A couple of years back, my library did an inventory of the patron data we were collecting. This was done by a task force of folks from public services, IT, and assessment (my department). Within the group, we were able to think of a lot of data we were collecting, but we also sent out a survey to the library to ask what the different departments were collecting. What was interesting was all the unexpected areas where data was collected. There was also a lot of information gathered on paper forms. We are definitely not at the paperless future we keep hearing about.
The other thing that became clear very quickly was the data being collected in the library by other departments at the university. You have to scan your ID to enter the building. Our IDs are linked to our names, university status (faculty, student, staff, etc.), and department. While the library couldn’t get access to that PII, it was/is being collected by the university’s Facilities Department. The same is true for our computers (although I think that information isn’t as detailed). So while the library just gets the number of times the building was entered and how many times the computers were accessed, I’m pretty sure there are records of people entering the building and if they used a computer somewhere outside of the library. When I brought up that we should talk to facilities and university IT about what they are doing with that data, the feeling was that we weren’t going to get much interest in addressing our privacy concerns because library privacy concerns are different than university privacy concerns and the university always wins.
While we chose to not tackle the university regarding privacy, we did tighten up who has access to certain types of data and how long we are keeping things. But after two years and new systems, it’s probably time to at least do another audit of permissions and make sure folks only have access to data they need.