff dare speak their minds fully on something like BDS…

3 Likes

I think my library’s privacy policy stands up pretty well. I was happy to see no wishy-washy “administrative need” language in the section about giving records to LE – very clearly says no unless under a court order, warrant, or subpoena. It could stand to be more specific. The section about “Customer Research Data” is very vague, and the “Third Parties” just passes the buck back to the patron without help or clarity over what they might find. It could use more specific timelines about what info is kept for how long. Other policies are linked, such as Computer/Internet Use and Youth Use, but none provide more specific details beyond what we wipe on our public computers.

I think the challenges would be the bureaucracy of getting the policy changed, and then communicating what that means to staff. Namely, I think outside of the usual policy review cycle, it wouldn’t get done for lack of time and priority, and I think I just missed that window. Plus, it would be a lot of work specifically for IT. We’re the ones that would need to decide (in conjunction with leadership) the timelines for how long to keep info, what the needs are for them, where logs and backups are stored and for how long. That’s a lot of meetings. So like Alison said, time. It will take a lot of time, and like what Topher said happened at his library, that comes with the potential to lose enthusiasm, buy-in, and the staff dedicated to making it happen. I’m lucky in that it would all be internal – we’re not beholden to a larger university or city/county authority.

Mostly, the interactions I’ve had with the policy have been in application of it. Our ILS’s API, for example, doesn’t limit what calls can be made. Any vendors with access could literally call up any info we keep in our ILS about a patron. Our manager who deals with these vendors had no idea. On the other end, my boss wanted to retain certain IP info until I pointed out we had no specific reason to keep it and it was a privacy risk. So a lot of things could have slipped by a less privacy-aware IT department.

I would love others’ opinions on our Privacy and related policies. All our policies are on our website: https://www.nols.org/policies/ The Privacy and Confidentiality is under Library Operations.

1 Like

Yes, I think that’s a really good point about double standards re: staff vs. patrons. Intellectual freedom, privacy, and even accessibility to a great extent are often (at least aspirationally) important for patrons, but the jobs are often these precarious, part time or on call, no benefits, low wages sorts of situations where staff regularly encounter harassment or censorship or any number of things. The idea that the library staff are in a position where they can make all these “sacrifices” to serve the public certainly doesn’t help set you up to have a library staff that mirrors your community… [I don’t want to overstate the extent to which libraries are accessible to patrons, there is still a loooong way to go there, but I think there is this idea that library staff are supposed to be able to “sacrifice” a variety of things in order to make things better/more accessible/etc for patrons in a way that might prevent said patrons from ever being able to cross that divide and actually work for the library…]

1 Like

The library at the university where I work has an easy-to-find policy that does indeed mention Google Analytics: McGill Library Privacy Statement | McGill Library - McGill University
However, I haven’t interacted with it much (I don’t work in the library)

The conversation does make me think about related administrative policies that I’ve worked with more closely, particularly in terms of enforcement/accountability. There’s a LOT of non-malicious non-compliance that mostly doesn’t seem to harm anybody but leaves a lot of holes/exposed information that is a bit of a liability.

Pre-pandemic we had paper time sheets which by default request your SIN (Social Insurance Number, Canadian equivalent of SSN)!! this is not something you should be writing on a piece of paper to leave on my desk every two weeks!!! (All my trainings I told them not to fill it out, and the stack of blank ones I prepped had the field crossed out…)

Now we use Workday which is arguably more secure (2FA! have to sign on to McGill VPN!) but also full of all sorts of problems since the start that have meant people have gone unpaid, were hired late, didn’t get time off they were entitled to over and over again – which is also a threat to their wellbeing if not a privacy concern!!

More directly in terms of policy, we have a Cloud Data Directive, which is what I run into the most often as it covers PII and email and cloud services and I regularly deal with e.g. contracts and other files with sensitive info. This is the document: https://www.mcgill.ca/it/files/it/cloud_data_directive.pdf

However, other than this being periodically included in reminders to staff, actual enforcement or training has been extreeeemely limited. (We are supposed to use Outlook but also need gmail for some things our lab uses and for awhile I was forwarding to gmail for most of my email until my boss mentioned that would be a problem… but that’s it.) Theoretically IT service can “Verify compliance” from time to time but compared to the number of times we’ve been audited by research grant compliance (a few, in ~six years) it’s not a lot (specifically, zero times…)

The other thing that is tricky is that of course even when you comply religiously with this directive, the safe enterprise cloud solution is microsoft which does allllll kinds of analytics with everything, a lot of which you can’t turn off as an individual. So it’s hard to get super enthusiastic about it. ("Don’t store your files on that cloud service! it’s not safe! come store them here so microsoft can aggregate data about worker productivity to create the normative patterns by which we will all be surveilled, hired, and fired in the future!")
ahem.

