Week 15: the lifecycle of your library's data

Here are the questions on my mind after Becky Yoose’s talk:

  • How is your library thinking about data in terms of the steps Becky laid out – collection, storage, access, reporting, retention, deletion?

  • How could you start thinking about these things? Where are opportunities for staff training, policies, vendors, and systems? How could you incorporate these plans into your final projects?

I’ve decided that in terms of where I should start with privacy related issues in our library, this is it. Since Becky’s talk, I’ve already informed my director that I want to do an audit on the data that we are collecting on our patrons. I appreciated how Becky talked about doing this in stages since it is impossible to tackle all at once. My plan would be to start with the data that we are gathering (as opposed to the data vendors are gathering on our patrons). Within the next few weeks, we will be having a discussion as a team about data collection, and this will be a perfect time to get everyone’s feedback (to make sure I don’t miss any of our data collecting areas), and to let the staff know that I will be bugging them individually about what data they collect in their areas in the near future. :wink:
Once I have all the info and recommendations for the collecting areas, then I will present it to the staff. My hope is to create a privacy policy, which we don’t currently have. Depending on how much of our data-gathering procedures I may try to convince staff to change, I might have to start with mini-tutorials on privacy/data gathering. For instance, and this is going to make some of you gasp, we do keep patron driver’s license info in their account, and the risk of a data breach is now super scary to me. I’d love to hear who is/isn’t collecting driver’s license info. This would help me with my quest to have us stop!

This is one of those areas where I feel like I can only make a small dent on the local level. My library works more like a consortium and our patron data is stored by a centralized university office. They do have privacy policies in place at that level, however, we’re going through an even worse budget year than before and that office is woefully understaffed. That’s where I’m fearful that data can easily slip through the cracks.

On a more local level, I’ve been thinking more in terms of what we keep on paper. Becky mentioned this in her talk, and I feel like that’s something that my library can work on. Destroying data that’s collected in hard copy, such as sign-up forms for workshops.

We collect some patrong data on our website and I think we can start purging that information as soon as it’s used/read. This is stuff like names and email addresses, but I’ve made it point that unless it’s absolutely necessary that we don’t even collect that information.

1 Like

Excellent! I thought her workplan was really manageable. Definitely let us know how it all goes.

Harm reduction matters!

Becky’s talk reminded me how sort of silo-ed and departmentalized my library is in that I hardly ever have to think the technical parts of the data life cycle. One type of patron data that I do work really closely with are ref desk stats. Currently, we collect very minimal details on patron reference visits - simply marking which method the patron used to ask a question (in-person, phone, email, etc) and how long the interaction was. Our chat service is pretty anonymized too. Email requests hold the most user information as they come through LibAnswers. We often know the name, email, and status (ex: student vs faculty) of the person who is emailing in addition to all of information they give us in the body of the email itself. I plan to ask how long we keep these emails and the encryption level of the messaging.

1 Like

A couple of years back, my library did an inventory of the patron data we were collecting. This was done by a task force of folks from public services, IT, and assessment (my department). Within the group, we were able to think of a lot of data we were collecting, but we also sent out a survey to the library to ask what the different departments were collecting. What was interesting was all the unexpected areas where data was collected. There was also a lot of information gathered on paper forms. We are definitely not at the paperless future we keep hearing about. :slight_smile:

The other thing that became clear very quickly was the data being collected in the library by other departments at the university. You have to scan your ID to enter the building. Our IDs are linked to our names, university status (faculty, student, staff, etc.), and department. While the library couldn’t get access to that PII, it was/is being collected by the university’s Facilities Department. The same is true for our computers (although I think that information isn’t as detailed). So while the library just gets the number of times the building was entered and how many times the computers were accessed, I’m pretty sure there are records of people entering the building and if they used a computer somewhere outside of the library. When I brought up that we should talk to facilities and university IT about what they are doing with that data, the feeling was that we weren’t going to get much interest in addressing our privacy concerns because library privacy concerns are different than university privacy concerns and the university always wins.

While we chose to not tackle the university regarding privacy, we did tighten up who has access to certain types of data and how long we are keeping things. But after two years and new systems, it’s probably time to at least do another audit of permissions and make sure folks only have access to data they need.

