We've talked about so much, but how to put these lessons into practice? We've got some tips for you!
Transcript
Davis: Hey Erin! We’ve covered so many topics so far, and I think we’d be remiss to leave folks hanging without some practical advice about how to put this knowledge into practice at libraries. So what’s the first thing libraries as an organization should do when it comes to organizing themselves to create better policies and practice around protecting patron privacy?
Erin: I think the first step is in starting to build a culture around privacy, and that begins with talking about privacy as part of your regular conversations around various procedures already in place at the library. Think about things like does your library have staff training about privacy? Do you do any programs for the public? Does your library have a privacy policy?
I found that the more we started talking about privacy, the more ingrained it became in the culture of our library. That being said, changing culture takes a long time, so don’t get frustrated if after six months or even a year it hasn’t become the culture of the library. It could take a long time; just keep at it. Keep talking and bringing other people in to the privacy world, and one great way to just start culture building is actually by performing a privacy audit.
The first step is in starting to build a culture around privacy, and that begins with talking about privacy as part of your regular conversations around various procedures already in place at the library.
Davis: How does a library perform a privacy audit? And also how do you use the audit findings to create an effective set of policies and procedures around data privacy?
Erin: We’ve actually created a Privacy Audit Field Guide that will walk you through the audit process. It’s going to look a little different for each library, and if you can’t do a library level audit, that’s okay. You can still do a personal one with the areas of user data that you have control over.
Essentially, you’re looking at every single piece of data that you collect about a user and asking yourself a set of core questions. What information do you collect? Why do you collect it? Do you need to collect it? How do you collect it? Who has access? What are the storage and retention policies or procedures? What are the current best practices and policies and if the data is being collected by a vendor?
You’ll also want to ask what vendor is being used is the information shared or collected by the vendor. Is the information collected by the vendor necessary for business operations? And what are the vendors privacy policies and do they align with the library’s? Finally, you want to ask what changes need to be made to ensure the privacy and security of user data.
After you ask these questions, then your library can use the ALA Privacy Guidelines and Checklist to ensure libraries align with those best practices of the industry. That’s when you start building in your policies and procedures. So knowing your baseline is an important place to start. You need to know where you are before you can decide where to go and how to get there. So you can start using findings from your privacy audit to start shaping your policies and procedures. For example, you may find that you don’t have a retention policy. Library workers have been stashing away papers with personal information on them for decades? Time to have a shredding party and create some procedures.
Davis: I want to go to a shredding party. That sounds so fun. What makes a good privacy policy, would you say? What sorts of things should it address?
Erin: The first thing that makes a good privacy policy is that it’s written in plain language. It should be simple and easy for people to understand. The federal government passed the Plain Language Act in 2010 requiring government websites to be easy to read. They created a fantastic website to help anyone write in plain language. I cannot recommend it highly enough. It’s changed the way that I do all my writing.
The first thing that makes a good privacy policy is that it’s written in plain language. It should be simple and easy for people to understand.
Next, make sure your policy is discoverable. Make it easy for your users to find in addition to read. That Privacy Policies Field Guide I talked about before will help you write your policy in addition to helping you read them. The main sections that should be included: are what information does the library collect, who has access that information, how does the library protect the privacy of students and minors, your technology practices such as https cookies data and network security, public computers and connected devices, third-party vendors — and here’s what you’ll tell people that those vendors have got different policies than the library — any surveillance used in the library, and last how the library handles requests from law enforcement.
Davis: We talk so much about data in the online world. To what extent does privacy in physical spaces come into play in the library?
Erin: I’m so glad you brought up the physical environment. Often our minds go straight to technology when we discuss privacy. Remember, though, privacy has been part of our ethical charge since 1939, way before computers. So we actually created a Non-Tech Privacy Field Guide to assist libraries and looking at their physical spaces. This is especially important because some libraries may have little to no control over the technology deployed at their locations.
Think about things like security cameras, or how the furniture is set up. Ideally cameras would not be inside the library at all. Are there places where users can sit inside the library and read a book without someone seeing the title or look at their laptop screen without someone passing by and seeing? We can also think about how our hold shelves are arranged. You know, holds slip should not include the entire name of a user. In fact, in a smaller town, even the first few letters of the first and last name can identify the person.
You may also inadvertently expose someone’s library use by talking about users. There are times when we have to disclose the identity of someone to our co-workers for safety concerns or something of that nature, but this should only be done in private and when absolutely necessary. Even speaking in generalizations about someone can clue another user into who you’re discussing, so keep conversations about users to a minimum and have them in private.
Davis: As with any sort of policy, communicating about changes is pretty key. In the case of data privacy, I think
libraries face a specific challenge because patrons have come to expect robust and speedy services, and many of those services are powered by unfettered access to user data. So any tips for how libraries can demonstrate to the public that a new privacy policy is in place? And that these policies have value?
It’s really important that all staff, and especially frontline staff who are interacting with patrons day-to-day, understand the privacy policy and that they feel confident talking about it to their users.
Erin: Yeah it’s hard because the vast majority of people aren’t going to read our privacy policies. And that’s okay. We still want to have them. And the easier they are to read, the more likely it is that somebody will be able to read it and understand it. When you do change it that’s the opportunity to talk about the library’s commitment to privacy more broadly think about publishing it in your newsletter on the home page it’s also really important that all staff and especially frontline staff who are interacting with patrons day-to-day understand the privacy policy and that they feel confident talking about it to their users.
Davis: All of this is such great advice, thank you so much Erin. If folks were interested in digging into this sort of work, where should they start in terms of resources and other guidance?
Erin: I think the best place to start is probably the newly redesigned landing page for privacy on the ALA home page. The Privacy Subcommittee has curated a great set of resources including those Privacy Field Guides for anyone to jump right in and start doing this work.
Davis: Thank you. Coming up next, we’ll talk about the ways in which data privacy impacts various groups of patrons and what library staff should know, so stay tuned.
Further Reading
Privacy Field Guides
Practical, hands-on exercises for you to create a more privacy-focused library. These guides were designed for academic, public, and school libraries of all types. Sponsored by The Institute of Museum and Library Services in partnership with the American Library Association.Plain Language Act
Signed on October 13, federal law requires that agencies use clear government communication that the public can understand and useALA Privacy Subcommittee
ALA's Privacy Subcommittee "ongoing privacy developments in technology, politics and legislation, as well as social and cultural trends that impact individual privacy and confidentiality, both in libraries and the wider world.
Contributor Bios
- Erin Berman is a Division Director at the Alameda County Library in California and serves as the Chair of the American Library Association’s Intellectual Freedom Committee’s Privacy Subcommittee.
- Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.
- This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.