1 Like

We do an anti-doxxing/remove yourself from data brokers training in LFP and this comes up a lot. It’s a form of a dark pattern; making it nearly impossible to delete the service, so you just end up staying on it.

I think it relates to some of the thinking about privacy in libraries…library workers see companies behaving in these horrible and violating ways, and they think “well why should we bother to protect patron privacy when every other service they use doesn’t care at all”. A lot of the convincing we do as privacy advocates needs to happen to people who are stuck in this resigned way of thinking.

That is pretty specific! Or at least, much better than the average.

Sadly very typical.

All good points. So maybe in your situation, updating the privacy policy doesn’t need to be the #1 priority. It’s at least in a fairly solid place, and maybe there are other, smaller ways of focusing on privacy at your library, and those could generate enthusiasm and buy-in. Then, the privacy policy update could be a later step.

Ugh, these settings defaults in our ILS are the worst. So many things just left completely wide open, and you don’t become aware of it until you go and look.

That’s encouraging! Although I would personally change the language a little to make it clear that while the library can only view it in an anonymized form, it is not anonymous to Google.

Non-malicious non-compliance is suuuuuuch a thing.

I checked out my library’s policy and I liked many things about it- it uses clear language to explain things, like third party vendors having their own privacy policies, and the different types of information collected. The policy was also recently updated and links to ALA’s Code of Ethics as guiding the privacy statement. Some best practices are missing, such as what happens if there is a data breach, but other than that, it’s pretty comprehensive.

Until seeking it out for this class, I have had no interaction with the policy, which seems absurd. It should be part of the onboarding process for staff and student employees. We also have other mandatory online trainings with quizzes, which would familiarize people with the policy, but this is at a university level and these are not specific to the library. At the very least the policy should be reviewed regularly. A challenge I see is who would be “in charge” of updating or improving the policy, since all departments are involved… Something noteworthy is that a COVID-19 contact tracing was added to our policy to inform users that we don’t keep data on people entering the library, so will not be involved with any contact tracing.

2 Likes

I’d be interested to know what that process was like!

Actually, I wonder if this is the reason why it was updated.

1 Like

I mentioned this in class, but one of the issues that I’ve encountered with our privacy policy is that it defers to larger university policies that can be unclear and overly long. This practice of deferring to the university is also something that is used as an excuse to not enact better protections of our patron privacy by library administration who say their hands are tied as this is university policy not library policy. I imagine this also happens with public libraries where their policies might be tied to the city or town.

COVID-19 has only intensified this as a lot of policies that track patrons are coming from the university. While our mask restrictions have changed due to CDC recommendations, the previous protocol was if a patron was refusing to wear a mask either fill out a form that essentially does nothing or call the police. Definitely, 0 to 100. However, the lack of agency given to library staff means that they have been much more likely to take the extreme action. Much of our contact tracing data is surveillance data (such as card swipes, cameras, etc.) that is owned by campus police. The framing of these policies as “health and safety” policies implies that police and surveillance are necessary to the health and safety of our community, which has made it even more difficult to advocate for a less carceral approach.

Another way this shows up is how some vendors will have blanket privacy policies for all their products and customers, and those policies are not at all specific to their library customers. I just ran into this the other day because Cengage asked for a meeting with LFP to talk about their score on our vendor scorecard. We pointed out all the flaws in their policy, and they were like, oh well our library products don’t do those things. But they didn’t seem that motivated to create a policy specific to libraries. We were like…are we just supposed to take you at your word? Because…no.

So important to point out this harmful framing. Few will question the “health and safety” logic, especially in a pandemic! And so many new covid-era practices have popped up in the name of “health and safety”, and will likely remain in place after the pandemic.

When we get to our talking points week (which I think is next week), we’ll talk about reframing ideas about security and safety to challenge these conventional notions (which are really about increased policing and increased surveillance). One of the best ways we can fight for privacy is by challenging accepted ideas about what makes us safe, what is security, etc.

Howdy, all,

I’ve been reflecting on this topic since the discussion in class–my biggest conclusion is just how many feelings I still have, even though the mess was over and done with in mid-2019…

Ok, so, the tl;dr version is that after about six months of working on a draft privacy policy, the whole thing crashed and burned. Without “champions” for privacy, we’re back in exactly the patterns we always had, and Covid kinda made everything worse.