1 Like

My manager just asked me about a revision to our policy for collecting patron data that she wrote. I used it as an opportunity to advocate for a written policy that outlines the proper data practices that Becky Yoose discussed. She was very receptive to the idea and is bringing it to the director, so hopefully we can start to implement some proper practices. Right now everything is terrible and done on a whim (we do a good job of limiting the amount of patron data that is collected though).

I eventually want to get us talking about how we use data in marketing because I think that justifying our services with statistics both undermines the necessity of the library irrespective of the volume of use and is bad privacy practice.

2 Likes

I pitched the idea of a data audit to our director, and she is totally onboard for it. In general, we don’t collect a lot of patron information (name, phone number, address, and email), and we shred library card applications, so there’s already a basis for us taking these steps farther (like formalizing how long we keep patron’s who are expired with fine’s information, and creating an actual patron privacy policy).

I’m really excited to look into our vendor contracts, as well (and using some of what we’ve learned in previous weeks). Since New Hampshire is such a small state, we get a lot of our digital resources through the state, but at the same time, I might be able to get our State Tech Librarian on our side, and be able to use her clout to approach vendors (but that’s still far away).

I have very little control over the digital side of things, since we are part of an almost state-wide consortium with a centralized server. I plan to get more involved in the Intellectual Freedom interest group of our state library association, and I’m thinking this is a conversation starter at our meeting next month. We do a pretty good job of not storing anything hard copy – new card applications are double-checked and then shredded, and I can’t think of anything else we take that contains patron information. This whole experience has already led to a lot of conversations with my staff about why we are so vigilant about privacy, and I’m hoping that our created resources will be used for region-wide staff training.

1 Like

Two things I really took away from Becky’s talk:

  1. The idea that you often cannot delete something just once – it’s often duplicated in back-ups, hard copies, etc. It may be obvious, I know, but really important to think about when really protecting patron information.
  2. The other thing I plan on investigating is whether security incidents are considered patron data. I am going to look into this, as there’s some movement in my system about looking at policy around incident reports. I want to make sure we are storing and sharing these appropriately – for both the protection of patrons and the safety of staff. I think Becky said that whether is considered patron data (and can be shared with law enforcement) varies from state to state.
1 Like

This seems to be the unfortunate reality in most academic settings, and one reason why it’s so important to have a network of academic librarians fighting together.

I think you can definitely set this up in your data policy with the right language about ethics and third parties and such. Ready to review a draft as needed.

I’m sure that Chuck McAndrew will be down for this too. I bet you could create an auditing model that could be used by other small libraries.

Now that is a great question.

Just kind of riffing on what some other folx said about the size of their dent (I concur, small dent here), and inspired by Becky’s talk and some things underway here at the library. We are going to build a privacy rubric in the teen space I work in to mitigate any issues we uncover while doing a privacy ‘inventory’. So including paperwork, electronic forms, how we key in login passes for computers, how long we hold data and where, e.g. - and excluding network stuff outside of our purview, I think this can fundamentally change how we operate on the daily in regards to protecting patron data. People work in different and sometimes harmful ways without knowing it and getting everyone practicing privacy together is good.

I am sorry I am just now getting to this, but I have been thinking about this a lot. I want to ask my library to do a privacy audit like Becky suggested. It likely won’t begin until the latter part of next year because we are in the middle of a pretty intensive strategic planning process that will end in March of 2020.

In the years I have worked here (14), I know that I have seen a slow increase in the amount of data we collect, and my opinion is that a lot of it is unnecessary. I think the best way to frame this project is just to start with asking the questions and at the very least having a better understanding of the privacy vulnerabilities that we are creating for our patrons. I think starting with awareness is place that our team can agree to start. (Thanks, Becky!)

This is straying a bit off topic, but one thing that LFI has really shaped my thinking around is changing the framing of how I approach privacy with other people. I used to start with, “Delete Facebook and never use Google.” Now my approach is much softer, I take the approach of, “If you are using these tools, then would you be interested in learning more about how they operate and how they impact your life?”

I am so grateful to LFI and to all of you for teaching me!

1 Like

:heart_decoration::heart_decoration::heart_decoration::heart_decoration::heart_decoration::heart_decoration::heart_decoration::heart_decoration:
grateful for you too Ashley!!!