The longer version: in late 2018-ish, several efforts came under one umbrella for “privacy efforts” to (hopefully) conclude with a library privacy policy. The team was one Library IT librarian, one assessment librarian (me), and the two department heads (LIT and LibAssess). One of the efforts captured in that umbrella was a data audit started by the LIT librarian. Our first step was to expand that quite a bit, to see what data the library was capturing, how they handled it, and when it was deleted, if at all.

One of the interesting findings from that process was how much focus was given to “borrowing records” (DC law, (toothless) university policy, and training on the part of our Access team) in comparison to, say, wifi use data, authentication/IP tracking, and similar. We also weren’t as good with deleting old data as we should have been.

Happy to talk more about our process if folks are interested, but the pair of us, with some help from our department heads, spoke with every department in the library, either the person in charge, or the person who knew the most about the data used in that specific workflow. Besides a standardized set of prompts, we also did a lot of relationship building, and a lot of reminding librarians that even if they wanted to keep all the data they could find they had an ethical obligation to protect or delete it. It mostly worked, though we got some pushback of the “but what if I need that someday?” type.

Finally, we worked with various templates and examples to write a draft privacy policy–it wasn’t perfect, but was better than nothing. We had the library on board, and met with one of the campus higher-ups to see what the next steps would be. We had basically done it right for “phase one”–but getting a policy approved on campus is a 3 year process even after everybody agrees, we were informed.

Crestfallen, we pivoted our policy to be a “vision statement” (totally toothless, but at least it was good as a fire conversation starter). Less than six weeks later, both LIT folks had left for other jobs, and the head of library assessment determined that her priorities lay elsewhere. We haven’t picked up the process again.

Of course, with Covid, our campus threw in with digital proctoring services and lots of other surveillance-type tech, and that’s something that’s much harder for us to push back against. For me, the whole thing has been a lesson in politics, and while I certainly try to be diplomatic, I have opinions about where our leadership’s priorities lie.

So ashamed to say my organization doesn’t have a privacy policy. I ended up requesting my partner libraries’ policies to have something to review. I have made developing a privacy policy a goal to pursue next fiscal year which will formally make it part of my evaluation.

The biggest challenge for me will be starting from scratch. This course is right on time and I’ll be taking note of good examples to build off of. I have already started talking to my team about the need for this policy so I think I’ll have their buy in. I also have a board member who is a privacy advocate so I think she will be instrumental in helping me educate other board members on the importance of this policy.

I can’t really say I have much experience with library privacy policies but I do think library school training pounded into my mind that part of my job is keeping patron data secure so I’m always mindful about trying to retain as little patron data as possible when answering reference questions or helping at the circulation desk. In my new role, I would like more transparency and hope to post our privacy policy on our website and ideally will also link to vendor privacy policies as well.

Privacy Policy (stmalib.org)

This is St. Mary’s County Library’s privacy policy. I appreciate that their policy leads with the Maryland law information (although I think the MD law could be much stronger). I love that they have a section on digital branch privacy explaining how information is used on the library’s website, in online communication with the library and third party digital services complete with links to the vendor privacy policies.

Calvert Library Privacy and Confidentiality Policy – Calvert Library

This one is for Calvert Library. I thought the third party vendor section could have been fleshed out more since the vendors are probably the most problematic when it comes to privacy. However, I did like the fact that this policy includes a reminder to protect your library card number and PIN. Customers should be aware of the high tech and low tech ways in which their privacy might be compromised when using the library. Over my years as a branch manager, I can’t tell you how many library cards I had to shred that got left behind.

Overall, I think our Patron Data Privacy Policy is pretty good (minus the lack of a surveillance policy, as I mentioned earlier). I appreciate that it starts by outlining the Purpose and Principles:

Purpose
The purpose of this policy is to communicate Hennepin County Library’s (the Library) role and responsibility to safeguard patron data and to describe the obligations and constraints under which the Library operates.

Principles

  • We value and advocate for patron privacy and confidentiality.
  • We value intellectual freedom and a patron’s right to open inquiry without having the subject of one’s interest examined or scrutinized by others.
  • We recognize that networked and digitized environments create new and ongoing challenges to safeguard patron data.
  • We expect the Library to employ responsible and transparent data practices, stay abreast of developments in the field, and leverage its role as a national leader of library service to maintain patron data privacy standards in this rapidly evolving world.

The policy outlines the circumstances when data may be released, such as a court order or data pursuant to the Patriot Act, and what may be disclosed to a parent/guardian of a minor or vulnerable adult. Later it links to all associated policies and laws. It was also helpful to see that the review process and policy history are included at the end.

The policy does state that library staff take data security training every year but honestly that is a county-wide training that is really broad and doesn’t consider library-specific scenarios. There is no training in regards to data + law enforcement but there are some good internal docs that are used for staff training around patron scenarios, such as what information can/can’t a cardholder, relative, friend, etc access about a patron.

One line that stood out to me is, “The Library actively works with third party vendors to support patron data privacy.” This is not elaborated on in the policy, and I’m not quite sure what this has looked like in practice. Also, some of the vendor information is on a different page where patrons can follow links to their policies (I’m guessing this is so they don’t have to worry about revising the policy every time a vendor/link needs to be updated).

Hello all,

I would describe our privacy policy as a decent start, but it covers very few areas because its champion was one of my Access Services colleagues who decided to focus on AS issues and for some good reasons. Other colleagues were not so interested at the time and this was a sphere where we could take some action.

What I appreciate about my colleague’s effort is not really found within the policy but the process used to identify privacy issues that AS folks encounter all the time in daily work (lost and found, help with appointments, helping over the phone v in person, etc.), but may not think about. So we had some “ground up” discussions to help us identify situations where people weren’t sure what to do or where we were clearly doing very different things in our different settings and then used this scenario approach to begin identifying privacy concerns involved and to determine best–or at least better–practices that we incorporated into training. More work went into drafting of best practice documents and also training based on those practices than on the bare bones policy. These practices also now need to be updated, but I liked my colleague’s approach and the way that it drew upon our staff members’ experiences. I think this helps to develop privacy as more of a shared value that affects all of us (and our users).

Because of this back story, there are many important areas that our policy (and practices) don’t begin to cover. It also means that most library employees have no idea of the policy or any of the practices connected to it. And the policy may not speak to their concerns or work practices.

We clearly need a broader group to address some of these areas, to develop a robust policy, and also to develop practices that speak to the types of work that happens across our organization and the types of concerns that arise in addition to some areas that tie directly to specific roles (security cameras, vendor records, our “enemy within” of having no records retention schedules…). We will never be big enough to have a single privacy officer, but we could I think develop a core team to perhaps better attend to these areas on an ongoing basis.

Cindy

It’s so sad to hear this story, especially because you did all the right things, and the right things didn’t even work.

This is very common in my experience. It seems like a vestige of an earlier library era. What has always really frustrated me is the insistence (from ALA and various bigwig library folks) that librarians are privacy champions because we care so much about deleting borrowing records. And yet, few mention all those other things (which we’re probably keeping in perpetuity).

The bigger the university or library system, the more this is true also. It’s wild how people can tell you that the process is three years, no matter what the policy is, or what the consensus on that policy is. Nope, it’s all three years! Fine system here.

Organizational politics is such a big part of all of this.

We’re not shaming here Ashley! We’re learning together so we can know more and do differently!

That’s awesome, and if I can help with that at all please let me know! Maybe you could think about what your process for this looks like as a final project for this course?

That IS great. Not that we want to rely on legal frameworks for everything (lots of laws are bad!), but grounding our policy in what our legal responsibilities are can help us keep them in mind all the time!

I like this too, it makes it a lot more readable than most policies. Also values statements are always good imo.

That word “actively” is doing a lot here! I wanna know what this means!

I love the way your colleague approached this! Involving all AS staff like that instead of just handing down a policy. Everyone will be more invested in the outcome because they’ve been directly involved.

That’s true, but if you continue in the same process that your colleague created, you’ll be able to make something that really reflects privacy as a shared value, as you put it. Also, creating the policy using this method is both a policy and a privacy audit in one!

THE THREAT MODEL IS COMING FROM INSIDE THE HOUSE

Thank you everyone for sharing your library’s policies! Reading through definitely helped me a lot. My library has a list of policies, it took me a bit to dig through each document to find what I was looking for - though I learned a lot about my own library by reading each document!

1 Like

This is a big reason why I joined this course! I was astounded at how much of this sort of info wasn’t being noticed. Were you able to address it at all in the policy you created? I’d love to hear more about what your process was and what worked and what didn’t when we talk about privacy audits.

1 Like

There’s will, but not a lot of action around privacy issues. Enforcement is slowly happening through licensing, but it’ll be interesting to see what actually occurs if there’s a data breach.